I rarely make a bet, but if you asked me whether I'd bet my bottom dollar on a firm employing a hacker to assess its security risk, I'd only accept on the basis that it would not. Hiring a hacker to assess the security risk of an organisation is something that fewer than 64 per cent of ISOs are willing to consider. That's hardly surprising when the risks are analysed alongside the statistics: viruses and hackers cost businesses worldwide somewhere in the region of $1.5 trillion. That said, organisations that are unwilling to hire a hacker face one growing problem: hiring a hacker is not always a conscious decision.
I have read so many articles that have tried to advise the industry on ways to analyse an organisation's return on security investment (ROSI), with the majority dwelling on the difficulties associated with it and sadly concluding that, in fact, there is no effective way.