On Tue, 29 Jul 2003 13:14:49 EDT, Jason <[EMAIL PROTECTED]> said: > Wrong, the cost benefit does work out for the business. We are at 3.9 > million because we did not pay attention to the assets that needed > protecting and implement best practices. At 3.9 million we are still > under the extremely conservative $4million estimate from one single outage!
You can harp on "best practices" all you want - hell, *I* certainly do it enough. However, you have to come to some realizations here. All "best practices" cost something to implement. And at some point, the cost of prevention is going to exceed the cost of cleaning up. And at this point, the boss asks "So what are the chances we'll make it through the entire rest of the fiscal year without having to blow *another* $1.3M, compared to the chances we'll get wormed before the next advisory comes out?" Remember - we're up to MS03-*030* and it's still July. At $1.3M per, you've burned some $39M already to protect against a $4M threat. Security is *tradeoffs*. Do I wish all my users were patched against MS03-026? Yes. Do I think some will get trashed by whatever worm comes by? Yes - the last worm nailed 200 boxes or so before we got specific router filters in place. However, when the cost of forcing *all* the users to upgrade exceeds the cost of cleaning up the 200 that will get whacked, it's *REAL* hard to get resources allocated - I've never net a VP-level exec that would agree to the idea that they should spend $2M to protect against a $500K threat because it's "best practices". The only ways you'll get your $2M is to either make it under $500K instead, or something raises the $500K (for instance, if "liable for a $1.5M fine under the newly passed protection-of-private-law" gets added in...) Anybody who can't understand *that* probably doesn't get the joke about a $200 chip protecting the $0.75 fuse by blowing up first....
pgp00000.pgp
Description: PGP signature
