North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: DHS Cyber Security Investment Study
On Mon, 12 Sep 2005 13:39:56 EDT, "Rowe, Brent" said: > clear that I are not interested in learning the makeup of your IT > infrastructure, the IT policies and procedures your organization > employs, the number of breaches you have each year, or any other > sensitive information related to your organization's IT security. > Instead, I am interested in discussing the information you use to decide > how much to spend on various IT security-related activities and what > information you are collecting (and using) from your IT system > operations. Any attempt at trying to analyze information about budget allocations without at least some understanding of the IT policies is probably doomed to failure. At least in our shop, there are things we track in a very anal-retentive fashion, and information we don't bother collecting, *because* our policies say the first is important and the second one is ignorable. For instance, if I told you how many hundreds of dollars we spent on perimeter firewalls last year, you'd be totally dazed and confused unless you understood our thinking regarding perimeter firewalls. (And yes, "hundreds" is the right units, and yes, we know what we're doing, and no, I don't want to hear how we're nuts. It works *in our environment, YMMV...:) Attachment:
pgp00018.pgp
|