
| Subject: | Re: security not a big priority? |
|---|---|
| Date: | Thu, 15 Feb 2007 17:44:33 -0500 |
On Thu, Feb 15, 2007 at 10:43:46AM -0600, Francois Yang wrote:
> This is a community college, so I've sent an e-mail to my boss every time there was news about a school being hacked and in every e-mail I've added comments on how they could have prevented being compromised. I even wrote a long letter describing why we need such things as IDS and what could happen if we don't have one. I also included a long list of schools that were hacked into in 2006. Apparently that doesn't seem to be effective.

It's very simple Francois. You need to build a business case for why your security changes are important. You need to show ROI. You need to show in concrete business terms the amount that your school stands to lose in the event of a breach. You need to justify the probability of compromise without the IDS and you need to justify the probability of compromise with the IDS (hint: they're the same, it's not an IPS unless that's what you meant) and then you need to show the amount of damage that can be done without notification and with.

You can't expect your boss to automatically assume security is important if you can't show in concrete (or even estimated) business terms how it stacks up against these other competing projects.

Hope that helps

Aaron