Message-ID: <OF1AEE64AB.29A101CD-ONCA2571F4.0057644E-CA2571F4.005A4443@au1.ibm.com>
Date: Tue, 26 Sep 2006 02:26:01 +1000
From: Benjamin Robson <ben.robson@...ssicblue.com.au>
To: "Kenneth F. Belva" <ken@...security.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: Could InfoSec be Worse than Death?

Ken,

I think your premise is based on a couple of pieces of flawed thinking.

Firstly, your statement, "After all, information security doesn’t make 
money–it only spends." in my experience is actually incorrect.  An 
effective information security outcome actually will save a company a 
significant amount of money.  In my experience achieving an effective 
information security outcome for an organisation is more based on policy 
and procedure than it is through the implementation of technology.  There 
are plenty of examples of organisations that are running with little or no 
security toolkit that are not exploited, achieving their security outcomes 
through effectively implemented, maintained and followed policy and 
procedures.

It is through these policies and procedures that companies can save 
themselves significant money.  When an effective policy and procedure set 
is in place the organisation does not gain a security outcome because some 
document says "thou shalt do things securely", it achieves a security 
outcome because specific behavioural requirements are stated and 
procedures provide how to meet these requirements.  This proceduralisation 
of steps to achieve the requirements means that overall operational 
quality is improved, reducing the risk to the operational status of the 
business overall, and allows cheaper, less-skilled staff to be utilised for 
more scheduled, operational duties.  It does not remove the need for 
higher end technical skill-sets, but it means that instead of having a 
$100K p.a. staff member creating email accounts off-the-cuff the 
organisation can have a $50K p.a. staff member creating email accounts 
reliably by following the documented procedures.

So information security outcomes should not be presented as a cost-base 
for an organisation, but as an operational overhead reducing mechanism 
that has the added bonus of reducing the operational risk to the business 
and also the reduction of the information security risk as well.  In other 
words the company saves money as well as improving reliability and 
security.  How could a CFO not like that?!

Secondly, in answer to your question "Why is it so hard to convince 
management to spend on security?", I would say because the language 
information security professionals use is so foreign to the audience as to 
be ineffective.  When a C** level person, Director or other company 
executive meets a member of the IT staff the first thing that happens, 
shortly after the IT person opens their mouth, is that the C** level 
person, Director or other company executive's mind switches off the 
listening mechanism and ponders things more familiar to them.  They are 
typically neither capable of nor interested in the ins-and-outs of why 
something happens, only in when they can have a particular capability or 
when it is going to be fixed.

The reason for this is that these people do not exist in a world of 
technology detail or implementation.  They live in a world of revenue, 
cost, P&L, assets and business risk.  What this means is that we, as 
security professionals, need to adapt our language to be that which they 
can understand.  For example, instead of talking about servers, 
workstations, disk, etc... we need to talk in terms of Information Assets. 
When talking of information security outcomes we need to talk in terms of 
Information Asset Protection, and Business Risk mitigation.  These are 
concepts that are easy for them to grasp.  So when speaking of needing 
budget for a specific project one should not highlight the features it 
brings and how wonderful the blinking lights are, but should speak in 
terms of the current business risk that exists, the potential impact on 
the operational status of the organisation (including costs if 
quantifiable), and how much the project will save the organisation 
relative to the cost.

For example, if looking to sell a Security Policy development project, 
demonstrate that without adequate policy sets the organisation's staff 
have no clear definition of what is required of them that is linked to the 
organisation's business planning.  Show how by effectively defining the 
organisation's needs through the policy set, procedures can be derived to 
meet these needs that will allow the organisation to reduce the 
operational overheads of the organisation through the ability to use less 
skilled resources and the improvement of quality in outcomes.  If looking 
to establish an anti-spam project, demonstrate how such a project can 
reduce the risk to the operational environment, improve productivity, 
reduce exposure to litigation through inappropriate materials and 
potentially lower the bandwidth costs of the company.

The trick to engaging with the cheque signers within the organisation to 
achieve security outcomes is to demonstrate a cost benefit to the 
organisation and to speak in terms that are common to business management, 
not to make it more complex through the introduction of more detailed 
language frameworks such as "Virtual Trust".  I mean without reading the 
background documentation I (having worked in this space for almost 8 
years) have no idea what is specifically meant by the term "Virtual Trust" 
(I can take a guess, but until I read the documentation it is just a 
guess).  So if you walk up to a CEO and say "Hey boss, I'd like to talk 
about Virtual Trust", I don't think you're going to get 100% of his 
attention, as opposed to going "Hey boss, I'd like to talk about reducing 
this business risk whilst reducing our operational costs."


-- 
Benjamin M.A. Robson
Senior Security Consultant

Classic Blue Solutions
134-142 Ferrars St, Southbank
Victoria, Australia, 3006
Phone: +61-(0)3-9684-3104
Mobile: +61-(0)434-149-022
Fax: +61-(0)3-9682-8680





"Kenneth F. Belva" <ken@...security.com> 
Sent by: full-disclosure-bounces@...ts.grok.org.uk
25/09/2006 10:05 PM

To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
cc: 
Subject: [Full-disclosure] Could InfoSec be Worse than Death?

[From: http://www.bloginfosec.com]

Our current way of viewing information security is loss prevention. It
is an insurance model. And, although insurance is useful and necessary,
senior managers are not likely to spend one dollar more than necessary
to obtain the needed protection. After all, information security doesn’t
make money–it only spends.

Why is it so hard to convince management to spend on security?

This is not a new problem. In Woody Allen’s 1975 classic “Love and
Death”(1), he writes: “There are some things worse than death. If you’ve
ever spent an evening with an insurance salesman, I’m sure you know
exactly what I mean!”

There is an alternative: Virtual Trust(2) as an information security
model. According to the Virtual Trust model, security actually creates
business and generates revenue.

The VT model can be expanded to describe the breakdown of all modern day
computing (via worms, viruses, phishing) since these nefarious
activities weaken trust. VT can also explain positive business changes
such as the creation of digital assets via DRM (iTunes, Unbox) whereas
the insurance model cannot fully.

(1) http://en.wikipedia.org/wiki/Love_and_Death
(2) http://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


