Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Could InfoSec be Worse than Death?

from [Paul Schmehl] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Could InfoSec be Worse than Death?
Date: Mon, 25 Sep 2006 13:45:16 -0500
--On Monday, September 25, 2006 11:30:36 -0400 "Kenneth F. Belva" <ken@ftusecurity.com> wrote:

Paul,

Thanks for your comments.

Unless you can demonstrate concrete revenue generationg directly
attributable to security, I don't think you can overcome that perception
(and loss avoidance through trust building does not generate revenue.)


I believe the purpose of the paper is to move away from the loss avoidance
model and describe information security in fashion that demonstrates how
security mechanisms have a direct role to play in the creation of assets
and business relationships.

I understand that, but I think your trust model is merely a euphemism for loss avoidance. And I don't see how you can avoid being seen as loss avoidance - unless you can show the ability to generate revenue.

Ben Robson writes, 'Firstly, your statement, "After all, information security doesn?t make money?it only spends." in my experience is actually incorrect. An effective information security outcome actually will save a company a significant amount of money.'

Saving money is a form of generating revenue indeed, but even in his description Ben is forced to use the words "reducing the risk" to describe his money saving techniques. That's loss avoidance, plain and simple.

Mind you, I'm not saying there is no merit to couching your argument in the trust model terms. I'm just saying that any PHB worth is salt will automatically translate the model into "loss avoidance". They might make dumb decisions from time to time (or at least what appear to be dumb decisions to us), but most PHBs *are* pretty intelligent creatures, and they excel at cutting through the BS to the bottom line arguments. (That's why, in part, they *are* PHBs.)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: p7sACaFnQtoFs.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Could InfoSec be Worse than Death?, Kenneth F. Belva
Next by Date:  Re: [Full-disclosure] Could InfoSec be Worse than Death?, Brian Eaton
Previous by Thread:  [Full-disclosure] Could InfoSec be Worse than Death?, Kenneth F. Belva
Next by Thread:  Re: [Full-disclosure] Could InfoSec be Worse than Death?, Brian Eaton
Indexes:  [Date] [Thread] [Top] [All Lists]