Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Reports for Exec Management

from [Nick Owen] Network Security [Permanent Link]
Subject: Re: Reports for Exec Management
Date: Mon, 10 Apr 2006 10:07:20 -0400 
Mark Curphey wrote:

With respect, the cost to repairing a server from a virus attack is not an
affective metric that will get most senior managers attention. You should
always tie back information security to the business. Almost every company
in the world (with very few exceptions) are in the business of making money
and not in the business of running a secure environment. Put another way
they are in the business of running an environment that is secure enough to
do business. The financial cost due to lost productivity or due to loss of
critical business data will almost always far outweigh the cost of a
relatively low paid system admin repairing a host. Senior executives will
also relate to wasting time due to IT issues and annoyances of not being
able to get to their saved copy of that great Forbes article "Top Ten Global
Golf Courses to Do Business On".

IMHO ROI from security is widely touted by salesmen who think they can
somehow prove to someone that they can save money by lining their pockets in
exchange for a silver bullet. In reality unless they understand the detailed
financials of a company and how it makes money it is generally bs.
Quantitative risk assessment is usually based on assumptions that make it
meaningless.

The value of an info sec to most companies is that it lets them get on with
what they care about. Making money.


Or, from a finance perspective: creating value.  Making more money
increases the value of a company, but so does reducing the cost of
capital.  A stream of cash flow is worth more at a 5% cap rate than a
10% cap rate.  I think many CEO/CFO/Board types would understand info
sec investments presented as risk management techniques that reduce the
cost of capital as part of an NPV equation.  You could include
insurance as a line item too, to reinforce the idea.

ROI is helpful for the sales guy because it relates directly to the
investment in the product, but what the company needs is to increase
NPV. How the project's ROI ties into NPV is of interest to management, I
suspect.

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Reports for Exec Management, Richard Sullivan
Next by Date:  New site about security conferences : www.security-briefings.com, newslist@security-briefings.com
Previous by Thread:  RE: Reports for Exec Management, Richard Sullivan
Next by Thread:  RE: Reports for Exec Management, Crayola
Indexes:  [Date] [Thread] [Top] [All Lists]