Firewall Wizards mailing list archives

RE: Re: Flawed Surveys [was: VPN endpoints]


From: "Stailey, Mike" <Mike.Stailey () henryschein com>
Date: Fri, 3 Sep 2004 14:55:07 -0400

Mike,
Point taken and noted. I agree somewhat. However, until the powers that be (our enterprises) REALLY believe that 
security is important both from an inside standpoint as well as what comes at us, we as security practitioners are 
preaching to the choir. We are the professionals that have a higher level of accurate stats than any phone survey of 
"Hi, got a few minutes to answer some computer security questions?". My point is until someone that is a *national 
authority* stands up and says "this is a problem we need to fix" enterprises are not going to fork over the cash that 
is needed to do the complete job. No matter how many matrices we give them. You did not address my comment on SOX which 
I believe is the *national authority*. It forces enterprises to not only show compliance to a higher network security 
standard but also internal controls as well. If there are bad practices going on inside a company you can be darn sure 
the SOX process will make the top guys aware of it. This means the top guys have knowledge and their butts are now on 
the line.

So, we now have the attention of the top guys with the dough. I truly believe the smart ones (us) will then contract an 
outside security firm to help them with risk, solution, prevention. Now we have facts and figures from two reliable 
sources (us and the contractors) and feed them back to the SOX process which in turn will build the needed stats.

No, I don't work for the government or a security contracting firm in case you were wondering.

Paul, 
How many times in our career have we busted hump with charts, facts and figures on something we were passionate about 
and when we got an audience with the top brass we noticed their eyes glazing over? Could SOX, while on the surface it seems 
like yet another B-S big-brother piece of legislation that's not going to work, be disguised as the start of a 
"revolution"?

Still sticking to my story...


Mike.




-----Original Message-----
From: MHawkins () TULLIB COM [mailto:MHawkins () TULLIB COM]
Sent: Friday, September 03, 2004 1:50 PM
To: paul () compuwar net; Stailey, Mike
Cc: mjr () ranum com; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]


Mike,

> Mike - In CA all public companies must disclose any security breaches.

This is not true. Security breaches WHERE CUSTOMER INFORMATION was
compromised must be reported.

My point is that, for an accurate picture of costs and risks to be
developed, ALL security breaches need to be detailed and tabulated then
analyzed by actuaries and statisticians to build up a risk matrix.

Even CA's legislation does not do that, nor was it intended to.

CA's legislation primarily is intended to indirectly protect privacy. There
is no DIRECT incentive. It's indirect. This is the same problem I was referring
to. Hackers provide a direct incentive to organizations to protect their
networks. Surprise, surprise, enterprises are fairly good at protecting
themselves from hackers. On the other hand, enterprises are AWFUL at protecting
themselves from disgruntled employees and other internal risks.

Until we measure ALL such risks, we shall never know where to spend our
money.

CA legislation is very wide of that mark.

Mike H



-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net]
Sent: Friday, September 03, 2004 1:43 PM
To: Stailey, Mike
Cc: Hawkins, Michael; mjr () ranum com; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]


On Wed, 1 Sep 2004, Stailey, Mike wrote:

> Mike - In CA all public companies must disclose any security breaches.
> Also, we now have the Sarbanes/Oxley act for publicly held companies.
> Yes, it's got a long way to go but like in Paul's prior posts - it's
> definitely a start in the right direction.
>
> Anyway, that's my story and I'm sticking to it...

Isn't it bad though, that these regulations are coming from outside of our
field?  Shouldn't we be the ones lobbying and drafting and providing
guidance?

Maybe the costs will make businesses shy away from practitioners who would
advocate more regulation, but maybe that's the revolution we need in this
field to gain the next level of effectiveness?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards