Understand the total cost of ownership and return on investment for network security solutions
The Business Case for Network Security: Advocacy, Governance, and ROI addresses the needs of networking professionals and business executives who seek to assess their organization’s risks and objectively quantify both costs and cost savings related to network security technology investments. This book covers the latest topics in network attacks and security. It includes a detailed security-minded examination of return on investment (ROI) and associated financial methodologies that yield both objective and subjective data. The book also introduces and explores the concept of return on prevention (ROP) and discusses the greater implications currently facing corporations, including governance and the fundamental importance of security, for senior executives and the board.
Making technical issues accessible, this book presents an overview of security technologies that uses a holistic and objective model to quantify issues such as ROI, total cost of ownership (TCO), and risk tolerance. This book explores capital expenditures and fixed and variable costs, such as maintenance and upgrades, to determine a realistic TCO figure, which in turn is used as the foundation in calculating ROI. The importance of security policies addressing such issues as Internet usage, remote-access usage, and incident reporting is also discussed, acknowledging that the most comprehensive security equipment will not protect an organization if it is poorly configured, implemented, or used. Quick reference sheets and worksheets, included in the appendixes, provide technology reviews and allow financial modeling exercises to be performed easily.
An essential IT security-investing tool written from a business management perspective, The Business Case for Network Security: Advocacy, Governance, and ROI helps you determine the effective ROP for your business.
This volume is in the Network Business Series offered by Cisco Press®. Books in this series provide IT executives, decision makers, and networking professionals with pertinent information about today’s most important technologies and business strategies.
An interview with author Warren Saxe was published in the March 4, 2005, issue of Investor's Business Daily. Warren spoke about how much firms should spend on computer security, what top executives need to know, and how good security differs from years ago.
Below is an excerpt from the interview, printed with permission of Investor's Business Daily.
IBD: Why write a book on the business case for network security?
Saxe: We started with the information technology managers and asked: How do they effectively sell to the business side that security is needed, and which types?
IT managers live in a subculture that's all about the lack of security. By the time they get to the executive suite and blurt it all out, it can come across as fear-mongering. There's a need to create understanding among nontechnical people: Just what do they need to know and to understand so they can do a better job of oversight?
IBD: What's the right amount to spend on security?
Saxe: It comes down to risk and what risk the company is willing to tolerate. It's hard to say what should be spent.
I. VULNERABILITIES AND TECHNOLOGIES.
1. Hackers and Threats.
Contending with Vulnerability
Realizing Value in Security Audits
Assessing Vulnerability and Response
Hackers: Motivation and Characteristics
The Enemy Within: Maliciousness and Sloppiness
The Future of Hacking and Security
2. Crucial Need for Security: Vulnerabilities and Attacks.
Design Vulnerability Issues
Human Vulnerability Issues
Implementation Vulnerability Issues
Categories of Attacks
The Human Component in Attacks
Denial of Service Attacks
Additional Common Attacks
Scanning and System Detailing
Software and Protocol Exploitation
Man-in-the-Middle Wireless Attacks
Wireless Denial of Service
The Hapless Road Warrior
Examples of Social Engineering Tactics
Summary of Attacks
Cisco SAFE Axioms
Routers Are Targets
Switches Are Targets
Hosts Are Targets
Networks Are Targets
Applications Are Targets
3. Security Technology and Related Equipment.
Authentication, Authorization, and Accounting: AAA
Public Key Infrastructure
From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems
Network- and Host-Based IDS
E-Mail Content Filtering
Assessment and Audit
Additional Mitigation Methods
Stopping a Worm with Network-Based Application Recognition
Automated Patch Management
Notebook Privacy Filter
4. Putting It All Together: Threats and Security Equipment.
Threats, Targets, and Trends
Lowering Risk Exposure
II. HUMAN AND FINANCIAL ISSUES.
5. Policy, Personnel, and Equipment as Security Enablers.
Securing the Organization: Equipment and Access
Managing the Availability and Integrity of Operations
Implementing New Software and Privacy Concerns
Custom and Vendor-Supplied Software
Sending Data: Privacy and Encryption Considerations
Regulating Interactivity Through Information and Equipment Control
Determining Levels of Confidentiality
Inventory Control: Logging and Tagging
Mobilizing the Human Element: Creating a Secure Culture
Management Involvement: Steering Committee
Creating Guidelines Through the Establishment of Procedural Requirements
Determining Rules and Defining Compliance
Securing the Future: Business Continuity Planning
Ensuring a Successful Security Policy Approach
Security Is a Learned Behavior
Inviting the Unknown
Avoiding a Fall into the Safety Trap
Accounting for the Unaccountable
Striving to Make Security Policies More Efficient
Surveying IT Management
The Need for Determining a Consensus on Risk
Infosec Management Survey
Infosec Management Quotient
6. A Matter of Governance: Taking Security to the Board.
Security: A Governance Issue
Directing Security Initiatives
Leading the Way
Establishing a Secure Culture
Securing the Physical Business
Securing Business Relationships
Securing the Homeland
Involving the Board
Examining the Need for Executive Involvement
Elements Requiring Executive Participation
7. Creating Demand for the Security Proposal: IT Management's Role.
Delivering the Security Message to Executive Management
Recognizing the Goals of the Corporation
Knowing How the Organization Can Use ROP
Understanding the Organization's Mandate and Directives
Acknowledging the Organization's Imperatives and Required Deliverables
Establishing an Appropriate Security Posture
Outlining Methods IT Managers Can Use to Engage the Organization
Assessing Senior Business Management Security Requirements
Every Question Counts: Delivering the Survey to Respondents
Infosec Operational Survey
Infosec Operational Quotient
8. Risk Aversion and Security Topologies.
The Notion of Risk Aversion
Determining Risk Tolerance
What Assets to Protect
Short-Term and Long-Term Risks
Calculating the Risk-Aversion Quotient
Risk-Aversion Quotient and Risk Tolerance
Using the Charts
One Size Rarely Fits All
Security Throughout the Network
9. Return on Prevention: Investing in Capital Assets.
Examining Cost of Attacks
Determining a Baseline
Budgeting for Security Equipment
Total Cost of Ownership
Analyzing Returns on Security Capital Investments
Net Present Value
Internal Rate of Return
Return on Investment
The Bottom Line
Acknowledging Nonmathematical Security Fundamentals
III. POLICIES AND FUTURE.
10. Essential Elements of Security Policy Development.
Determining Required Policies
Constructing Reliable and Sound Policies
Using Policy Tools and Policy Implementation Considerations
Useful Policy Tools
Performing Comprehensive Monitoring
Knowing Policy Types
Physical Security Policies
Dialup and Analog Policies
Remote Configuration Policies
VPN and Encryption Policies
Data Sensitivity, Retention, and Ethics Policies
Summary of Policy Types
11. Security Is a Living Process.
Good Netizen Conduct
SWOT: Strengths, Weaknesses, Opportunities, and Threats
Appendix A. References.
Appendix B. OSI Model, Internet Protocol, and Packets.
Appendix C. Quick Guides to Security Technologies.
Appendix D. Return on Prevention Calculations Reference Sheets.