Re: Gartner's Security 3.0

From: M.B.Jr. (marcio.barbado@gmail.com)
Date: Sat Oct 20 2007 - 15:26:15 EDT


Dear Pete,

On 10/17/07, Pete Herzog <lists@isecom.org> wrote:
> Hi,
>
> I think such things are so dumbed down that they make no argument at all.
> First, it depends upon the business. Not all businesses need to spend the
> same because they are not all protecting the same thing.

They didn't establish a precise number. Their suggestion ranges from
5 to 8 percent.

> Secondly, Gartner
> needs to get its act together and actually define what they are saying is
> security. Are they including that RFID door pass which runs through the IT
> department and site back-ups or do they mean just system solutions?

This new model is supposed to cover every element within a corporate
information system, staff included. But that is far away from my
point.
The current thread only aims to gather pen testing results.

> Thirdly, cost and function are two totally different beasts. You can do
> stupid things like buying AntiVirus licenses for all desktops that will eat
> up a great deal of any budget or you can pay attention to architecture,
> design, hardening running services, etc. for the systems in operation for
> the cost of a person per N systems (actually it may already be included in
> the system set-up and roll-out department).

If by anti-virus you also mean web-content control solutions, then I
guess it's not like that.

> So to say people should devote ANY arbitrary number to security makes no
> sense. How about they start talking instead about the level of controls
> (not solutions) that all Internet-based services and infrastructures should
> have in place for 2007.

It's not their precise role, it's ours.

> Oh wait, they want to reduce everything to an
> arbitrary dollar amount instead of making sense.

Don't be such an immature professional and assume a proactive posture
because that is exactly what would complete the referred analysis
firm's numbers.

> M.B.Jr. wrote:
> > Pentesters,
> >
> > Gartner recently -- during its 2007 IT Security Summit -- released
> > its new corporate Information Security approach, named "Security
> > 3.0".
> > Basically, it suggests that 8 percent (and no less whatsoever than 5%)
> > of the companies' IT budget be focused on security.
> >
> > It is something no doubt but personally I think it could be more, say 10%.
> >
> > The thing is:
> > how are you, as a pentester, feeling such, concerning your incomes?
> >
> >
> > Yours faithfully,
> >
> >
> >
>

-- 
Marcio Barbado, Jr.
"In fact, companies that innovate on top of open standards are
advantaged because resources are freed up for higher-value work and
because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT