Hi,
They didn't stablished a precise number. Their suggestion ranges from
5 to 8 percent.
I know they didn't. But they did establish a precise benefactor of that
narrow range: "all" businesses. I find that to be very presumptuous of
Gartner.
Secondly, Gartner
needs to get its act together and actually define what they are saying is
security. Are they including that RFID door pass which runs through te IT
department and site back-ups or do they mean just system solutions?
This new model is supposed to cover every element within a corporative
information system, staff included. But that is far away from my
point.
The current thead only aims to gather pen testing results.
Your question regarded pen testing further down the mail. My comment was
about Gartner's ridiculous punditry in action. How can we realistically
comment on pen-testing under that model if the model itself is both
unrealistic and improperly defined?
If by anti-virus, you also mean web-content control solutions, then I
guess it's not like that.
No. I mean anti-virus. Anyway, my point here is that they should not
recommend spending without qualifying spending because people do buy
expensive things that may not be the right solution for the problem.
So to say people should devote ANY arbitrary number to security makes no
sense. How about they start talking instead about the level of controls
(not solutions) that all Internet-based services and infrastructures should
have in place for 2007.
It's not their precise role, its ours.
Do you mean pen testers when you say "we"? And "we" have a role in
defining the controls that all Internet based services and infrastructures
should have in place? Why? Why isn't it the job of the people building the
security defenses into the architecture and products of the individual
companies? If Gartner wants to take a role in telling businesses what they
should spend on security then why don't they properly qualify that by
telling them also which controls make the most sense to spend that money
on? And if they can't do that, then they will need to qualify where the
5-8% value comes from.
Oh wait, they want to reduce everything to an
arbitrary dollar amount instead of making sense.
Don't be such an immature professional and assume a proactive posture
because that is exactly what would complete the referred analysis
firm's numbers.
I don't understand how a proactive posture will complete the numbers of
some company exactly? Please explain this better.
Anyway I'll try harder to be a more mature professional in the future.
Thanks for the advice!
-pete.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
