Something that I hear all the time that gets my goat is "What is the industry standard for that?" What I want to say is "What does it matter?" Very few of the companies in my industry have a network or environment anywhere close to what we have. Most of them are much smaller companies, with smaller networks and less complex environments. So what is standard for them is not standard for us. I understand what the intent of the question is, but intent doesn't help us in this. What will help us is to quit trying to look like any other company out there and do what is best for us.
If we choose to go with a completely different architecture, technology or philosophy than anyone else, that is fine as long as it is what works for us and what makes the most sense for our business model and processes. Industry standards, best practices and the like are a great place to start, but don't use them as the apex of your program. PCI is a good baseline for securing your network, but that doesn't mean meeting it will ensure a secure network. You have to know your environment and what will work for you. That is YOUR industry standard. Your company and your environment are your industry. Not what another insurance office, manufacturing plant or real estate office is doing. It's not what SANS, NIST or any other organization says. It's what secures your company according to your level of risk acceptance, network environment and company culture.