What are Recommended Practices vs. “Best Practices”?

Facebook's engineering culture during its earlier days of rapid growth was "move fast and break things." But the Harvard Business Review says that this era is over.

Problem scenario
You are concerned about recommended practices and "best practices." You want to be productive and leave no security gaps in your systems that you design/install or allow bugs in your code. You want logging and monitoring to be appropriate. What is the difference between recommended practices and "best practices?"

"There is an exception to every rule." - Many different sources.

"A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines. With consistency a great soul has simply nothing to do." -Ralph Waldo Emerson

Superlatives can be appropriate in various contexts. There is nothing wrong when a radio station advertisement is informing the audience that it plays only the best new music. But in business writing, superlatives can make someone seem less credible (according to this external website).

Marketing material and advertisements try to induce a potential customer into a sale. It sounds assuring if a vendor claims to always use "best" practices. Journalists for the industry seem to like the phrase too. The adjective "best" can be defined as "excelling all the others" (according to page 116 of Merriam-Webster's Dictionary 11th Edition).

A well-respected book on modern American English (Garner's Modern American Usage on page 918) defines superlative as "[t]he form of an adjective or adverb used to compare at least three things and show that one has a quality above or below the others." As an example the book cites the word best as the superlative to good. Therefore a "best" practice is indicating that two alternative practices are available. (The book The Careful Writer concurs that there are three degrees when someone uses a superlative.) The adjective "preferred" would be pleonastic if applied to something that is the "best".

After we consulted with The Careful Writer and Garner's Modern American Usage we would be disinclined to characterizing as many practices as "best" because there may be only one other worse way to accomplish a given I.T. goal (i.e., consider a business use case with numerous restrictions and there are exactly two options). Nonprofitcopywriter.com and mediasurvival.com suggest the word "best" should be avoided in writing. The noun "practice" can be defined as a customary course of action. It is a best practice to use proper grammar when writing.

Best practices may include "prohibitions without reasons" and the systematizing of human interactions (such as creating a Jira story when there is a problem). Nietzsche would have hated best practices. The Portable Nietzsche says that he said "prohibitions without reasons" do more harm than good (on page 68). The will toward a system was dishonest according to Nietzsche (as stated in the first chapter of Twilight of the Idols). He also thought that a will toward ignorance was strong (as he describes in Beyond Good and Evil).

Kant defines categorical imperatives as commands or moral laws all persons must follow, regardless of their desires or extenuating circumstances.


Best practices purport a categorical truth. Humans all want a heuristic to avoid the toil of thinking. By definition there is nothing superior to the best. When deciding on how to engineer something in I.T., there are usually more than two choices (but there could be just one or two). From selecting a technology to adopting an indentation and formatting style in programming, there are a multitude of choices.

It’s also too easy to call something the “best”–have you really had a chance to test all other options before concluding that this particular thing or person surpasses them?


Extremism has its disadvantages and absolutes can be uncommon in endeavors with people. Take for example The Agile Manifesto; it gives positive treatment to a set of desirable items juxtaposed to their common alternatives. But it specifically says that there is value in the less preferred alternatives themselves. Consider the concept of "best practices" when you read the those four sentences of the Agile Manifesto:

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan


Agile deprioritizes processes, documentation and following a plan. That does not sound like it advocates "best practices." Other sources (such as this one) say it is a best practice (an advisable process) to document, and follow a plan. It is considered a best practice to have a test plan for software products (according to Perforce) or a plan with a budget for software projects (also according to Perforce). However Agile itself was created to follow a path defined by best practices (according to devops.com). Many sources say it is a best practice to use Agile, but that would tend to say it is a best practice to not use best practices.

Valuable software tends to have many features, and sales professionals would say it is a best practice to give the market all that it demands. But in Eric S. Raymond's The Cathedral and the Bazaar there is praise for what is sometimes called New Jersey style software (page 225). This is the concept that "worse is better" because minimal functionality brings with it performance, simplicity and security. As technology gets increasingly sophisticated in modern times, demands to push software to its limits remain as high as ever.

Some independent software consulting companies purport to write sophisticated, complex code while always adhering to best practices. Here is an example of a blog post (by a well-respected author) that tends to contradict "best practices" for software architecture in favor of avoiding complexity:

Software architecture best practices, enterprise architecture patterns, and formalized ways to describe systems are all tools that are useful to know of and might come in handy one day. But when designing systems, start simple and stay as simple as you can.


Another authority concurs with simplicity. One of the most influential database pioneers Jim Gray was aware that many books tend to prescribe complex solutions as best practices. He said this (in "Transaction Processing: Concepts and Techniques"):

Don't be fooled by the many books on complexity or by the complex and arcane algorithms you find in this book or elsewhere. Although there are no textbooks on simplicity, simple systems work and complex don't.

Page 326 of Elements of Programming Interviews in python)

Programmer and author Jon Bentley agrees:

don't write a big program when a little one will do

Page 29 of Programming Pearls

There is a saying that perfect is the enemy of good. (This quote originally comes from the first two lines of a Voltaire poem. You can use translate.google.com to see for yourself what the first two sentences mean in English.) In pursuit of perfection one may do a very poor job. There is evidence suggesting that no software project should be perfect and striving for perfection has its disadvantages. "Like it or not vulnerabilities exist in the software and networks that the world depends on from day to day. It's simply an inevitable result of the fast pace of software development. New software is often successful at first, even if there are vulnerabilities." This quote was taken from the book Hacking The Art of Exploitation 2nd Edition, page 451.

The author goes on to describe (on page 452) that the legal system is slow and ineffective in the context of computing. In some cases the law criminalizes learning activities with respect to networking. The author refers to Hans Christian Andersen's story "The Emperor's New Clothes" (which is an allegory illustrating the downsides to social conformity and pretending to go along with commonly accepted facts). So this I.T. security author (of Hacking The Art of Exploitation 2nd Edition) says that even the law can be counterproductive and alludes to the community being in denial. Clearly the author rejects the notion of absolutes in the world of I.T. security.

"We should forget about small efficiencies, say about 97 percent of the time: premature optimization is the root of all evil." (Donald Knuth)


Other authors and advertisement creators that use the term "best practice" in I.T. may not have thought through what they were saying or possibly they felt pressure to conform to utilize this sometimes meaningless phrase of "best practice".

Best practices are not compatible in some instances. Here is one example where sources disagree on whether or not it is a best practice to normalize a relational database. If adhering to a best practice makes a system less secure, then best practices fail to be the best for security. To see an example of an approach that is referred to a as a best practice by some and a violation of best practices by other sources, see this posting.

Most professionals in I.T. would defer to Jez Humble and David Farley when it comes to best practices surrounding code versioning. In Continuous Delivery (on page 388) they say it is imperative to "keep absolutely everything in version control." While this book was published in 2011, it still has relevance in 2022. An established industry standard in today's world is the laudable 12 Factor App. It says:

The twelve-factor app stores config in environment variables (often shortened to env vars or env). Env vars are easy to change between deploys without changing any code; unlike config files, there is little chance of them being checked into the code repo accidentally;

Taken from https://12factor.net/config

We know that a best-practice from one source may conflict with a widely-heeded practice in another source. On December 6, 2021, most people would have said that Amazon uses best practices. Amazon is considered to set a standard for other companies. It needs no citation to assert that AWS best practices were commonly promulgated in 2021 by various third party vendors. On December 7, 2021 AWS had a major outage.

Here is a rhetorical question: is it as simple as always using best practices?

The term "best practice" is an ascertainable and singular practice that is strictly better than other practices. It gives a false sense of security. Many companies purport to always use best practices on their websites and advertisements. Always using best practices would be tantamount to being perfect. The feasibility of this is self-explantory.

There may be legitimate times to disregard "best" practices to allocate resources for hardening a system from a pragmatic perspective. A Cloudera Guru says that best practices vary depending on the scenario:

It is usually a best practice not to transform…


The adverb "usually" modifies the definition of a best practice. At a minimum best practices sometimes have applicability and sometimes do not have applicability. Prepositions such as "if" and "when" are common in discussions of best practices. Other qualifiers enable people to use the phrase "best practices." Their applicability hinges on context -- even for the people who prescribe them. Here is an example of a conditioned "best practice":

There are several, basic “best practices” that all businesses should follow if granting employees access to the corporate network through a VPN.


Given the complexity of I.T. today, we cannot state with confidence that every so-called "best practice" will be compatible with other applicable "best practice" you may find. There may be no feasibility to such an undertaking.

We think that I.T. security is under-rated and many projects have been under-funded. Accordingly we think that I.T. professionals should think in terms of "recommended practices" instead of "best practices." Nothing in I.T. is so simple to be framed as the "best" in 2022 without being qualified or conditioned on a specific context (such as a use case).

Many "best practices" are merely specific conventions that are commonly implemented by corporations (e.g., configuring parameters for automatic desktop screen lockouts or periodic credential challenges on a Linux server). Some authorities will describe a best practice that is irrelevant based on your specific utilization of the tool or technology. Therefore some "best practices" can be safely ignored. Given temporal and financial constraints, no reasonable person would recommend they be adhered to when their need is obviated. The culture of "move fast and break stuff" may be a hyperbole to highlight the benefits of experimentation. Clearly it could be used in ways that would compromise the security of a data center. No one can refute that experimentation is a "best practice" (because of The DevOps Handbook, launchdarkly.com, the prevalence of the DevOps movement).

There is skepticism in the industry; many authors criticize "best practices." Consider the following examples:

  • The website visualstudiomagazine.com in 2016 had an article about why a system architect hated "best practices".
  • MIT had a magazine article in 2018 that said best practices should only be implemented in moderation.
  • The Massaro consulting website specifically stated that there are times and contexts when someone should avoid using best practices.
  • Miller Klein Associates Ltd. (an industrial strategy consulting company) said to not use the term "best practice" and to look for situations when practices don't apply.
  • Forbes said that there are downsides to best practices and that "best practices" do not even exist.

Recommended practices are those that are usually suitable. They are advisable but not always necessary. Not every practice in I.T. has been documented much less agreed upon.

Modern enterprise networks and software requirements can be very complex with nuances in design and a multitude of trade-offs inherent in the underlying architectural decisions. We think it is best to pursue recommended practices when engineering systems and/or writing code. Do not be seduced into ignoring the complexity of I.T. security. The DevOps Handbook says that a myth in the I.T. industry is "[s]ystems will be safe if people comply with the procedures they have been given." (page 360, see also [1]). There are contexts where "best practices" do not exist or should be avoided. We recommend that you strive to have a secure environment and not be content with merely following "best practices."

[1] Denis Besnard, Erik Hollnagel. I want to believe: some myths about the management of industrial safety. Cognition, Technology and Work, Springer Verlag, 2014, 16 (1), pp.13-23.

See also:

Is It Enough to Use Best Practices?
Is It a Best Practice to Normalize a SQL Database?
Is It a Recommended/Best Practice to Have a Code Freeze?
Is It a Best/Recommended Practice to Use Branching with Version Control Systems?
Is It a Best/Recommended Practice to Check Code in Frequently?

Is It a Best/Recommended Practice to Update a Server when Clients/Apps May Not Be Compatible with the Version?
Is It a Best/Recommended Practice to Use Log4j?
Is It a Recommended Practice to Use Production Data when Testing Software?
Are Zero Trust Networks More Secure than VPN-Protected Networks?
What Are the Recommended Practices of Monitoring?
What Are the Recommended Practices of Logging?
What is difference between "Good Practice" and "Best Practice"?
What is I.T. Operational Readiness?

For a definition of best practices outside the I.T. industry, click here.

Leave a comment

Your email address will not be published. Required fields are marked *