Re: security not a big priority?
From: secbasics () dusty ece cmu edu
Date: Thu, 15 Feb 2007 17:44:33 -0500
On Thu, Feb 15, 2007 at 10:43:46AM -0600, Francois Yang wrote:
> This is a community college, so I've sent an e-mail to my boss
> every time there was news about a school being hacked and in every
> e-mail I've added comments on how they could have prevented being
> I even wrote a long letter describing why we need such things as IDS
> and what could happen if we don't have one. I also included a long
> list of schools that were hacked into in 2006. Apparently that
> doesn't seem to be effective.
It's very simple, Francois. You need to build a business case for why your security changes are important. You need to show ROI. You need to show in concrete business terms the amount that your school stands to lose in the event of a breach. You need to justify the probability of compromise without the IDS and you need to justify the probability of compromise with the IDS (hint: they're the same; it's not an IPS unless that's what you meant), and then you need to show the amount of damage that can be done without notification and with.

You can't expect your boss to automatically assume security is important if you can't show in concrete (or even estimated) business terms how it stacks up against these other competing projects.
Hope that helps