How to get better security people

batz batsy at vapour.net
Tue Mar 26 17:56:39 UTC 2002


On Mon, 25 Mar 2002, Sean Donelan wrote:

:Customers need to let companies know that security and responsiveness
:affects their purchasing decisions.  I think some companies are getting
:the message.  But in today's market, with tight budgets and layoffs,
:security is often viewed as overhead.  

The mantra at the consulting firms I have had conversations with is
showing ROI for security services. I think that much of the value
in security services to date has been in the anti-virus field. The
reason for this is that one can easily measure and express the costs
saved by being immune to a particular virus or worm, which might have
cost a day or more of business. Contrasted with the number of new
virus reports affecting M$ products on a daily basis, the value is
pretty easy to see. 

It can be difficult to show the returned value of auditing ACLs, or
implementing an IDS infrastructure, despite the profound importance
of doing so. 

Nimda and CodeRed were excellent indicators of how a good
security policy can be a competitive edge during (increasingly common)
global incidents. Hopefully we will see more security folks pressing
this message, and more decision makers hearing it.

:A lot of providers are lucky
:if they have one network engineer who does security stuff in her spare
:time.  Full-fledge security departments are rare.

This is where managed security services are gaining popularity. Regardless
of the technical merits of assembling some COTS solutions and generating
periodic reports, it can be more cost effective than hiring CCSP/GIAC/CISSPs
at $60-90k USD a pop, while still operating with some reasonable level
of assurance that your infrastructure is being monitored.  


--
batz
