2009-08-08 01:31:40


In addition to my reply to Rich I want to address the cost of doing
business with regard to security mitigation.

For a moment I would like to jump to another, more email-centric example:
SPAM.  SPAM can be easily mitigated using the latest email server
software and following the best current procedures to minimize the
impact of SPAM upon an organization's systems and users.  Even after all
possible efforts are considered, SPAM can still get through.  If SPAM
does not get through, it still consumes bandwidth across networking
devices and bandwidth on the email server.  SPAM mitigation costs CPU
cycles on email servers that could be used for other, more productive
tasks.  Those wasted CPU cycles increase load, which is a management
concern for server load balancing and power distribution costs in a
server farm.

No matter what we do, and even if no SPAM gets through to the end user,
the administrator has still spent time, money, and resources to defend
their network.  From the perspective of a project manager or a business
owner, that is funding that could be invested to grow the business if not
wasted on mitigation.  That is additional personnel and equipment that
could be retasked to perform other operations to make the organization
more productive and competitive.  At the end of the day, the final
business result is additional costs.

Security vulnerabilities, much like SPAM, are a high cost and a drain on
any organization.  Even if mitigation completely eliminated 100% of the
problem 100% of the time, it would still come at a cost, a cost that
would be unnecessary if those vulnerabilities were eliminated.

If I were a key decision maker in the investment of business assets
across a large organization, I would want to eliminate costs to the
business as much as possible.  If there are positive benefits associated
with, but not directly related to, those cost savings, that is simply an
unintended business benefit even if the technology benefits are

In summary, after all technology decisions and impacts are considered, at
the end of the process will this result in a savings to the business?  I
believe it will result in an astounding cost savings if a significant
majority of reported vulnerabilities could be either eliminated or
substantially reduced.

Thank you,

