Comments on: Unfortunately, The White House Cyberspace Policy Review Recommends Response Over Prevention

By: DHS Takes Steps In The Right Direction

DHS Takes Steps In The Right Direction — Wed, 03 Feb 2010 11:53:48 +0000

[...] cybersecurity plans for Gartner international government clients, as well as blogged some reviews here pundit-style on the various national cybersecurity strategies the US has published. They all tend [...]

By: Cyberspace Policy Review « Aggressive Virus Defense

Cyberspace Policy Review « Aggressive Virus Defense — Fri, 08 Jan 2010 17:16:23 +0000

[...] is criticized as lacking specific and dramatic measures. [Gadi Evron, Andrew Storms] and “Recommends Response Over Prevention” (John Pescatore of Gartner). It is true. The study recommends education, further study, and [...]

By: Skepticism and Disappointment in Many Reactions to Cybersecurity Plan « Jim’s Hardware

Mon, 08 Jun 2009 00:01:30 +0000

[...] Another downbeat perspective comes from Gartner’s John Pescatore: the report is long on collecting statistics about security incidents, short on resources for preventing and dealing with them. It is basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires. Good for the agency that keeps wildfire statistics, good for the people who sell forest fire monitoring technology and services – bad for the forest critters and the people who live in houses near forests. [...]

By: Rob Lewis

Rob Lewis — Fri, 05 Jun 2009 17:19:38 +0000

Every herd needs a Shepard. More of what isn’t working will not solve everything, but will eliminate some low hanging fruit.

It amazes me though, how so many people in the industry equate reacting faster with being proactive, even to the point of using the word react in their definition. Sheesh.

By: John Pescatore

John Pescatore — Tue, 02 Jun 2009 16:12:24 +0000

First off, it depends on the type of training, as to whether it is influential. There has been no end to training about scams that people fall for in the real world, and they still fall for them – and in the cyberworld, they fall for them all over again. There is a lot of fluff proposed all the time about end user training or creating a “security aware culture” that *never* shows ROI. Well, the return is that the security group gets to say “we told them not to do that” – but “that” still happnes.

Now, training of system administrators and software developers – definite value there, once again as vulnerability avoidance. That aspect is totally ignored by this plan.

I really don’t think there has been any major lack of addressing the human side of the end user equation – I think there has been huge over-estimation of how effective that will be, since the threats always have and always will fool the end user. See my blog post about speed cameras vs. public service commercials about driving the speed limit in front of schools and work zones.

By: Carter

Carter — Tue, 02 Jun 2009 15:23:10 +0000

It is interesting to see that “training”, which from a technical & operational perspective is more influential than the newest gadget in the magic quad ( ) is not addressed other than as a referenced material for this document. When we take into consideration the amount of monies spent on IA risks from a technical perspective only, then measure that to the increase/decrease of threats that present true risk, we will see a decreasing ROI.