ANALYSIS
One of the biggest challenges facing IT pros is making nontechnical executives understand the need for increasing security spending and the consequences of reducing spending or dismissing the issue. Member Jim Huggy said that when he had trouble convincing his superiors that spending money on security measures was necessary, he hired hackers to break into the company network and report on the vulnerabilities. Once the company's vulnerability was confirmed by the hackers' success in breaking in, company officials became convinced of the dangers facing their network. "The report was well received by the executives, and the dollars were spent," Huggy said. Member ahedler compared the hiring of hackers to an inspection before buying insurance. "[With] many types of insurance, an inspection is required before a policy can be issued." Ahedler also pointed out that company officials would not consider doing business without physical security measures such as locks and alarm systems, so network security should be given the same level of attention. It takes a thief
Why turn to hackers to uncover vulnerabilities? Sometimes, it takes a thief to catch a thief. As Gary Anderson pointed out, a system designer is perhaps not the best one to test the system that he or she has designed because, "He tests for success, not failure." It's difficult to see how to break into something from the outside when you're looking at things from the inside, and a designer or builder has a perspective of creation, not destruction. It only makes sense that those who spend their time breaking into things are better judges of what good security is all about.
