1

Security professionals have a tendency to implement security for security’s sake. We look at the problem of viruses and we think about antivirus products. We see hackers and we think “defense in depth.” In this book, we continually emphasize the need to think of security in the context of the business. How do security threats and vulnerabilities affect your company? When a hacking attempt is successful, what is the net effect of the business damage? When a self-propagating worm spreads in your

network, what implications does it have for the company’s core production functions? Security incidents appear on the radar screens of your executive management in essentially two forms: loss of information assets and disruption to the company’s ability to do business.