John, In addition to my reply to Rich I want to address the cost of doing business with regard to security mitigation.
For a moment I would like to jump to another more email-centric example: SPAM. SPAM can be easily mitigated using the latest email server software and performing the best current procedures to minimize the impact of SPAM upon an organization's systems and users. Even after all possible efforts are considered, SPAM can still get through. If SPAM does not get through, it still consumes bandwidth across networking devices and bandwidth on the email server. SPAM mitigation costs CPU cycles on email servers that could be used for other, more productive tasks. Those wasted CPU cycles increase load, which is a management concern for server load balancing and power distribution costs in a server farm. No matter what we do, and even if no SPAM gets through to the end user, the administrator has still spent time, money, and resources to defend their network.

From the perspective of a project manager or a business owner, that is funding that could be invested to grow the business if not wasted on mitigation. That is additional personnel and equipment that could be retasked to perform other operations to make the organization more productive and competitive. At the end of the day, the final business result is additional costs.

Security vulnerabilities, much like SPAM, are a high cost and a drain on any organization. Even if mitigation completely eliminated 100% of the problem 100% of the time, it still comes at a cost, a cost that is unnecessary if those vulnerabilities were eliminated. If I were a key decision maker in the investment of business assets across a large organization, I would want to eliminate costs to the business as much as possible. If there are positive benefits associated with, but not directly related to, those cost savings, that is simply an unintended business benefit, even if the technology benefits are intentional. In summary, after all technology decisions and impacts are considered, at the end of the process will this result in a savings to the business?
I believe it will result in an astounding cost savings if a significant majority of reported vulnerabilities could be either eliminated or substantially reduced. Thank you, Austin
