Security Basics: Re: The Return on Investment of Good Security

["Adriel T. Desautels" <ad_lists () netragard com>]

Yes, you are right on the money.

We've already got a few good white papers that we allow our prospects  
to download. These papers arm the prospects with intelligence whereby  
enabling them to vet out the frauds from the real providers.  But yes,  
my goal is to set a higher standard for security services, not just  
within my own business. Yes, we are a very high quality provider and  
that is because of how much effort, thought, and experience we have to  
put into being such a provider.  We'll never call ourselves the best,  
once anyone thinks that its nearly time for a big fat "Game over".
Quality providers are measured by the depth, accuracy and quality of  
their deliverables. Missing something as basic as a default SNMP  
configuration is pretty weak unless the technology was installed or  
configured after the assessment. Networks do change and something that  
is secure today might not be tomorrow.

On Jan 5, 2009, at 3:56 PM, Mercurio, Michael D (Dante) wrote:

> The article is basically stating you get what you pay for. The problem
> is the measurement of a 'good' vs. 'bad' service is not as easy as  
> just
> comparing pricing. To make your point, the vendor needs to provide
> 'quality' service and I'm assuming you are making the argument that  
> your
> company is the 'quality' vendor that costs more, but I have seen many
> high priced vendors who did not have a clue.
>
> Simple example, I once found default SNMP read/write access to a bank
> core switch that was missed by a previous 'nationally known quality'
> vendor who charged twice as much. In order to justify a higher price,
> you need to educate people on what qualifies as a 'good' vs. 'bad'
> vendor besides price.
>
> You might want to touch on items such as:
> 1) Review and compare scopes of work to ensure they are both doing the
> same thing.
> 2) Review a sample report to ensure you will be getting something of
> quality back.
> 3) Ask for sample resumes of consultants that will be conducting the
> assessment.
> 4) Ask to contact some references.
>
> The items above will tell you more about a 'quality' vendor than the
> price of the assessment and also provide more reasons why an  
> assessment
> will cost more.
>
> M. Dante Mercurio, CISSP, CCNA
> http://www.mercurio.ws
> http://advinsecurity.wordpress.com
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ]
> On Behalf Of Adriel T. Desautels
> Sent: Friday, January 02, 2009 6:46 PM
> To: pen-test list
> Cc: security-basics () securityfocus com
> Subject: The Return on Investment of Good Security
>
> Latest blog entry for those who care. This one compares the Return on
> Investment of good security services to the Return on Investment of  
> poor
> quality security services.  As usual comments and criticisms are  
> welcome
> and appreciated.
>
> Direct link as requested:
>
> http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-of
> .html
>
>
>         Adriel T. Desautels
>         ad_lists () netragard com
>         --------------------------------------
>
>         Subscribe to our blog
>         http://snosoft.blogspot.com


        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com