Firewall Wizards mailing list archives

Re: SCADA (or: How I learned to love receiving FWW in digest form)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 17 Apr 2009 18:24:52 -0400

Dotzero wrote:
> would Marcus' artist friend agree to a 10% or 20% increase in his
> utility bills to have "proper security" (however one defines this)?

Wait a minute!! It was properly secure BEFORE.
In fact, they had to have SPENT MONEY to make it worse.

Someone, someplace, put it into a less secure state
"to save money" or "for business reasons." What we're
seeing is that their cost/benefit analysis was wrong;
it didn't save as much as they thought (because they
did it wrong!) or, if it recouped enough on the
investment, then any additional security expense
comes out of that profit/benefit's margin.

Let me belabor that point a bit: security is often
seen as a bill that gets presented; a cost of doing
business. What they don't understand is that the
bill is just interest coming due for when they cut
some corners years ago. A break-in or disaster is
that interest, compounded.

This is one reason I am (obviously) highly skeptical
of many business justifications. They omit to take
hidden costs into account and then try to shift/blame
someone else for them later. It's very easy to see
something as a profitable and desirable activity as
long as you only look at the upside.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

