Re: DHS Cyber Security Investment Study

[Valdis.Kletnieks () vt edu]

On Mon, 12 Sep 2005 13:39:56 EDT, "Rowe, Brent" said:

> clear that I are not interested in learning the makeup of your IT
> infrastructure, the IT policies and procedures your organization
> employs, the number of breaches you have each year, or any other
> sensitive information related to your organization's IT security.
> Instead, I am interested in discussing the information you use to decide
> how much to spend on various IT security-related activities and what
> information you are collecting (and using) from your IT system
> operations.

Any attempt at trying to analyze information about budget allocations
without at least some understanding of the IT policies is probably doomed
to failure.  At least in our shop, there are things we track in a very
anal-retentive fashion, and information we don't bother collecting, *because*
our policies say the first is important and the second one is ignorable.

For instance, if I told you how many hundreds of dollars we spent on perimeter
firewalls last year, you'd be totally dazed and confused unless you understood
our thinking regarding perimeter firewalls. (And yes, "hundreds" is the right
units, and yes, we know what we're doing, and no, I don't want to hear how
we're nuts. It works *in our environment, YMMV...:)

Attachment: _bin
Description: