Security Basics
mailing list archives
Re: The Return on Investment of Good Security
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Sat, 3 Jan 2009 18:12:56 -0500
Tony,
While I understand and respect your point of view I disagree. If you
pay for quality security services you will probably avoid suffering
the damages of a successful compromise. If you avoid that compromise
then you never need to suffer damages and lose money as a result. I
suppose that's not really savings, but it does prevent loss.
If on the other hand you do not use a quality service provider then
you do run the very high risk of suffering a compromise. So then I'll
ask, how much are your assets worth? What is the value of your
network, its systems, your emails, your customer information, your
source code, etc? Is it worth more than $20,000, is it worth more than
$50,000.00? If it is then why would you choose the bunk security
service over the real one?
So the question really is, are your assets worth protecting Tony? If
you're interested I can prove my point about the differences in
quality. Have my team do a followup penetration test and allow us to
reproduce the threat that you'll likely face in the real world. We'll
probably get in, thank god we're the good guys right? Too bad most of
the bad guys are testing you better than most of the security
providers though. ;]
On Jan 3, 2009, at 10:20 AM, tony_l_turner () yahoo com wrote:
I've always felt that any attempts to calculate ROI for security
investments led to confusion. There really is no return on
investment, just mitigated or avoided risk. It's similar to buying
insurance (although that creates a certain amount of risk
transference) but either is a completely different scenario than
buying a server or a new DBMS that directly translates to increased
transaction volume or decreased contact times. ROI on security is a
misnomer. It is an attempt to justify security expenditures and
while some sort of model is needed to represent the impact for the
investment and the returns gained, ROI seems a poor choice.
------Original Message------
From: Adriel T. Desautels
Sender: listbounce () securityfocus com
To: pen-test list
Cc: security-basics () securityfocus com
Sent: Jan 2, 2009 6:45 PM
Subject: The Return on Investment of Good Security
Latest blog entry for those who care. This one compares the Return on
Investment of good security services to the Return on Investment of
poor quality security services. As usual comments and criticisms are
welcome and appreciated.
Direct link as requested:
http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-of.html
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
Sent from my Verizon Wireless BlackBerry
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com