Comments on: Who defines “good enough” http://mcwresearch.com/archives/228 Things I think I've thought about Thu, 20 Nov 2008 09:14:21 +0000 http://wordpress.org/?v=2.5.1 By: Michael http://mcwresearch.com/archives/228#comment-175 Michael Sat, 15 Jul 2006 00:59:29 +0000 http://mcwresearch.com/archives/228#comment-175 Thanks for the props guys...I'll never fit my head through the door now. Thanks for the props guys…I’ll never fit my head through the door now.

]]> By: Michael R. Farnum http://mcwresearch.com/archives/228#comment-174 Michael R. Farnum Sat, 15 Jul 2006 00:50:47 +0000 http://mcwresearch.com/archives/228#comment-174 Michael, Good catch on the lazy issue. I guess I need to go format the list. Actually, I am moving to my own domain (infosecplace.com/blog), and the list looks good there, so I think I will keep being lazy for now. :) I agree with Alan that your post was excellent. Great points all. Risk is still the key. Acceptance / mitigation / transfer of risk is where you decide to do what you do about that risk. And if funds are low, it makes you make decisions that you don't like to make. I am really enjoying your blog. Keep it up. Michael (also) Michael,

Good catch on the lazy issue. I guess I need to go format the list. Actually, I am moving to my own domain (infosecplace.com/blog), and the list looks good there, so I think I will keep being lazy for now. :)

I agree with Alan that your post was excellent. Great points all. Risk is still the key. Acceptance / mitigation / transfer of risk is where you decide to do what you do about that risk. And if funds are low, it makes you make decisions that you don’t like to make.

I am really enjoying your blog. Keep it up.

Michael (also)

]]> By: Michael http://mcwresearch.com/archives/228#comment-172 Michael Fri, 14 Jul 2006 03:18:46 +0000 http://mcwresearch.com/archives/228#comment-172 Well I hope my situation is the norm but now you have me worried! Well I hope my situation is the norm but now you have me worried!

]]> By: alan shimel http://mcwresearch.com/archives/228#comment-171 alan shimel Thu, 13 Jul 2006 18:14:20 +0000 http://mcwresearch.com/archives/228#comment-171 Excellent post. I agree security is about risk management as well. However, is your situation the norm or the exception? I met with a large supermarket chain a couple of months ago who said, look we really don't care much what your product does or how it works. We just want to know will it get me past my PCI survey. Or another who said, we don't care if our patch management system is really accurate about the current state of our computers. We just need to show a report that we have a patch manager in place. I think the security guys (who are often wearing multiple hats)know what the right thing to do is, they don't do a good job selling it to the financial stakeholders. Your NAC situation is a perfect example. It will only take one visitor or someone coming in and wreaking havoc and all your HIPS isn't going to help (BTW, maybe I can get you some NAC cheap ;-)) Excellent post. I agree security is about risk management as well. However, is your situation the norm or the exception? I met with a large supermarket chain a couple of months ago who said, look we really don’t care much what your product does or how it works. We just want to know will it get me past my PCI survey. Or another who said, we don’t care if our patch management system is really accurate about the current state of our computers. We just need to show a report that we have a patch manager in place. I think the security guys (who are often wearing multiple hats)know what the right thing to do is, they don’t do a good job selling it to the financial stakeholders. Your NAC situation is a perfect example. It will only take one visitor or someone coming in and wreaking havoc and all your HIPS isn’t going to help (BTW, maybe I can get you some NAC cheap ;-))

]]>