| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Sep 2006 02:26:01 +1000 From: Benjamin Robson <ben.robson@...ssicblue.com.au> To: "Kenneth F. Belva" <ken@...security.com> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, full-disclosure-bounces@...ts.grok.org.uk Subject: Re: Could InfoSec be Worse than Death? Ken, I think your premise is based on a couple of pieces of flawed thinking. Firstly, your statement, "After all, information security doesn’t make money–it only spends." in my experience is actually incorrect. An effective information security outcome actually will save a company a significant amount of money. In my experience achieving an effective information security outcome for an organisation is more based on policy and procedure than it is through the implementation of technology. There are plenty of examples of organisations that are running with little or no security toolkit that are not exploited, achieving their security outcomes through effectively implemented, maintained and followed policy and procedures. It is through these policies and procedures that companies can save themselves significant money. When an effective policy and procedure set is in place the organisation does not gain a security outcome because some document says "thou shalt do things securely", it achieves a security outcome because specific behavioural requirements are stated and procedures provide how to meet these requirements. This proceduralisation of steps to achieve the requirements means that overall operational quality is improved, reducing the risk to the operational status of the business overall, and allows cheaper less skilled staff to be utilised for more scheduled, operational duties. It does not remove the need for higher end technical skill-sets, but it means that instead of having a $100Kp.a. staff member creating email accounts off-the-cuff the organisation can have a $50Kp.a. staff member creating email accounts reliably by following the documented procedures. So information security outcomes should not be presented as a cost-base for an organisation, but as an operational overhead reducing mechanism that has the added bonus of reducing the operational risk to the business and also the reduction of the information security risk as well. In other words the company saves money as well as improving reliability and security. How could a CFO not like that?! Secondly, in answer to your question "Why is it so hard to convince management to spend on security?", I would say because the language information security professionals use is so foreign to the audience as to be ineffective. When a C** level person, Director or other company executive meets a member of the IT staff the first thing that happens, shortly after the IT person opens their mouth, is that the C** level person, Director or other company executive's mind switches off the listening mechanism and ponders things more familiar to them. They are typically not capable nor interested in the ins-and-outs of why something happens, only when can they have a particular capability or when is it going to be fixed. The reason for this is because these people do not exist in a world of technology detail or implementation. They live in a world of revenue, cost, P&L, assets and business risk. What this means is that we, as security professionals, need to adapt our language to be that which they can understand. For example, instead of talking about servers, workstations, disk, etc... we need to talk in terms of Information Assets. When talking of information security outcomes we need to talk in terms of Information Asset Protection, and Business Risk mitigation. These are concepts that are easy for them to grasp. So when speaking of needing budget for a specific project one should not highlight the features it brings and how wonderful the blinking lights are, but should speak in terms of the current business risk that exists, the potential impact on the operational status of the organisation (including costs if quantifiable), and how much the project will save the organisation relative to the cost. For example, if looking to sell a Security Policy development project, demonstrate that without adequate policy sets the organisation's staff have no clear definition of what is required of them that is linked to the organisation's business planning. Show how by effectively defining the organisation's needs through the policy set, procedures can be derived to meet these needs that will allow the organisation to reduce the operational overheads of the organisation through the ability to use less skilled resources and the improvement of quality in outcomes. If looking to establish an anti-spam project, demonstrate how such a project can reduce the risk to the operational environment, improve productivity, reduce exposure to litigation through inappropriate materials and potentially lower the bandwidth costs of the company. The trick to engaging with the cheque signers within the organisation to achieve security outcomes is to demonstrate a cost benefit to the organisation and to speak in terms that are common to business management. Not to make it more complex through the introduction of more detailed language frameworks such as "Virtual Trust". I mean without reading the background documentation I (having worked in this space for almost 8 years) have no idea what is specifically meant by the term "Virtual Trust" (I can take a guess, but until I read the documentation it is just a guess). So if you walk up to a CEO and say "Hey boss, I'd like to talk about Virtual Trust", I don't think your going to get 100% of his attention, as apposed to going "Hey boss, I'd like to talk about reducing this business risk whilst reducing our operational costs." -- Benjamin M.A. Robson Senior Security Consultant Classic Blue Solutions 134-142 Ferrars St, Southbank Victoria, Australia, 3006 Phone: +61-(0)3-9684-3104 Mobile: +61-(0)434-149-022 Fax: +61-(0)3-9682-8680 "Kenneth F. Belva" <ken@...security.com> Sent by: full-disclosure-bounces@...ts.grok.org.uk 25/09/2006 10:05 PM To bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk cc Subject [Full-disclosure] Could InfoSec be Worse than Death? [From: http://www.bloginfosec.com] Our current way of viewing information security is loss prevention. It is an insurance model. And, although insurance is useful and necessary, senior managers are not likely to spend one dollar more than necessary to obtain the needed protection. After all, information security doesn’t make money–it only spends. Why is it so hard to convince management to spend on security? This is not a new problem. In Woody Allen’s 1975 classic “Love and Death”(1), he writes: “There are some things worse than death. If you’ve ever spent an evening with an insurance salesman, I’m sure you know exactly what I mean!” There is an alternative: Virtual Trust(2) as an information security model. According to the Virtual Trust model, security actually creates business and generates revenue. The VT model can be expanded to describe the breakdown of all modern day computing (via worms, viruses, phishing) since these nefarious activities weaken trust. VT can also explain positive business changes such as the creation of digital assets via DRM (iTunes, Unbox) whereas the insurance model cannot fully. (1) http://en.wikipedia.org/wiki/Love_and_Death (2) http://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ Content of type "text/html" skipped Content of type "image/jpeg" skipped _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists