The Business Case for Network Security: Advocacy, Governance, and ROI
- By Catherine Paquet, Warren Saxe
- Published Dec 13, 2004 by Cisco Press.
Book
- Sorry, this book is no longer in print.
- Copyright 2005
- Edition: 1st
- ISBN-10: 1-58720-121-6
- ISBN-13: 978-1-58720-121-9
- Understand the total cost of ownership and return on investment for network security solutions
- Understand what motivates hackers and how to classify threats
- Learn how to recognize common vulnerabilities and common types of attacks
- Examine modern day security systems, devices, and mitigation techniques
- Integrate policies and personnel with security equipment to effectively lessen security risks
- Analyze the greater implications of security breaches facing corporations and executives today
- Understand the governance aspects of network security to help implement a climate of change throughout your organization
- Learn how to qualify your organization’s aversion to risk
- Quantify the hard costs of attacks versus the cost of security technology investment to determine ROI
- Learn the essential elements of security policy development and how to continually assess security needs and vulnerabilities
The Business Case for Network Security: Advocacy, Governance, and ROI addresses the needs of networking professionals and business executives who seek to assess their organization’s risks and objectively quantify both costs and cost savings related to network security technology investments. This book covers the latest topics in network attacks and security. It includes a detailed security-minded examination of return on investment (ROI) and associated financial methodologies that yield both objective and subjective data. The book also introduces and explores the concept of return on prevention (ROP) and discusses the greater implications currently facing corporations, including governance and the fundamental importance of security, for senior executives and the board.
Making technical issues accessible, this book presents an overview of security technologies that uses a holistic and objective model to quantify issues such as ROI, total cost of ownership (TCO), and risk tolerance. This book explores capital expenditures and fixed and variable costs, such as maintenance and upgrades, to determine a realistic TCO figure, which in turn is used as the foundation in calculating ROI. The importance of security policies addressing such issues as Internet usage, remote-access usage, and incident reporting is also discussed, acknowledging that the most comprehensive security equipment will not protect an organization if it is poorly configured, implemented, or used. Quick reference sheets and worksheets, included in the appendixes, provide technology reviews and allow financial modeling exercises to be performed easily.
An essential IT security-investing tool written from a business management perspective, The Business Case for Network Security: Advocacy, Governance, and ROI helps you determine the effective ROP for your business.
This volume is in the Network Business Series offered by Cisco Press®. Books in this series provide IT executives, decision makers, and networking professionals with pertinent information about today’s most important technologies and business strategies.
Related Articles
Core Elements of the Cisco Self-Defending Network Strategy
Corporate Governance, Business Continuity Planning, and Disaster Recovery
Security Advocacy and Awareness: Creating A Secure Culture
Security Financials: The Core Element of Security Business Proposals
Interview(s)
An interview with author Warren Saxe was published in the March 4, 2005, issue of Investor's Business Daily. Warren spoke about how much firms should spend on computer security, what top executives need to know, and how good security differs from years ago.
Below is an excerpt from the interview, printed with permission of Investor's Business Daily.
IBD: Why write a book on the business case for network security?
Saxe: We started with the information technology managers and asked: How do they effectively sell to the business side that security is needed, and which types?
IT managers live in a subculture that's all about the lack of security. By the time they get to the executive suite and blurt it all out, it can come across as fear-mongering. There's a need to create understanding among nontechnical people: Just what do they need to know and to understand so they can do a better job of oversight?
IBD: What's the right amount to spend on security?
Saxe: It comes down to risk and what risk the company is willing to tolerate. It's hard to say what should be spent. The problem with assigning a metric, such as a percentage of budget, is that it will almost always be too much or too little. It has to come down to money. Which is why we get into return on investment and the business case for security.
At the end of the day, every financial expenditure, regardless of its perceived importance, must make business sense.
Visit www.investors.com.
Online Sample Chapter
Policy, Personnel, and Equipment as Security Enablers
Downloadable Sample Chapter
Download - 2.91 MB -- Chapter 5: Policy, Personnel, and Equipment as Security Enablers
Table of Contents
Introduction.
I. VULNERABILITIES AND TECHNOLOGIES.
1. Hackers and Threats.
Contending with Vulnerability
Realizing Value in Security Audits
Analyzing Hacking
Assessing Vulnerability and Response
Hackers: Motivation and Characteristics
The Enemy Within: Maliciousness and Sloppiness
Threats Classification
The Future of Hacking and Security
Summary
End Notes
2. Crucial Need for Security: Vulnerabilities and Attacks.
Recognizing Vulnerabilities
Design Vulnerability Issues
Human Vulnerability Issues
Implementation Vulnerability Issues
Categories of Attacks
The Human Component in Attacks
Reconnaissance Attacks
Access Attacks
Denial of Service Attacks
Additional Common Attacks
Footprinting
Scanning and System Detailing
Eavesdropping
Password Attacks
Impersonating
Trust Exploitation
Software and Protocol Exploitation
Worms
Viruses
Trojan Horses
Attack Trends
Wireless Intrusions
Wireless Eavesdropping
Man-in-the-Middle Wireless Attacks
Walk-By Hacking
Drive-By Spamming
Wireless Denial of Service
Frequency Jamming
The Hapless Road Warrior
Social Engineering
Examples of Social Engineering Tactics
Summary of Attacks
Cisco SAFE Axioms
Routers Are Targets
Switches Are Targets
Hosts Are Targets
Networks Are Targets
Applications Are Targets
Summary
3. Security Technology and Related Equipment.
Virus Protection
Traffic Filtering
Basic Filtering
Advanced Filtering
Filtering Summary
Encryption
Encrypted VPN
SSL Encryption
File Encryption
Authentication, Authorization, and Accounting: AAA
Authentication
Authorization
Accounting
Public Key Infrastructure
From Detection to Prevention: Intrusion-Detection Systems and Intrusion-Prevention Systems
IDS Overview
Network- and Host-Based IDS
IPS Overview
Target-Based IDS
Content Filtering
URL Filtering
E-Mail Content Filtering
Assessment and Audit
Assessment Tools
Audit Tools
Additional Mitigation Methods
Self-Defending Networks
Stopping a Worm with Network-Based Application Recognition
Automated Patch Management
Notebook Privacy Filter
Summary
End Notes
4. Putting It All Together: Threats and Security Equipment.
Threats, Targets, and Trends
Lowering Risk Exposure
Security Topologies
SAFE Blueprints
SAFE Architecture
Using SAFE
Summary
II. HUMAN AND FINANCIAL ISSUES.
5. Policy, Personnel, and Equipment as Security Enablers.
Securing the Organization: Equipment and Access
Job Categories
Departing Employees
Password Sanctity
Access
Managing the Availability and Integrity of Operations
Implementing New Software and Privacy Concerns
Custom and Vendor-Supplied Software
Sending Data: Privacy and Encryption Considerations
Regulating Interactivity Through Information and Equipment Control
Determining Levels of Confidentiality
Inventory Control: Logging and Tagging
Mobilizing the Human Element: Creating a Secure Culture
Employee Involvement
Management Involvement: Steering Committee
Creating Guidelines Through the Establishment of Procedural Requirements
Policy Fundamentals
Determining Ownership
Determining Rules and Defining Compliance
Corporate Compliance
User Compliance
Securing the Future: Business Continuity Planning
Ensuring a Successful Security Policy Approach
Security Is a Learned Behavior
Inviting the Unknown
Avoiding a Fall into the Safety Trap
Accounting for the Unaccountable
Workflow Considerations
Striving to Make Security Policies More Efficient
Surveying IT Management
The Need for Determining a Consensus on Risk
Infosec Management Survey
Infosec Management Quotient
Summary
6. A Matter of Governance: Taking Security to the Board.
Security-A Governance Issue
Directing Security Initiatives
Steering Committee
Leading the Way
Establishing a Secure Culture
Securing the Physical Business
Securing Business Relationships
Securing the Homeland
Involving the Board
Examining the Need for Executive Involvement
Elements Requiring Executive Participation
Summary
End Notes
7. Creating Demand for the Security Proposal: IT Management's Role.
Delivering the Security Message to Executive Management
Recognizing the Goals of the Corporation
Knowing How the Organization Can Use ROP
Understanding the Organization's Mandate and Directives
Acknowledging the Organization's Imperatives and Required Deliverables
Establishing an Appropriate Security Posture
Outlining Methods IT Managers Can Use to Engage the Organization
Lobbying Support
Assessing Senior Business Management Security Requirements
Every Question Counts: Delivering the Survey to Respondents
Infosec Operational Survey
Infosec Operational Quotient
Summary
8. Risk Aversion and Security Topologies.
Risk Aversion
The Notion of Risk Aversion
Determining Risk Tolerance
What Assets to Protect
Short-Term and Long-Term Risks
Risk-Aversion Quotient
Calculating the Risk-Aversion Quotient
Risk-Aversion Quotient and Risk Tolerance
Using the Charts
Security Modeling
Topology Standards
One Size Rarely Fits All
Security Throughout the Network
Diminishing Returns
Summary
9. Return on Prevention: Investing in Capital Assets.
Examining Cost of Attacks
Determining a Baseline
Providing Alternatives
Budgeting for Security Equipment
Total Cost of Ownership
Present Value
Analyzing Returns on Security Capital Investments
Net Present Value
Internal Rate of Return
Return on Investment
Payback Period
The Bottom Line
Acknowledging Nonmathematical Security Fundamentals
Summary
End Notes
III. POLICIES AND FUTURE.
10. Essential Elements of Security Policy Development.
Determining Required Policies
Constructing Reliable and Sound Policies
Reliability
Access
Constancy
Answerability
Using Policy Tools and Policy Implementation Considerations
Useful Policy Tools
Policy Implementation
Performing Comprehensive Monitoring
Knowing Policy Types
Physical Security Policies
Access-Control Policies
Dialup and Analog Policies
Remote-Access Policies
Remote Configuration Policies
VPN and Encryption Policies
Network Policies
Data Sensitivity, Retention, and Ethics Policies
Software Policies
Summary of Policy Types
Handling Incidents
Summary
11. Security Is a Living Process.
Security Wheel
Secure
Monitor
Test
Improve
Scalability
Jurisprudence
Hacking
Internal Issues
Negligence
Privacy
Integrity
Good Netizen Conduct
SWOT: Strengths, Weaknesses, Opportunities, and Threats
Strengths
Weaknesses
Opportunities
Threats
Summary
End Note
IV. APPENDIXES.
Appendix A. References.
Appendix B. OSI Model, Internet Protocol, and Packets.
Appendix C. Quick Guides to Security Technologies.
Appendix D. Return on Prevention Calculations Reference Sheets.
Glossary.
Index.
Index
Download - 3.19 MB -- Index