As professionals, we are to
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Words matter and have specific meanings. And jargon? Well, every profession has it. The result for every industry is a standardized vernacular that advances communication, provides common understanding, and allows trust and confidence. When someone pursues a profession, much of the early learning concerns jargon. In the cybersecurity profession, a set of terms we often see conflated are standards and guidelines. Part of our job (protecting and providing competent service) is to differentiate these terms.
Allowing an organization to misuse the terms creates cultural chaos for professionals and auditors. Misusing these terms undermines the enforcement of policies and standards that align with industry standards, regulations, and laws. Confusion is created when these terms are not used correctly, and this hurts the common good, seeds a lack of confidence, and prevents acting responsibly and legally.
Over the years, I’ve witnessed the pain of conflating these terms and excusing the use of a guideline in place of a proper standard as, “It’s just weird here” or “It’s just the way we do things.”
As professionals, we are duty-bound by ethics to correct this seemingly nuanced substitution of terminology.
So, what differentiates a standard from a guideline?
Let us first look at what a guideline is.
A guideline is a recommendation about how to fulfill requirements set forth in standards, policies, regulations, and laws. It "guides" the consumer to a solution. Though not a procedure, a guideline can establish patterns that meet the "shall" and "must" needs, giving the consumer an easy button toward compliance. A guideline does not create a requirement that must be met; rather, it simplifies meeting requirements. Often, guidelines are created to fill voids where no policy or standard exists. However, a careful distinction must be made here: where there is no policy or standard, there is no requirement. Once again (for those in the back), a guideline provides a recommendation of how to do something, and in the absence of a standard or policy, it can help guide good practice.
Separately, a standard sets the minimum acceptable action or result. Standards are tools to create consistency and often define some measurable or enforceable requirement. Controls (the way to meet a standard) may be defined within the standard, though, in practice, controls are generally the tools that ensure processes and procedures are followed.
To simplify the above:
- Standards create a requirement or a mandatory something that must be done.
- Guidelines recommend how something may be done but are not a requirement or a mandatory thing to do.
As a professional, you must help your customer (read: organization) properly delineate standards and guidelines. Every job description I've ever read includes a reference to the ability to communicate clearly and effectively.
Distinguishing these terms is the epitome of good communication. As a leader, you should expect your professionals to perform to the ethical standards of their profession. This includes using correct jargon to simplify communication, create efficiency, and align with industry standards.
So be a light in the dark and use the terms correctly.
Let me know your thoughts in the comments and perhaps add some of the ways you know we can improve our service to others as professionals!