Security's Everyman

Security's Everyman

Monday, January 05, 2009

More on Failure of Investment

My buddy Jack Daniel pointed us to a new blogger that is worth following. As I was looking through some of his post I ran across one entitled "Failure of Investment". Of course that caught my eye because of the conversations that myself, Jack Daniel (here and here) and a few others had on this topic back in September of last year.

Tim's post got me to thinking again about FOI. I had intended to expand on the concept more last year, but as you (hopefully) noticed my blogging fell off drastically the last few months of the year due to life getting in the way. Now that a new year is here and I'm hoping to get back into regular blogging and what better topic than FOI to start with.

What I want to talk about today is defining FOI at a more granular level.
Failure is measured differently for different technologies. You can't define failure the same for a firewall as you would a host based Anti-virus program. They are different technologies and have to be measured differently. If can even be argued that within the same technology there are different tolerance levels for failure. An AV program that lets a virus through to a workstation that has very limited network access isn't as serious as one that allows a AD server to get infected.

So how do you go about defining failure? It goes back to a security basic. Risk. What is the risk if failure happens w/ a technology at a certain level. This is why it is so important that decisions to purchase and implement technologies not be taken lightly. Don't make a decision based on the fact that it is from a certain vendor. Don't make a decision based solely on price. Don't make a decision based on "ease of use".

You have to know what you are protecting, what the value of it to the company is and what level of failure can each thing handle. If you don't know this then you are going to set yourself up for FOI and a new job search.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.