Re: Gartner's Security 3.0

From: Pete Herzog (lists@isecom.org)
Date: Sat Oct 20 2007 - 18:38:45 EDT


Hi,

> They didn't establish a precise number. Their suggestion ranges from
> 5 to 8 percent.

I know they didn't. But they did establish a precise benefactor of that
narrow range: "all" businesses. I find that to be very presumptuous of
Gartner.

>
>> Secondly, Gartner
>> needs to get its act together and actually define what they are saying is
>> security. Are they including that RFID door pass which runs through the IT
>> department and site back-ups or do they mean just system solutions?
>
> This new model is supposed to cover every element within a corporate
> information system, staff included. But that is far away from my
> point.
> The current thread only aims to gather pen testing results.

Your question regarded pen testing further down the mail. My comment was
about Gartner's ridiculous punditry in action. How can we realistically
comment on pen-testing under that model if the model itself is both
unrealistic and improperly defined?

>
> If by anti-virus, you also mean web-content control solutions, then I
> guess it's not like that.

No. I mean anti-virus. Anyway, my point here is that they should not
recommend spending without qualifying spending because people do buy
expensive things that may not be the right solution for the problem.

>
>> So to say people should devote ANY arbitrary number to security makes no
>> sense. How about they start talking instead about the level of controls
>> (not solutions) that all Internet-based services and infrastructures should
>> have in place for 2007.
>
> It's not their precise role, it's ours.

Do you mean pen testers when you say "we"? And "we" have a role in
defining the controls that all Internet-based services and infrastructures
should have in place? Why? Why isn't it the job of the people building the
security defenses into the architecture and products of the individual
companies? If Gartner wants to take a role in telling businesses what they
should spend on security then why don't they properly qualify that by
telling them also which controls make the most sense to spend that money
on? And if they can't do that, then they will need to qualify where the
5-8% value comes from.

>
>> Oh wait, they want to reduce everything to an
>> arbitrary dollar amount instead of making sense.
>
> Don't be such an immature professional and assume a proactive posture
> because that is exactly what would complete the referred analysis
> firm's numbers.

I don't understand how a proactive posture will complete the numbers of
some company exactly? Please explain this better.

Anyway I'll try harder to be a more mature professional in the future.
Thanks for the advice!

-pete.

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT