Comments on TaoSecurity Blog: Cheap IT Is Ultimately Expensive
Blog author: Richard Bejtlich
Feed updated: 2023-10-16T06:06:25.012-04:00
10 comments

Anonymous (2009-07-13T04:37:04.118-04:00):
This comment has been removed by a blog administrator.

Richard Bejtlich (2009-05-28T09:58:50.439-04:00):
Pete, "measuring" risk is a joke. Measuring loss is mostly impossible. (Tell me how much you lose when a competitor steals your data to improve their products over the next 10 years.) Measuring cost is the exercise most likely to produce trustworthy results since you can track money leaving the company.

Measuring cost is what I refer to in this post. I'd love to measure loss but it's not going to yield real numbers. Measuring "risk" is a giant guess.

Regarding "ROI," I have a security program I'd like you to "invest" in. Just send me a check for whatever amount you like. When I don't send you any money back maybe you'll see where I'm coming from regarding "ROI." :)

Pete (2009-05-28T09:31:20.046-04:00):
@Richard -

Okay, if we simply don't use those terms are you onboard with the need to measure costs, risk, and losses (we must do this to determine how much was avoided)? And are you okay with using standard economic and risk management techniques to perform these measurements?

Note that you are doing this in a broad way, anyway, any time you assert that something is NOT CHEAPER...right? Doesn't it make sense to be clearer about the magnitude and extent by which you are making those assertions?

(Digressing back to your concerns about ROI, profit includes revenue and expenses. So if I hold revenue constant and reduce expenses, then my profit increases. So if a security solution reduces expenses, it increases profit. Voila!)

Pete

Richard Bejtlich (2009-05-27T20:05:13.342-04:00):
Pete, when you can run a profitable (or heck, break-even) company that does nothing but security (but doesn't sell it as a service to external customers) then I'll recognize security as having ROI. Until then security remains a loss avoidance exercise that supports others who sell products and/or services to external customers.

Pete (2009-05-27T19:59:07.291-04:00):
@Richard -

You want ROI and/or ROSI...except you usually don't want ROI and/or ROSI. I recommend reading "How to Measure Anything" by Hubbard to get over your quantophobia. ;-)

Pete

Unknown (2009-05-26T12:20:09.191-04:00):
@Richard
I think the post above this one is a spam you want to delete. Talk about insidious...taking part of an earlier comment!

@Keydet89
I think I poorly truncated my earlier comment. My point is that if an organization does not accept that an incident will occur, then it seems to always be in their best interest to go the route that appears the cheapest, which worsens the security gamble for us. This would be like not assuming a category 5 hurricane will ever happen in location X, so location X opts to only build levees to withstand category 1-4.

Unknown (2009-05-24T01:42:35.330-04:00):
Not everyone seems to believe that, or at least their actions don't seem to be in line with it. Spending for security still seems to be the Gamble that an incident won't occur.
Berkey Filters

H. Carvey (2009-05-23T07:44:13.018-04:00):
"...this is all based on the accepted assumption that an incident will occur."

I'm not sure I agree that this is an assumption. Given the Verizon Security reports and others like them, as well as my own experience as an incident responder, a great number of incidents occur without the victim organization's knowledge, and they have to be told by an outside party...be it someone attacked from their site, a bank or Acquirer doing fraud analysis, etc.

You're correct about the gamble...I think the issue is that IT managers are faced with the certainty of a sales guy sitting in front of them with a purchase order, and they have to weigh that against the potential/perceived uncertainty of an incident actually occurring. The issue is that in most cases, the incidents have already occurred.

Unknown (2009-05-22T16:27:57.621-04:00):
I don't know of any data either to support this, but I do agree that you're correct.

However, this is all based on the accepted assumption that an incident will occur. Not everyone seems to believe that, or at least their actions don't seem to be in line with it. Spending for security still seems to be the Gamble that an incident won't occur.

JL Loya (2009-05-22T02:40:52.636-04:00):
Excellent article, I liked it a lot. I think that what you say is true, cheaper is expensive.