I just put up my new poll for this week. Here are the question and the answers to choose from.
In your organization, are most security purchases based on:
Reaction to an event or scare
Cool Toy "C" level wants to implement
Careful Research
Good sales pitch by vendor
Other
If you select Other, please leave me a comment and let me know how your company decides on what to buy.
5 comments:
I chose other because our IT budget is at 1.4% of revenue and Security gets none of that.
risk reduction :)
I picked careful research, mostly because we don't buy things without doing some team evaluation on whether we really need it.
Cool C-level toys are typically general IT things and not security-related, in my experiences. Those being part of IT purchases (or wastes of time when they ask for careful research) are still too numerous...
Some products/initiatives do come after a scare or incident. In my current company's case, we'd never looked at disk encryption until the past year, entirely due to mgmt hearing so much about the issue. It's always been there and hasn't really changed at all in 3 2 decades (I say 2 to account for the portability of equipment and data). Thankfully, media coverage has opened doors for us to fill that gap. (Assuming we ever find an FDE product we're happy with that plays well with Altiris...)
I'd say it's actually a combination of all of the above for me. An attack or request or something comes in from business for security or monitoring or such. The security guy finds a cool toy and tries to implement it, we then find alternatives, make a project, check them out and deploy.
A large driving factor is also Audits which is not an option but I think should be. A bad audit finding for us gets a lot more money than a good idea.
Huh? Where is compliance in that?