Imagine you are scheduled to meet a colleague (whom you don't know well) for a chat over lunch. They mail you to ask you to pick them up a sandwich.
Sounds fine, yes? But you get to the sandwich shop and find there are forty types of sandwich. Some are low in fat. Some are gluten free. Some are bacon-filled, some vegetarian, and a couple are vegan. There is tomato in many, and chilli in some. Red meat and pork also feature. There are even wraps and mini rolls. And I haven't even started on the seafood options.
You have no idea what your colleague wants. So you can either a) pick something you think everyone will like (trust me, there is no such beast), or b) ask them what they want.
Being asked for "best practice advice" is very like being in this situation. Unless you know the requirements, preferences and tolerances of your customer, you are going to have problems. And if you pick something you would like for yourself, you have missed a really big point: you are not the one who is going to be eating that sandwich.
Now let's amp this up a bit. Imagine that, instead of a sandwich, that same colleague emails and says "Buy me a car". OK, that sounds nuts. Why? Because there are even more variables at play. Is this a toy car? A small run-about for town? A people carrier, or a four-by-four? What make? What model? What options? What colour(s)? What age? The list of questions just goes on and on. You don't have the information to answer them unless you know exactly the requirements. And the cost of guessing wrong could be catastrophic.
Information security controls can be expensive to apply, and getting them wrong can damage the overall image of the team, and of the profession.
If you are close to your colleague - or, back in the infosec world, if you are part of the business - you are in a position to identify suitable risk treatments.