On Mon, 25 Mar 2002, Sean Donelan wrote:

:Customers need to let companies know that security and responsiveness
:affects their purchasing decisions. I think some companies are getting
:the message. But in today's market, with tight budgets and layoffs,
:security is often viewed as overhead.

The mantra at the consulting firms I have had conversations with is showing ROI for security services.

I think that much of the value in security services to date has been in the anti-virus field. The reason for this is that one can easily measure and express the costs saved by being immune to a particular virus or worm, which might have cost a day or more of business. Contrasted with the number of new virus reports affecting M$ products on a daily basis, the value is pretty easy to see.

It can be difficult to show the returned value of auditing ACLs, or implementing an IDS infrastructure, despite the profound importance of doing so. Nimda and CodeRed were excellent indicators of how a good security policy can be a competitive edge during (increasingly common) global incidents. Hopefully we will see more security folks pressing this message, and more decision makers hearing it.

:A lot of providers are lucky
:if they have one network engineer who does security stuff in her spare
:time. Full-fledged security departments are rare.

This is where managed security services are gaining popularity. Regardless of the technical merits of assembling some COTS solutions and generating periodic reports, it can be more cost effective than hiring CCSP/GIAC/CISSPs at $60-90k USD a pop, while still operating with some reasonable level of assurance that your infrastructure is being monitored.

--
batz