Calculated Risk

09.12.2002
By Scott Berinato
Spending on IT security is rising. Because the ROI of security measures cannot be computed with conventional methods, a different calculation model is needed. An argumentation aid in three steps.

Source: CSO, USA

Jeff Nigriny wants to believe that patch management software is a good investment. But he can't. Until Nigriny, chief of security for aerospace and defense supply chain exchange network Exostar, can prove a positive return on his security investment, or ROSI, he will continue to manually patch systems. He will download the patches, perform regression testing, deploy them in a staging area, determine what machines need patches and then, finally, spit them out onto his network.

"Patch management software seems like the perfect candidate to show an easy return," says Nigriny. "Everyone kind of feels like it's the right thing to do. But I haven't procured a system. And I won't--yet. Why? Because right now the ROSI for it isn't working."

He calls this particular scenario "the most difficult and abstract in terms of risk and return" that he's worked on. It's nothing like 24/7 monitoring, which he said was a cinch to bring to the brass, especially since after he proved an ROSI for monitoring, he also showed that he could cut costs another threefold by outsourcing it.

But with patching, he continues to build and then rebuild his ROSI models, looking for that elusive positive return, all the while fixing his systems the old-fashioned way.
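The ROSI model the article keeps referring to is never written out on the page. As an added illustration, and not Nigriny's or Exostar's model, the Python sketch below applies the standard annualized-loss form of ROSI, ROSI = (ALE x mitigation ratio - annual cost) / annual cost, extended with a labor-saved term (an assumption of this example, since a patching tool replaces manual work as well as avoiding loss), to two constructed scenarios that mirror the article's two cases: patch management software, where the incremental benefit over disciplined manual patching is small and the result comes out negative, and 24/7 monitoring, where a large avoided loss and a threefold cheaper outsourced cost swing the result strongly positive. Every threat name, loss figure, rate and cost is hypothetical, and the functions and constants are this example's own.

```python
"""Added illustration (not the article's or Exostar's model): a minimal
ROSI calculator on the annualized-loss formula

    ROSI = (ALE * mitigation_ratio + labor_saved - annual_cost) / annual_cost

All figures below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One loss scenario in the classic SLE x ARO form."""
    name: str
    sle: float  # single loss expectancy, currency units per incident
    aro: float  # annualized rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy for this threat."""
        return self.sle * self.aro


def rosi(threats, mitigation_ratio, annual_cost, labor_saved=0.0):
    """Return on security investment as a fraction of annual_cost.

    mitigation_ratio is the share of the threats' ALE the control removes
    relative to the *current* practice (here: manual patching), not relative
    to doing nothing.  labor_saved is the yearly cost of manual work the
    control replaces.  A result below 0 means the control costs more than
    the loss and labor it avoids.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    ale_total = sum(t.ale for t in threats)
    benefit = ale_total * mitigation_ratio + labor_saved
    return (benefit - annual_cost) / annual_cost


def break_even_ale(mitigation_ratio, annual_cost, labor_saved=0.0):
    """Total ALE at which the control exactly pays for itself (ROSI == 0)."""
    if mitigation_ratio <= 0:
        raise ValueError("mitigation_ratio must be positive")
    return (annual_cost - labor_saved) / mitigation_ratio


# Constructed scenario 1: patch management software (hypothetical figures).
PATCH_THREATS = [
    Threat("worm exploiting an unpatched internet-facing host", sle=50_000, aro=0.2),
]
PATCH_MITIGATION = 0.3            # incremental over disciplined manual patching
PATCH_TOOL_COST = 25_000          # licence plus maintenance per year
PATCH_LABOR_SAVED = 8 * 12 * 60   # 8 h/month of admin time at 60 per hour

# Constructed scenario 2: 24/7 monitoring, in-house versus outsourced.
MONITORING_THREATS = [
    Threat("undetected intrusion on the exchange", sle=200_000, aro=0.5),
]
MONITORING_MITIGATION = 0.4
MONITORING_INHOUSE_COST = 30_000
MONITORING_OUTSOURCED_COST = 10_000   # threefold cheaper, echoing the anecdote


def patch_management_rosi() -> float:
    return rosi(PATCH_THREATS, PATCH_MITIGATION, PATCH_TOOL_COST, PATCH_LABOR_SAVED)


def patch_management_break_even() -> float:
    return break_even_ale(PATCH_MITIGATION, PATCH_TOOL_COST, PATCH_LABOR_SAVED)


def monitoring_rosi(outsourced: bool) -> float:
    cost = MONITORING_OUTSOURCED_COST if outsourced else MONITORING_INHOUSE_COST
    return rosi(MONITORING_THREATS, MONITORING_MITIGATION, cost)


if __name__ == "__main__":
    print(f"patch management ROSI:        {patch_management_rosi():.1%}")
    print(f"  total ALE needed to break even: {patch_management_break_even():,.0f}")
    print(f"monitoring ROSI, in-house:    {monitoring_rosi(False):.1%}")
    print(f"monitoring ROSI, outsourced:  {monitoring_rosi(True):.1%}")
```

The break-even function is the part worth keeping when rebuilding such a model: it states how much expected annual loss the tool would have to remove, at the assumed mitigation share, before a positive return appears. With the constructed figures the patch tool needs roughly 64,000 of total ALE to pay for itself against a current ALE of 10,000, which is the kind of gap that no amount of re-running the same inputs will close; only a different estimate of loss, mitigation share or cost can.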
