Hello Dan. I would not be so presumptuous to assume I am your favorite CISO, but I will take a stab at your comment anyway. I am also a contributing member to the index, but cannot honestly remember which value I answered for the referenced question.
The truth is we buy security products with all the hopes and dreams they are packaged with and expect value will be derived from their cost. In some cases the cost to implement, and most importantly operate, outweighs the value the product delivers. In those situations it does take some managerial courage to step forward. But if handled correctly, it can be a run-rate cost saving exercise. I myself had previously purchased a product (which will remain unnamed) that cost 4x to implement and 2x to operate and generated 1x in value. After giving every effort to salvage the situation, I made the decision to save 2x by eliminating the 1x value. After all, we are not running security charities, nor do we have unlimited funds to buy and retain every product on the market. Fair to say that CISOs that make these errors frequently (and own up to them) will not be CISOs much longer. But hopefully the majority of CISOs see that removing solutions for valid reasons is not a career limiting exercise, but failing to do so could be.

-Stephen
Global CISO (of a company my email address gives away)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, March 20, 2014 4:18 PM
To: Alfonso De Gregorio
Cc: dailydave
Subject: Re: [Dailydave] Drinking the Cool-aid

| Networks are often the result of successive technological layers. As
| organizations take on new business, face new threats, reconsider
| security notions (e.g., insider/outsider), or embrace "new" security
| paradigms, more security products get deployed, adding complexity and
| increasing the attack surface.
|
| The picture that emerges resembles one big security contraption. It is
| hard to tell to what extent it will work as intended.

The question to ask your favorite CISO/CIO/General Counsel is:

Have you or would you ever decommission a security product?

With the Index of Cyber Security (which I run with a colleague), in September, 2012, we asked a form of this question:

What percentage of the security products you are running now would you still run if you were starting from scratch?

0-20%      5% of respondents
21-40%    15% of respondents
41-60%    20% of respondents
61-80%    27% of respondents
81-100%   34% of respondents

Clearly, there are many who seem to be happy with what they have, and yet there is a significant number that thinks they could do better. One in five respondents reported that they would keep less than 40% of their current security products. Averaging the results, as many as 1 in 2 products at the higher end of the range, or 1 in 4 products at the lower end (25.4% to 45.6%) would be discarded if starting from scratch were to be an option. The mid-point of these high and low ranges was 35.5%, or roughly 1 in 3, which was interestingly high.

Part of the explanation here is surely that no CISO/CIO/GC wants to stand up in a Management Committee meeting and say "Our investment in the PushMePullMe Scanner has proved to be a total loss; we need $X,000,000 to decommission it and buy the tIPSy-nIPSy system instead." No, it will be to *add* tIPSy-nIPSy to the environment and leave the PushMePullMe Scanner up and running.

--dan

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
