Security for security's sake?
What a novel idea. Like many of you, I read Ron Gula's blog in my feedreader. Over the months Ron has written some great stuff on how to use Nessus and Tenable's other products for vulnerability management, configuration management and auditing. The articles are usually pretty good, but are very much aimed at end users getting more value out of Tenable's products. Today, however, Ron had a good article recounting a recent experience he had with a friend of his.
This friend was an attorney for an application hosting company, and he and Ron scanned (Ron, I did not know Tenable had Nessus scanners set up to scan over the Internet; is there a SaaS Nessus service in the works?) one of the sites his company hosts. The scan turned up some relatively benign stuff. Ron tried to show him some other types of findings a scan could turn up. The guy was interested in just one thing: was the site secure or not?
Ron comments that, can you imagine, topics like CVSS and NSA best practices never came up. I bet neither did PCI, SOX, Sarbanes-Oxley or any of the other compliance buzzwords. Ron says his friend was interested only in risk to the business, and that is a good thing. That is exactly right. I think we too often lose sight of this simple fact: it is about reducing risk and making the customer more secure. Yeah, allowing them to show how they comply with some politician's or someone else's idea of secure is nice. Yes, allowing them to check off the box on the audit and SEC forms is nice. But it is good not to lose sight of the fact that it is about being secure. Like Jim Carville might have said back when Bill Clinton and not Hillary was running for President, it is about being secure, stupid!