Dailydave mailing list archives
Re: Drinking the Cool-aid
From: "Scharf, Stephen" <Stephen.Scharf () experian com>
Date: Fri, 21 Mar 2014 23:38:16 +0000
Hello Dan. I would not be so presumptuous as to assume I am your favorite CISO, but I will take a stab at your comment anyway. I am also a contributing member to the index, but cannot honestly remember which value I answered for the referenced question.

The truth is we buy security products with all the hopes and dreams they are packaged with and expect value will be derived from their cost. In some cases the cost to implement, and most importantly operate, outweighs the value the product delivers. In those situations it does take some managerial courage to step forward. But if handled correctly, it can be a run-rate cost saving exercise.

I myself had previously purchased a product (which will remain unnamed) that cost 4x to implement and 2x to operate and generated 1x in value. After giving every effort to salvage the situation, I made the decision to save 2x by eliminating the 1x value. After all, we are not running security charities, nor do we have unlimited funds to buy and retain every product on the market.

Fair to say that CISOs that make these errors frequently (and own up to them) will not be CISOs much longer. But hopefully the majority of CISOs see that removing solutions for valid reasons is not a career limiting exercise, but failing to do so could be.

-Stephen
Global CISO (of a company my email address gives away)

-----Original Message-----
From: dailydave-bounces () lists immunityinc com [mailto:dailydave-bounces () lists immunityinc com] On Behalf Of dan () geer org
Sent: Thursday, March 20, 2014 4:18 PM
To: Alfonso De Gregorio
Cc: dailydave
Subject: Re: [Dailydave] Drinking the Cool-aid

| Networks are often the result of successive technological layers. As
| organizations take on new business, face new threats, reconsider
| security notions (e.g., insider/outsider), or embrace "new" security
| paradigms, more security products get deployed, adding complexity and
| increasing the attack surface.
|
| The picture that emerges resembles one big security contraption. It is
| hard to tell at what extent it will work as intended.

The question to ask your favorite CISO/CIO/General Counsel is

  Have you or would you ever decommission a security product?

With the Index of Cyber Security (which I run with a colleague), in September, 2012, we asked a form of this question:

  What percentage of the security products you are running now would you still run if you were starting from scratch?

  0-20%     5% of respondents
  21-40%   15% of respondents
  41-60%   20% of respondents
  61-80%   27% of respondents
  81-100%  34% of respondents

Clearly, there are many who seem to be happy with what they have, and yet there is a significant number that thinks they could do better. One in five respondents reported that they would keep less than 40% of their current security products. Averaging the results, as many as 1 in 2 products at the higher end of the range, or 1 in 4 products at the lower end (25.4% to 45.6%) would be discarded if starting from scratch were to be an option. The mid-point of these high and low ranges was 35.5%, or roughly 1 in 3, which was interestingly high.

Part of the explanation here is surely that no CISO/CIO/GC wants to stand up in a Management Committee meeting and say "Our investment in the PushMePullMe Scanner has proved to be a total loss; we need $X,000,000 to decommission it and buy the tIPSy-nIPSy system instead." No, it will be to *add* tIPSy-nIPSy to the environment and leave the PushMePullMe Scanner up and running.

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Drinking the Cool-aid Dave Aitel (Feb 22)
- Re: Drinking the Cool-aid yersinia (Feb 24)
- Re: Drinking the Cool-aid Alfonso De Gregorio (Feb 24)
- Re: Drinking the Cool-aid dan (Mar 21)
- Re: Drinking the Cool-aid Scharf, Stephen (Mar 24)
- Re: Drinking the Cool-aid dan (Mar 24)
- Re: Drinking the Cool-aid dan (Mar 21)
- Re: Drinking the Cool-aid Andreas Lindh (Mar 03)
- Re: Drinking the Cool-aid Joe Gatt (Mar 03)
- Re: Drinking the Cool-aid Andre Gironda (Mar 03)
- Message not available
- Re: Drinking the Cool-aid Eggensperger, Roy E (Mar 03)