Re: Gartner's Security 3.0

["M.B.Jr." <marcio.barbado () gmail com>]

Dear Pete,

On 10/17/07, Pete Herzog <lists () isecom org> wrote:
> Hi,
>
> I think such things are so dumbed down that they make no argument at all.
> First, it depends upon the business.  Not all business need to spend the
> same became they are not all protecting the same thing.

They didn't stablished a precise number. Their suggestion ranges from
5 to 8 percent.

>   Secondly, Gartner
> needs to get its act together and actually define what they are saying is
> security.  Are they including that RFID door pass which runs through te IT
> department and site back-ups or do they mean just system solutions?

This new model is supposed to cover every element within a corporative
information system, staff included. But that is far away from my
point.
The current thead only aims to gather pen testing results.

> Thirdly, cost and function are two totally different beasts.  You can do
> stupid things like buying AntiVirus licenses for all desktops that will eat
> up a great deal of any budget or you can pay attention to architecture,
> design, hardening running services, etc. for the systems in operation for
> the cost of a person per N systems (actually it may already be included in
> the system set-up and roll-out department).

If by anti-virus, you also mean web-content control solutions, then I
guess it's not like that.

> So to say people should devote ANY arbitrary number to security makes no
> sense.  How about they start talking instead about the level of controls
> (not solutions) that all Internet-based services and infrastructures should
> have in place for 2007.

It's not their precise role, its ours.

>   Oh wait, they want to reduce everything to an
> arbitrary dollar amount instead of making sense.

Don't be such an immature professional and assume a proactive posture
because that is exactly what would complete the referred analysis
firm's numbers.



> M.B.Jr. wrote:
> > Pentesters,
> >
> > Gartner's recently -- during its 2007 IT Security Summit -- released
> > it's new corporative Information Security approach, named "Security
> > 3.0".
> > Basically, it suggests that 8 percent (and no less whatsoever than 5%)
> > of the companies' IT budget be focused on security.
> >
> > It is something no doubt but personally I think it could be more, say 10%.
> >
> > The thing is:
> > how are you, as a pentester, feeling such, concerning your incomes?
> >
> >
> > Yours faithfully,



-- 
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------