On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

> According to the paper, roughly 40% is spent on directly securing
> secrets, and another 40% is spent on compliance of some type. They
> further suggest that half of this compliance spending is spent on
> internal compliance, and half on regulatory/external compliance.
> I find the findings completely flawed. Am I missing something?

My reading of it is "we spent 40% actually securing it, and an equal amount on total bullshit paperwork and checkbox-checking to 'prove' we secured it, and the paperwork and checkboxes didn't do anything to directly secure the data".

Consider - if you spend a week talking to the auditors, that's a week's salary spent on talking to auditors that didn't actually do squat for the security.

Similar to if you had to get a yearly safety inspection on your car, and you had to pay $20 to the mechanic to do the inspection (which will hopefully actually verify your car meets the legal standards if your mechanic is honest), but then had to spend another $20 to file the paperwork with the local Dept of Motor Vehicles to make it official.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/