Comments on: Who Will Educate the Educators? http://avien.net/blog/?p=368 The official blog of the Anti-Virus Information Exchange Network Wed, 14 Jul 2010 23:58:13 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Educating the CIO « The AVIEN Blog http://avien.net/blog/?p=368&cpage=1#comment-392 Educating the CIO « The AVIEN Blog Wed, 27 Jan 2010 13:58:25 +0000 http://avien.net/blog/?p=368#comment-392 [...] Useful and lengthy comment from Rob Rosenberger added to my blog at http://avien.net/blog/?p=368. [...] [...] Useful and lengthy comment from Rob Rosenberger added to my blog at http://avien.net/blog/?p=368. [...]

]]> By: Rob Rosenberger http://avien.net/blog/?p=368&cpage=1#comment-387 Rob Rosenberger Wed, 27 Jan 2010 03:39:14 +0000 http://avien.net/blog/?p=368#comment-387 You deduce correctly, David! I fault Twitter's 140-char limit: it doesn't offer me enough room to pontificate. :-) Now if I may continue where I left off at character 141... Goretsky's "bank guard" comment is perfectly valid. Sadly, though, it fails when you try to use it as an analogy to computer security guards. It fails for a subtle yet profound reason -- namely, bankers set budgets for security personnel & technologies based on some very well-defined risk calculations. Competent experts actually believe they know the "ROI" for their investments in banking security. On the other hand, those three dozen "whacked" firms employ computer security personnel & technologies for reasons not associated with ROI. CIOs end up listening to people like Dan Erwin, who teaches computer security experts to fool their bosses with exaggerated stories and to cite a steady stream of flawed "statistical" reports that Mich Kabay & I & others have railed against for years. Competent experts actually don't believe they know the ROI for their investments in computer security. (I worked on computer security in the brokerage industry in the 1990s, for those of you who question my insights to the financial world.) It takes more than 140 characters to propose we educate CIOs, not their computer security managers. See http://Vmyths.com/column/1/2005/1/3 for my CIO "special ed" program... You deduce correctly, David! I fault Twitter’s 140-char limit: it doesn’t offer me enough room to pontificate. :-) Now if I may continue where I left off at character 141…

Goretsky’s “bank guard” comment is perfectly valid. Sadly, though, it fails when you try to use it as an analogy to computer security guards. It fails for a subtle yet profound reason — namely, bankers set budgets for security personnel & technologies based on some very well-defined risk calculations. Competent experts actually believe they know the “ROI” for their investments in banking security.

On the other hand, those three dozen “whacked” firms employ computer security personnel & technologies for reasons not associated with ROI. CIOs end up listening to people like Dan Erwin, who teaches computer security experts to fool their bosses with exaggerated stories and to cite a steady stream of flawed “statistical” reports that Mich Kabay & I & others have railed against for years. Competent experts actually don’t believe they know the ROI for their investments in computer security.

(I worked on computer security in the brokerage industry in the 1990s, for those of you who question my insights to the financial world.)

It takes more than 140 characters to propose we educate CIOs, not their computer security managers. See http://Vmyths.com/column/1/2005/1/3 for my CIO “special ed” program…

]]>