RE: Wlan @ bestbuy is cleartext?

From: Matthew Leeds (mleedsat_private)
Date: Tue May 07 2002 - 10:17:11 PDT


    If the corporate image is so important (and I certainly believe it is), then how companies deal with security, how companies implement and prioritize security, how they respond to security concerns, all these and more are part of the analysis that admins must perform as they present a cost/benefit discussion that deals with each and every new system (and existing systems). Raising the level of awareness of the total cost of ownership, the total cost of a security breach, the total risk of such a breach, all this and more is the responsibility of whoever has ownership of the IT vision within a company. It's important to understand that today, security risks undertaken by an organization may/will come to light under the scrutiny of the public/press at some future time, and that there are costs with respect to taking those risks.
    
    This overflows into other areas of organization behavior. Organizations that choose to engage in risky behavior, whether with respect to IT security, or in other areas, find that the equation of risk/reward is shifting, as increased public/press scrutiny is applied. What were the long-term effects of the Bhopal accident to Union Carbide, the Exxon Valdez oil spill to Exxon, of the Enron scandal? How has public behavior towards these organizations changed as a result of their willingness to engage in risky behavior? Unless and until there is a consequence, unless and until the public at large acts, you are likely to see the inertia of large organizations continue, with short-term cost/benefit analysis instead of long-term analysis being the norm.
    
    ---Matthew
    *********** REPLY SEPARATOR  ***********
    
    On 5/7/2002 at 1:07 AM Ron DuFresne wrote:
    
    >
    >It's a problem of security often not being driven from the top down.  And
    >this is so common in the IT industry.  Some have pointed out how security
    >might well be a financial burden some companies are well willing to forego
    >and bear out the costs of compromises, seeing it as a cheaper alternative.
    >Many are failing to understand that security can have an impact upon how
    >their corporate image can be perceived to those they do business with, and
    >to their direct customers. And this has been one of the problems faced by
    >a number of very visible security related companies.  Image/reputation is
    >a cost sometimes well above what can be borne out by the beancounters and
    >upper management.  HIPAA is going to have a very substantial impact on
    >companies, if the government can find a way to really audit and validate
    >compliance.  So many of those that will have to comply are so far out in
    >left field of securely managing the information they are tasked with we
    >might well see a fallout of major attempts to get under the security
    >umbrella on par to the issues faced with trying to deal with y2k issues a
    >few years back.
    >
    >Still, alas, few of the admins I've had the 'pleasure' of working with
    >really paid security a serious visual at all.  Most seem to have
    >forgotten more than they retained.  After all, security begins with the OS
    >install.  And most seem to have learned far too many bad habits to
    >sometimes even adapt when an organization does push security in a top down
    >manner.  Often they are more difficult to bring 'onboard' than the end
    >users.
    >
    >
    >Thanks,
    >
    >Ron DuFresne
    >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    



    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 12:36:38 PDT