I have to agree,
Security is "viewed" as a negative, because it's always been about what you shouldn't do, or couldn't do, instead of a "risk proposition" it really should be "viewed" as.

What is your ROI on security? Well, ask how much a breach known to the public/regulators, etc. will cost your company both from the fines/penalties levied due to non-compliance and then try and estimate the residual losses from brand loss/tarnished company image, paying for credit reporting for hundreds if not thousands of individuals who you just lost their PHI/EPHI, CC card numbers or some other critical piece of information due to a lack of due-diligence and due-care, or the lawsuits that will have to be settled due to said information loss.

Now can we say this will never happen if you maintain a high level of security? "NO", but you will be less at "risk" and better positioned if the aforementioned above was to come to pass, and better able to defend yourself in lawsuits, court of law, etc. than you would be if you just played the "ostrich defense" or totally ignored the security aspects, which would show gross negligence and lead to a host of other issues.

So getting the business to reduce the risk of their operations to an acceptable level, comply with the current and future regulations/laws is a task in its own right. You should also strive to build your systems with tenets of security in mind (Confidentiality, Integrity and Availability) along with practicing least privilege and segregation of duties, and then tie it all up with auditing your infrastructure and properly risk-managing them through the information life-cycle.

Sincerely,
EZ

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: Jonathan Link [mailto:[email protected]]
Sent: Tuesday, February 22, 2011 2:34 PM
To: NT System Admin Issues
Subject: Re: Security ROI - comment on this please

That's just dumb.

The Myth, well, I don't know who's been saying that security produces ROI, I'd never heard of that myth. Protects revenue generation, is as far as I'd define security processes in this context.

The "fact" is interesting. Is insurance a negative deliverable, too? Do businesses waste money on insurance?

As MBS, ASB and others indicate, it's about risk mitigation. Lawsuits and other costs related to a data breach are the true negative deliverables.

On Tue, Feb 22, 2011 at 1:53 PM, David Lum <[email protected]> wrote:

This is on a Powerpoint that just came to my desk:

Myth: Security produces ROI
Fact: Security is a negative deliverable
1. Produces no revenue and creates no efficiencies
2. Although limits possibilities that a future negative fallout will happen

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
