Superficially, one difference between government and business security programs is that government has intelligence agencies that they can draw upon for threat assessment. It is a separate question if intelligence agencies accurately determine certain threats, or if politicians pay attention to accurate assessments if the assessment conflicts with ideology or generic preconceptions. Seriously, one of the major problems in convincing businesses about a need for security is that many managers, sensitive to cost, do not see a real threat. If one broadens that to continuity of operations in general, those managers whose firms have survived major disasters tend to be far more in favor of disaster recovery planning. Unfortuately, many security technologists are in the unfortunate position of the parent trying to convince a child not to touch a hot stove, when they have never been burned. In my case, that is convincing a dearly beloved cat that the stovetop is not on the feasible route from point A to point B. While some use the analogy of herding cats, that is more appropriate with technical people than top managers. In the case of the latter, the analogy may be more akin to the lion, who woke one day, and strode through his domain. Encountering an antelope, he roared, "WHO IS KING OF THE JUNGLE?" The antelope quivered and said "you, mighty lion." He next encountered a gnu (no, it's not Gnu). Again, even the tougher beast said "You are the great one." The lion walked further, and met an elephant. As he started to say "WHO IS...", the elephant wrapped his trunk around him, whopped him into several trees, juggled him on his tusks, and then threw him into a mud wallow. Scrambling to avoid an indignant hippopotamus, the lion looked at the elephant and said "Gee, your Majesty, could you chill out a little?" -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, October 07, 2008 1:40 PM To: J. Oquendo Cc: nanog@nanog.org Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber counterattacksystem(Einstein 3.0) On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change.
It's like any other field - the customer wants more than the minimum, they'll have to pay more. Almost all contractors will at least act like they're trying to meet the local building codes, because that's a minimum requirement. It's the rare contractor indeed who will throw in the upgraded appliance package and real marble flooring for free... (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)