At 04:11 PM 11/16/2002 -0600, [EMAIL PROTECTED] wrote:
The security professional that lacks the capability to do hands-on security work with a tool like Nessus is basically in a classical risk management position. Nothing new and bold or "changed" about that--they've existed in the military, banking, etc. for years. The real change is the security engineer with BOTH technical knowledge to run a tool like Nessus and the skills/authority to make the organization respond quickly to the results.

The demands being placed on security groups today to protect the availability, accountability, and integrity of systems are growing on many fronts. As organizations mature their security management program, challenges in risk management relating to organizational, cultural, ethical, and technical issues are requiring many new skills in the areas of strategic planning, risk mitigation, incident management, and security investigations that have nothing to do with being able to install and run something like Nessus. Nessus is a great tool, but as such is just a means and not an end to security.

The "job" is changing.
Most of the world is waking up to the fact that classical risk analysis is far too abstracted from ground zero to accurately measure residual risk, much less reduce risk levels in a timely manner. The rest of the world is serving up warez and divx movies to budding young security engineers.
-Mike
CISSP, CCNA, yada yada
