Security Basics mailing list archives
Re: The Return on Investment of Good Security
From: "adeel hussain" <ad33lh () gmail com>
Date: Tue, 6 Jan 2009 04:25:36 -0500
Hello Everyone,

The topic seems to be shifting from ROI to quality of service (in relation to vulnerability assessments or pen tests). Perhaps we need to keep in mind that the scope of any engagement is critical to its impact and relevance to our security posture. If I engage a crack tiger team to penetrate my crown jewel DB then there are probably going to be certain assumptions: one, that I have secured it to the best of my ability; two, that lower level assessments and tests have been performed to eliminate the "obvious" holes; three, that the time of these highly trained and expensive talents will be focused on the stuff I cannot learn by pointing Nessus and Metasploit at it.

All these and a thousand other variables should be determined by your existing setup, the history of the systems involved (security involved and known threats) and the value of the systems and data they contain/process.

Good and Bad are extremely subjective terms; perhaps we should focus on cost-effective. Have the Nessus specialist do your vuln assessment for his/her price, have the security service providers review the overall system for their price and have the "Tiger" teams attack specific targets (perhaps via less well guarded systems) for their price.

No one system, service, person or philosophy will protect you against everything, but a coordinated effort by those you determine are required can provide satisfaction that you have done what is reasonable to secure your system. After that it is all incident handling and damage control.

Adeel

On Mon, Jan 5, 2009 at 3:56 PM, Mercurio, Michael D (Dante) <michael.mercurio () verizonbusiness com> wrote:
The article is basically stating you get what you pay for. The problem is the measurement of a 'good' vs. 'bad' service is not as easy as just comparing pricing. To make your point, the vendor needs to provide 'quality' service and I'm assuming you are making the argument that your company is the 'quality' vendor that costs more, but I have seen many high priced vendors who did not have a clue. Simple example: I once found default SNMP read/write access to a bank core switch that was missed by a previous 'nationally known quality' vendor who charged twice as much.

In order to justify a higher price, you need to educate people on what qualifies as a 'good' vs. 'bad' vendor besides price. You might want to touch on items such as:

1) Review and compare scopes of work to ensure they are both doing the same thing.
2) Review a sample report to ensure you will be getting something of quality back.
3) Ask for sample resumes of consultants that will be conducting the assessment.
4) Ask to contact some references.

The items above will tell you more about a 'quality' vendor than the price of the assessment and also provide more reasons why an assessment will cost more.

M. Dante Mercurio, CISSP, CCNA
http://www.mercurio.ws
http://advinsecurity.wordpress.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel T. Desautels
Sent: Friday, January 02, 2009 6:46 PM
To: pen-test list
Cc: security-basics () securityfocus com
Subject: The Return on Investment of Good Security

Latest blog entry for those who care. This one compares the Return on Investment of good security services to the Return on Investment of poor quality security services. As usual comments and criticisms are welcome and appreciated.

Direct link as requested: http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-of.html

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog http://snosoft.blogspot.com