[ISN] Are hired hackers worth the cost?

From: InfoSec News (isnat_private)
Date: Wed Mar 27 2002 - 01:37:07 PST

  • Next message: InfoSec News: "[ISN] NCIX WEB SITE UPDATE ADVISORY #4-2002"

    By Wayne Rash, Special to ZDNet
    26 March 2002
    COMMENTARY: There's one way to prove that security is a necessary IT 
    expense: hire hackers to successfully break into your own network. 
    CFOs are treating security as a cost item to be controlled--and in 
    some cases, even eliminated. That's the buzz at the recent CeBit trade 
    Despite IT managers wanting to spend more on security, CFOs are 
    putting the brakes on such spending. The latest thinking, apparently, 
    is that the terrorist activity was more than a quarter ago, so it's 
    history. In other words, CFOs are seeing all those security costs on 
    the balance sheet--yet they're not seeing any security problems. (The 
    fact that increased security is heading off problems is lost on them.) 
    This doesn't surprise me. I've been hearing similar sentiments from 
    people in the US. Outside the IT community, it seems that security is 
    either a business impediment or an unnecessary cost. As a result, CIOs 
    and network managers are under constant pressure to do less, as a way 
    to save money and reduce inconvenience. 
    Unfortunately, the primary argument to unlock dollars for security 
    infrastructure is that you have to get attacked first. But there's one 
    way to prove that security is a necessary IT expense: hire hackers to 
    successfully break into your own network. That's right--hackers for 
    hire. Though it sounds like an oxymoron, a number of companies, 
    notably Computer Sciences Corporation of El Segundo, California, 
    employ hacker engineers. 
    These "ethical hackers" will break into your network, take it over, 
    and then produce a security assessment report that uncovers your 
    vulnerabilities. At this point, security is no longer a theoretical 
    issue. You can point to specific tasks you must complete to protect 
    your company's integrity. 
    Of course, hackers for hire don't come cheap. I heard from some CeBit 
    show attendees that a simple firewall check, for example, can cost 
    But if your company balks at hiring a hacker and insists on reining in 
    the security budget, remind everyone that you'll be living on borrowed 
    time. Controlling costs is always important, but you can't risk 
    millions of dollars by being lulled into complacency. 
    Wayne Rash runs a product testing lab near Washington, DC. He's been 
    involved with secure networking for 20 years and is the author of four 
    books on networking topics. 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 05:21:50 PST