Gservo
23rd January 2003, 03:38 AM
Source: Network Computing
http://www.nwc.com/1401/1401f2.html
You know information security is integral to IT operations and to business success. But infosec's role and resource levels are still up for debate. One thing is clear, though: Building a strong defense isn't cheap, so wise management of funding and resources is crucial. We'd love to provide a definitive road map stating that Technology A should be chosen over Technology B, but each organization has its own challenges and dynamics. In "Secure to the Core" we painted the big picture. Here's advice on fine-tuning your plan. A key point of contention, especially in lean economic times, is the lack of clear ROI (return on investment) numbers attached to security efforts. A classic argument is that there is similarly no clear return on life insurance, but that doesn't stop most of us from buying it; still, attempting to formulate operational-security ROI may be a lost cause (see "Desperately Seeking the Security ROI," and "Security Fears Are Up, So Why Is Spending Down?"). Similar but more mature practice areas have adopted different measurement standards. For example, corporate security/financial fraud units frequently measure their effectiveness by comparing audited loss statistics to industry baselines. If their losses are greater than industry baselines, they are doing poorly; if losses are lower, they are performing above average. Although the infosec industry lacks such data, history and methodology, it's clear that smart spending can reduce losses--and, conversely, negligence can cost you big.