Price Tags and Providers
Indeed, an assessment's cost can vary greatly. Pricing starts at about $2,000. It goes up with the number and type of devices and applications to be tested, with those requiring specialized skills costing more. Probing a Web application or a wireless network, for example, "can even require higher-end commercial tools, which can be quite pricey," Beaver says. Another key factor, consultants say, is what you get at the end -- a useful analysis of the tests performed, or just the output from a scan of your systems.
Vendors are plentiful in this space and include everyone from large consulting firms and major technology vendors to local security consultants (see "A Sampling of Security Assessment Services"). On the low end, Hewlett-Packard Co.'s Security Vulnerability Assessment for SMB (Basic), at less than $2,000, includes a review of a customer's security architecture and policy, as well as a penetration test of up to 15 IP addresses in the customer's perimeter. (Testing of up to 50 IP addresses costs $1,000 more.) The findings are presented in a "discovery and recommendations" report that identifies gaps in security, as well as a "best practices sharing session" of up to one hour.
What to Demand in an Assessment Report:
- A detailed list of vulnerabilities and recommendations for fixing them.
- An in-person presentation of the findings with opportunity for Q&A.
- A ranking of vulnerabilities based on importance to the business.
Holbert says he chose Avnet not only for its technical skills, but also because the staff could provide "a good technical analysis and summary of what they found, and a good list of remediation events or tasks." Avnet also tells Holbert how his security practices compare with industry best practices.
Other users recommend insisting on a live presentation of the results, with an opportunity for questions and answers. That helps the internal team understand the findings and win buy-in for security spending from the rest of the organization.
Often, IT or security managers use the results to justify budget requests. Fischer performed his assessment to get a "Good Housekeeping Seal so we could demonstrate to our users that we had good reason" to spend more not only on security, but also the overall IT infrastructure, he says.
Companies use different methods for cost-justifying security assessments, just as they use various methods to cost-justify spending on security itself. North American Scientific funds its security assessments, like all its security spending, based on its estimate of the value of its information assets. Holbert says the company views its security spending almost as a form of insurance against the loss of its valuable information assets. "How do you value the loss of your email system? How do you value the loss of certain electronic assets like price lists or customer lists?" he asks. Compared with traditional insurance, he says, spending on security and security assessment is a bargain.