By Robert Hansen

I’ve talked about this a few times over the years during various
presentations but I wanted to document it here as well. It’s a concept
that I’ve been wrestling with for 7+ years and I don’t think I’ve made
any headway in convincing anyone, beyond a few head nods. Bad security
isn’t just bad because it allows you to be exploited. It’s also a long-term
cost center. But more interestingly, even the most worthless
security tools can be proven to “work” if you look at the numbers.