Security Basics mailing list archives

Re: security not a big priority?


From: secbasics () dusty ece cmu edu
Date: Thu, 15 Feb 2007 17:44:33 -0500

On Thu, Feb 15, 2007 at 10:43:46AM -0600, Francois Yang wrote:
> This is a community college, so I've sent an e-mail to my boss
> every time there was news about a school being hacked, and in every
> e-mail I've added comments on how they could have prevented being
> compromised.
> I even wrote a long letter describing why we need such things as IDS
> and what could happen if we don't have one. I also included a long
> list of schools that were hacked into in 2006. Apparently that
> doesn't seem to be effective.

It's very simple, Francois. You need to build a business case for why your security changes are important. You need to show ROI. You need to show, in concrete business terms, the amount that your school stands to lose in the event of a breach. You need to justify the probability of compromise without the IDS, and you need to justify the probability of compromise with the IDS (hint: they're the same; it's not an IPS, unless that's what you meant), and then you need to show the amount of damage that can be done without notification and with.

You can't expect your boss to automatically assume security is important if you can't show, in concrete (or even estimated) business terms, how it stacks up against these other competing projects.

Hope that helps.

Aaron
