On Mon, 12 Sep 2005 13:39:56 EDT, "Rowe, Brent" said:
> clear that I am not interested in learning the makeup of your IT infrastructure, the IT policies and procedures your organization employs, the number of breaches you have each year, or any other sensitive information related to your organization's IT security. Instead, I am interested in discussing the information you use to decide how much to spend on various IT security-related activities and what information you are collecting (and using) from your IT system operations.
Any attempt at trying to analyze information about budget allocations without at least some understanding of the IT policies is probably doomed to failure. At least in our shop, there are things we track in a very anal-retentive fashion, and information we don't bother collecting, *because* our policies say the first is important and the second one is ignorable. For instance, if I told you how many hundreds of dollars we spent on perimeter firewalls last year, you'd be totally dazed and confused unless you understood our thinking regarding perimeter firewalls. (And yes, "hundreds" is the right units, and yes, we know what we're doing, and no, I don't want to hear how we're nuts. It works *in our environment*, YMMV... :)