Home page logo
/

basics logo Security Basics mailing list archives

Re: security not a big priority?
From: secbasics () dusty ece cmu edu
Date: Thu, 15 Feb 2007 17:44:33 -0500

On Thu, Feb 15, 2007 at 10:43:46AM -0600, Francois Yang wrote:
This is a community college, so I've sent an e-mail to my boss
everytime there was news about a school being hacked and in every
e-mail I've added comments on how they could have prevented being
compromised.
I even wrote a long letter describing why we need such things as IDS
and what could happen if we don't have one. I also included a long
list of schools that were hacked into in 2006.  apparently that
doesn't seem to be affective.

It's very simple Francois. You need to build a business case for why your security changes are important. You need to 
show ROI. You need to show in concrete 
business terms the amount that your school stands to lose in the event of a breach. You need to justify the probability 
of compromise without the IDS and you 
need to justify the probability of compromise with the IDS (hint: they're the same, it's not an IPS unless that's what 
you meant) and then you need to show the 
amount of damage that can be done without notification and with.

You can't expect your boss to automatically assume security is important if you can't show in concrete (or even 
estimated) business terms how it stacks up 
against these other competing projects.

Hope that helps

Aaron


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]