Cybersecurity industry analysis: Another recurring vulnerability we must correct
A version of this article appeared in Help Net Security. It has been updated and syndicated here.
I have spent my career finding, fixing, discussing, and breaking down software vulnerabilities, one way or another. I know that when it comes to some common security bugs, despite being in our orbit since the 90s, they continue to plague our software and cause major problems, even though the (often simple) fix has been known for almost the same length of time. It truly feels like Groundhog Day, where we as an industry seem to do the same thing over and over and expect a different result.
There’s another little problem, however. We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
To this end, I do have to wonder why so much of the commentary and analysis around cybersecurity has omitted solutions that truly address the root cause of so many vulnerabilities: humans. Gartner’s most recent Hype Cycle for Application Security, and Forrester’s The State of Application Security 2021, both bibles for security experts that undoubtedly help to shape their program and potential product adoption, are almost entirely tools-focused. A report by Aberdeen back in 2017 showed just how unruly the average security tech stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we’re grappling with more risk, more vulnerabilities, and more additions to growing tech stack beasts.
Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.
Automation is the future. Why should we care about the human element of cybersecurity?
Virtually everything in our lives is powered by software, and it’s true that automation is replacing the human elements that were once present in so many industries. It’s a sign of progress in a world digitizing at warp speed, with AI and machine learning hot topics keeping many organizations future-focused.
So, why, then, would a human-focused approach to cybersecurity be anything other than an antiquated solution to a technologically advancing problem? The fact that billions of data records have been stolen in breaches in the past year, including the most recent Facebook breach affecting over half a billion accounts, should indicate that we’re not doing enough (or taking the right approach) to make a serious counter-punch to threat actors.
Cybersecurity tooling is a much-needed component of cyber defense, and tools will always have a place. Analysts have been absolutely on point in recommending the latest tools in a risk mitigation approach for enterprises, and that will not change. However, with code quality (and, by definition, security) difficult to manage at the volume of code production, tools cannot do the job alone. To date, there is no single tool that will:
- Scan for every vulnerability, in every language:framework
- Scan at speed
- Minimize the double-handling caused by false positives and negatives
Tools can be slow, cumbersome, and unwieldy. Above all, however, they only find problems - they don’t fix them, or recommend solutions. The latter requires security experts, who are thin on the ground and overworked, wading through the trash to find treasure in endless pentesting and scanning results.
The fact is, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Almost half of those directly relate to software vulnerabilities, many of which could be alleviated if there was stronger adherence to secure coding and awareness in the early stages of the SDLC. However, for this to happen, a sharper and more relevant focus on education for developers - in addition to making it intrinsic to their workflow - is key.
Whether we like it or not, humans are deeply ingrained in the software development process, and cybersecurity is overwhelmingly a human problem. Tools won’t be a catch-all to correct a fundamental flaw in our approach, but they can play a key supporting role in reshaping human solutions.
What if we just built better tools (and lots of them)?
Security tooling is improving all the time. SAST/DAST/IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, cloud and network security applications: all no-brainers.
Humans can always strive to make better tools, but the innovation is not keeping up with the security and data protection needs of the digital world we live in. Tools are, for the most part, built with robots in mind. They might be there to assist developers and the security team in scanning, monitoring, or protecting code, but interaction is very limited, and very few solutions aim to elevate security awareness or improve core skills that can lead to better security outcomes.
In fact, more than half of enterprises don’t even know if the tools are working for them, nor are they confident that they could avoid a devastating data breach. That’s a very poor sentiment, and in a tools-obsessed industry lacking support for a different approach, tends to solidify the status quo and the problems within.
How can an organization leverage a human-led approach to security?
There is no question that staying ahead of the trends in application security technology is beneficial, and can even help prioritize upgrades or consolidations in a bloated tech stack, but to forgo targeting the root cause of vulnerable software - we mere humans - is going to keep us on the losing side of the cybersecurity battlefront.
If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security. They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow, or make security a chore to develop. Ideally, some tools would be developer-centric, built with their user experience front-of-mind.
To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, and before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it will take time and effort to implement an effective dream team. Winning developers over to care about security, and view secure coding as a foundation of code quality, takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive impact they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.
We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in Help Net Security. It has been updated and syndicated here.
I have spent my career finding, fixing, discussing, and breaking down software vulnerabilities, one way or another. I know that when it comes to some common security bugs, despite being in our orbit since the 90s, they continue to plague our software and cause major problems, even though the (often simple) fix has been known for almost the same length of time. It truly feels like Groundhog Day, where we as an industry seem to do the same thing over and over and expect a different result.
There’s another little problem, however. We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
To this end, I do have to wonder why so much of the commentary and analysis around cybersecurity has omitted solutions that truly address the root cause of so many vulnerabilities: humans. Gartner’s most recent Hype Cycle for Application Security, and Forrester’s The State of Application Security 2021, both bibles for security experts that undoubtedly help to shape their program and potential product adoption, are almost entirely tools-focused. A report by Aberdeen back in 2017 showed just how unruly the average security tech stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we’re grappling with more risk, more vulnerabilities, and more additions to growing tech stack beasts.
Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.
Automation is the future. Why should we care about the human element of cybersecurity?
Virtually everything in our lives is powered by software, and it’s true that automation is replacing the human elements that were once present in so many industries. It’s a sign of progress in a world digitizing at warp speed, with AI and machine learning hot topics keeping many organizations future-focused.
So, why, then, would a human-focused approach to cybersecurity be anything other than an antiquated solution to a technologically advancing problem? The fact that billions of data records have been stolen in breaches in the past year, including the most recent Facebook breach affecting over half a billion accounts, should indicate that we’re not doing enough (or taking the right approach) to make a serious counter-punch to threat actors.
Cybersecurity tooling is a much-needed component of cyber defense, and tools will always have a place. Analysts have been absolutely on point in recommending the latest tools in a risk mitigation approach for enterprises, and that will not change. However, with code quality (and, by definition, security) difficult to manage at the volume of code production, tools cannot do the job alone. To date, there is no single tool that will:
- Scan for every vulnerability, in every language:framework
- Scan at speed
- Minimize the double-handling caused by false positives and negatives
Tools can be slow, cumbersome, and unwieldy. Above all, however, they only find problems - they don’t fix them, or recommend solutions. The latter requires security experts, who are thin on the ground and overworked, wading through the trash to find treasure in endless pentesting and scanning results.
The fact is, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Almost half of those directly relate to software vulnerabilities, many of which could be alleviated if there was stronger adherence to secure coding and awareness in the early stages of the SDLC. However, for this to happen, a sharper and more relevant focus on education for developers - in addition to making it intrinsic to their workflow - is key.
Whether we like it or not, humans are deeply ingrained in the software development process, and cybersecurity is overwhelmingly a human problem. Tools won’t be a catch-all to correct a fundamental flaw in our approach, but they can play a key supporting role in reshaping human solutions.
What if we just built better tools (and lots of them)?
Security tooling is improving all the time. SAST/DAST/IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, cloud and network security applications: all no-brainers.
Humans can always strive to make better tools, but the innovation is not keeping up with the security and data protection needs of the digital world we live in. Tools are, for the most part, built with robots in mind. They might be there to assist developers and the security team in scanning, monitoring, or protecting code, but interaction is very limited, and very few solutions aim to elevate security awareness or improve core skills that can lead to better security outcomes.
In fact, more than half of enterprises don’t even know if the tools are working for them, nor are they confident that they could avoid a devastating data breach. That’s a very poor sentiment, and in a tools-obsessed industry lacking support for a different approach, tends to solidify the status quo and the problems within.
How can an organization leverage a human-led approach to security?
There is no question that staying ahead of the trends in application security technology is beneficial, and can even help prioritize upgrades or consolidations in a bloated tech stack, but to forgo targeting the root cause of vulnerable software - we mere humans - is going to keep us on the losing side of the cybersecurity battlefront.
If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security. They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow, or make security a chore to develop. Ideally, some tools would be developer-centric, built with their user experience front-of-mind.
To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, and before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it will take time and effort to implement an effective dream team. Winning developers over to care about security, and view secure coding as a foundation of code quality, takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive impact they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.
A version of this article appeared in Help Net Security. It has been updated and syndicated here.
I have spent my career finding, fixing, discussing, and breaking down software vulnerabilities, one way or another. I know that when it comes to some common security bugs, despite being in our orbit since the 90s, they continue to plague our software and cause major problems, even though the (often simple) fix has been known for almost the same length of time. It truly feels like Groundhog Day, where we as an industry seem to do the same thing over and over and expect a different result.
There’s another little problem, however. We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
To this end, I do have to wonder why so much of the commentary and analysis around cybersecurity has omitted solutions that truly address the root cause of so many vulnerabilities: humans. Gartner’s most recent Hype Cycle for Application Security, and Forrester’s The State of Application Security 2021, both bibles for security experts that undoubtedly help to shape their program and potential product adoption, are almost entirely tools-focused. A report by Aberdeen back in 2017 showed just how unruly the average security tech stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we’re grappling with more risk, more vulnerabilities, and more additions to growing tech stack beasts.
Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.
Automation is the future. Why should we care about the human element of cybersecurity?
Virtually everything in our lives is powered by software, and it’s true that automation is replacing the human elements that were once present in so many industries. It’s a sign of progress in a world digitizing at warp speed, with AI and machine learning hot topics keeping many organizations future-focused.
So, why, then, would a human-focused approach to cybersecurity be anything other than an antiquated solution to a technologically advancing problem? The fact that billions of data records have been stolen in breaches in the past year, including the most recent Facebook breach affecting over half a billion accounts, should indicate that we’re not doing enough (or taking the right approach) to make a serious counter-punch to threat actors.
Cybersecurity tooling is a much-needed component of cyber defense, and tools will always have a place. Analysts have been absolutely on point in recommending the latest tools in a risk mitigation approach for enterprises, and that will not change. However, with code quality (and, by definition, security) difficult to manage at the volume of code production, tools cannot do the job alone. To date, there is no single tool that will:
- Scan for every vulnerability, in every language:framework
- Scan at speed
- Minimize the double-handling caused by false positives and negatives
Tools can be slow, cumbersome, and unwieldy. Above all, however, they only find problems - they don’t fix them, or recommend solutions. The latter requires security experts, who are thin on the ground and overworked, wading through the trash to find treasure in endless pentesting and scanning results.
The fact is, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Almost half of those directly relate to software vulnerabilities, many of which could be alleviated if there was stronger adherence to secure coding and awareness in the early stages of the SDLC. However, for this to happen, a sharper and more relevant focus on education for developers - in addition to making it intrinsic to their workflow - is key.
Whether we like it or not, humans are deeply ingrained in the software development process, and cybersecurity is overwhelmingly a human problem. Tools won’t be a catch-all to correct a fundamental flaw in our approach, but they can play a key supporting role in reshaping human solutions.
What if we just built better tools (and lots of them)?
Security tooling is improving all the time. SAST/DAST/IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, cloud and network security applications: all no-brainers.
Humans can always strive to make better tools, but the innovation is not keeping up with the security and data protection needs of the digital world we live in. Tools are, for the most part, built with robots in mind. They might be there to assist developers and the security team in scanning, monitoring, or protecting code, but interaction is very limited, and very few solutions aim to elevate security awareness or improve core skills that can lead to better security outcomes.
In fact, more than half of enterprises don’t even know if the tools are working for them, nor are they confident that they could avoid a devastating data breach. That’s a very poor sentiment, and in a tools-obsessed industry lacking support for a different approach, tends to solidify the status quo and the problems within.
How can an organization leverage a human-led approach to security?
There is no question that staying ahead of the trends in application security technology is beneficial, and can even help prioritize upgrades or consolidations in a bloated tech stack, but to forgo targeting the root cause of vulnerable software - we mere humans - is going to keep us on the losing side of the cybersecurity battlefront.
If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security. They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow, or make security a chore to develop. Ideally, some tools would be developer-centric, built with their user experience front-of-mind.
To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, and before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it will take time and effort to implement an effective dream team. Winning developers over to care about security, and view secure coding as a foundation of code quality, takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive impact they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in Help Net Security. It has been updated and syndicated here.
I have spent my career finding, fixing, discussing, and breaking down software vulnerabilities, one way or another. I know that when it comes to some common security bugs, despite being in our orbit since the 90s, they continue to plague our software and cause major problems, even though the (often simple) fix has been known for almost the same length of time. It truly feels like Groundhog Day, where we as an industry seem to do the same thing over and over and expect a different result.
There’s another little problem, however. We’re not getting realistic advice, nor the fastest solutions, to combat the non-stop onslaught that is modern cybersecurity. Of course, each breach is different in its own way, and there are numerous attack vectors that can be exploited in vulnerable software. Feasible generic advice will be limited, but the best practice approach is looking more flawed by the hour.
To this end, I do have to wonder why so much of the commentary and analysis around cybersecurity has omitted solutions that truly address the root cause of so many vulnerabilities: humans. Gartner’s most recent Hype Cycle for Application Security, and Forrester’s The State of Application Security 2021, both bibles for security experts that undoubtedly help to shape their program and potential product adoption, are almost entirely tools-focused. A report by Aberdeen back in 2017 showed just how unruly the average security tech stack had become, with CISOs managing hundreds of products as part of their security strategies; four years later, we’re grappling with more risk, more vulnerabilities, and more additions to growing tech stack beasts.
Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.
Automation is the future. Why should we care about the human element of cybersecurity?
Virtually everything in our lives is powered by software, and it’s true that automation is replacing the human elements that were once present in so many industries. It’s a sign of progress in a world digitizing at warp speed, with AI and machine learning hot topics keeping many organizations future-focused.
So, why, then, would a human-focused approach to cybersecurity be anything other than an antiquated solution to a technologically advancing problem? The fact that billions of data records have been stolen in breaches in the past year, including the most recent Facebook breach affecting over half a billion accounts, should indicate that we’re not doing enough (or taking the right approach) to make a serious counter-punch to threat actors.
Cybersecurity tooling is a much-needed component of cyber defense, and tools will always have a place. Analysts have been absolutely on point in recommending the latest tools in a risk mitigation approach for enterprises, and that will not change. However, with code quality (and, by definition, security) difficult to manage at the volume of code production, tools cannot do the job alone. To date, there is no single tool that will:
- Scan for every vulnerability, in every language:framework
- Scan at speed
- Minimize the double-handling caused by false positives and negatives
Tools can be slow, cumbersome, and unwieldy. Above all, however, they only find problems - they don’t fix them, or recommend solutions. The latter requires security experts, who are thin on the ground and overworked, wading through the trash to find treasure in endless pentesting and scanning results.
The fact is, according to the IBM Cyber Security Intelligence Index Report, human error plays a role in 95% of all successful data breaches. Almost half of those directly relate to software vulnerabilities, many of which could be alleviated if there was stronger adherence to secure coding and awareness in the early stages of the SDLC. However, for this to happen, a sharper and more relevant focus on education for developers - in addition to making it intrinsic to their workflow - is key.
Whether we like it or not, humans are deeply ingrained in the software development process, and cybersecurity is overwhelmingly a human problem. Tools won’t be a catch-all to correct a fundamental flaw in our approach, but they can play a key supporting role in reshaping human solutions.
What if we just built better tools (and lots of them)?
Security tooling is improving all the time. SAST/DAST/IAST tools have come a long way, improving in speed and intelligence, and RASP should be a serious defensive consideration in many application environments. Firewalls, secrets managers, cloud and network security applications: all no-brainers.
Humans can always strive to make better tools, but the innovation is not keeping up with the security and data protection needs of the digital world we live in. Tools are, for the most part, built with robots in mind. They might be there to assist developers and the security team in scanning, monitoring, or protecting code, but interaction is very limited, and very few solutions aim to elevate security awareness or improve core skills that can lead to better security outcomes.
In fact, more than half of enterprises don’t even know if the tools are working for them, nor are they confident that they could avoid a devastating data breach. That’s a very poor sentiment, and in a tools-obsessed industry lacking support for a different approach, tends to solidify the status quo and the problems within.
How can an organization leverage a human-led approach to security?
There is no question that staying ahead of the trends in application security technology is beneficial, and can even help prioritize upgrades or consolidations in a bloated tech stack, but to forgo targeting the root cause of vulnerable software - we mere humans - is going to keep us on the losing side of the cybersecurity battlefront.
If we want to get serious about decreasing the number of code-level security vulnerabilities, then developers need to be given the foundations to succeed in sharing responsibility for security. They need relevant, hands-on education and on-the-job upskilling, and functional tooling that doesn’t disrupt their workflow, or make security a chore to develop. Ideally, some tools would be developer-centric, built with their user experience front-of-mind.
To this day, no formal security certification program exists for developers, but every company can benefit from benchmarking and growing secure coding skills, killing common vulnerabilities early and often, and before that big tech stack has to lurch into action and slow everything down.
A team of security-aware developers is a hidden treasure for any organization, but like anything worth having, it will take time and effort to implement an effective dream team. Winning developers over to care about security, and view secure coding as a foundation of code quality, takes an organization-wide commitment to put security first. And when entire teams are switched on to the positive impact they can play in eliminating common vulnerabilities as code is written, there isn’t a tool on Earth that can compete.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
The Secure-by-Design movement is the future of secure software development. Learn about the key elements companies need to keep in mind when they think about a Secure-by-Design initiative.
DigitalOcean Decreases Security Debt with Secure Code Warrior
DigitalOcean's use of Secure Code Warrior training has significantly reduced security debt, allowing teams to focus more on innovation and productivity. The improved security has strengthened their product quality and competitive edge. Looking ahead, the SCW Trust Score will help them further enhance security practices and continue driving innovation.
Resources to get you started
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
The Benefits of Benchmarking Security Skills for Developers
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
Driving Meaningful Success for Enterprise Secure-by-Design Initiatives
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.