Chapter 15: Setting Perceptions and Justifying the Cost of Security

Overview

As we have seen, hardening your network infrastructure can be a very long and laborious process. After you ve put forth the effort to harden your network, however, the last thing you want is to see all of your effort and work fail, and yet many companies find themselves in this situation. They did everything that they thought they needed to do. They bought the hardware, and they bought the software. They brought out the auditors , they wrote their policies. Yet they still fell short.

The inevitable question is why ? In Part IV we seek answers to that question, and by doing so provide you with tools and information that you need to ensure that you can succeed at hardening your network infrastructure.

In this section we shift our focus from some of the technical aspects of hardening your network and look at some of the soft skills involved. In this chapter we take a look at how to set perceptions and examine methods to get the money required for succeeding at hardening your network infrastructure. In Chapter 16 we look at staffing and training issues and focus on how to address those issues to ensure that you have the appropriate staff as well as the appropriate training and education, not only for your administrators but for your users as well. Chapter 17 wraps up with the aspect of hardening your network infrastructure that no one wants to see but everyone needs to expect and be prepared for ”handling a security incident with effective incident response policies.

Throughout this book, the focus has been primarily on technical solutions for hardening your network infrastructure. In this chapter we shift our focus and look at some of the more esoteric requirements for hardening your network infrastructure. This does not mean that this chapter is any less important than learning how to harden your firewalls or routers and switches. In fact, this chapter can be key to ensuring the success or failure of your infrastructure hardening efforts, because it looks at the two things that are most likely to contribute to the success or failure of efforts: setting the appropriate expectations and getting the money needed to undertake the effort.

Throughout this chapter, it may seem like some of the information is directed more at management personnel. That isn t quite correct. While it is critical that management understands and supports the concepts and recommendations put forth, the technical folks must also understand the impact that they can have with the user community through their words and actions. Even those ideas that are key to management are important for the technical folks to be aware of and understand.