Saturday, November 15, 2014

Industry Standards

As you might guess, I spend a lot of time looking at specifications and requirements. A phrase I see very frequently in these is "industry standards", usually attached to requirements in sentences like "We would like security to meet industry standards" or "this widget needs to behave according to whatever the industry standards are".

There's something that bothers me about this: people often think that industry standards are a good thing, or that industry standards mean high quality. I think this is actually a bad thing, and here's why... When we think of industry names that we can set the quality bar by, we think of the likes of big banks, big retail names and so on. For instance, Home Depot, JP Morgan Chase, eBay, Yahoo!, Sony, Apple, Dun & Bradstreet, TK Maxx, etc.

Astute readers will realise that I've just rattled off a quick list of organisations that have all suffered major data breaches. To see a truly terrifying list, have a look at something like this...

Is that what people aspire to when they say they want something to follow "industry standards"? If anything, "industry standards" are a minimum level of effort that has proven likely to leave millions of people as victims of data breaches, privacy scandals or worse.

That's not a good thing to aspire to.