Re: Gartner's Security 3.0

[Pete Herzog <lists () isecom org>]

Hi,

> They didn't stablished a precise number. Their suggestion ranges from
> 5 to 8 percent.

I know they didn't.  But they did establish a precise benefactor of that 
narrow range: "all" businesses.  I find that to be very presumptuous of 
Gartner.

> >   Secondly, Gartner
> > needs to get its act together and actually define what they are saying is
> > security.  Are they including that RFID door pass which runs through te IT
> > department and site back-ups or do they mean just system solutions?
>
> This new model is supposed to cover every element within a corporative
> information system, staff included. But that is far away from my
> point.
> The current thead only aims to gather pen testing results.

Your question regarded pen testing further down the mail.  My comment was 
about Gartner's ridiculous punditry in action. How can we realistically 
comment on pen-testing under that model if the model itself is both 
unrealistic and improperly defined?

> If by anti-virus, you also mean web-content control solutions, then I
> guess it's not like that.

No.  I mean anti-virus.  Anyway, my point here is that they should not 
recommend spending without qualifying spending because people do buy 
expensive things that may not be the right solution for the problem.

> > So to say people should devote ANY arbitrary number to security makes no
> > sense.  How about they start talking instead about the level of controls
> > (not solutions) that all Internet-based services and infrastructures should
> > have in place for 2007.
>
> It's not their precise role, its ours.

Do you mean pen testers when you say "we"?  And "we" have a role in 
defining the controls that all Internet based services and infrastructures 
should have in place?  Why? Why isn't it the job of the people building the 
security defenses into the architecture and products of the individual 
companies?  If Gartner wants to take a role in telling businesses what they 
should spend on security then why don't they properly qualify that by 
telling them also which controls make the most sense to spend that money 
on?  And if they can't do that, then they will need to qualify where the 
5-8% value comes from.

> >   Oh wait, they want to reduce everything to an
> > arbitrary dollar amount instead of making sense.
>
> Don't be such an immature professional and assume a proactive posture
> because that is exactly what would complete the referred analysis
> firm's numbers.

I don't understand how a proactive posture will complete the numbers of 
some company exactly? Please explain this better.

Anyway I'll try harder to be a more mature professional in the future. 
Thanks for the advice!

-pete.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------