New to the boards, and fairly new to the field itself. I've been involved in IT for the last 10 years. The first 8 were R & D activities at a Fortune 500 company, and the last two have been at the University where I graduated so very, very, very... long ago.
We're in the process of launching a vulnerability scanning program in our institution but are seeing a lot of resistance from various departments concerned with us taking down systems, or having access to things they're not comfortable with.
Using a commercial scanning product, what are people's opinions about the value of scanning systems, and whether or not it helps harden the defenses of an institution against actual pen testing?
I'm really interested in any studies or statistics that support/despise vulnerability scanning and how it fits in with an overall security strategy.
As for particular groups, has anyone had experience in selling this type of program to people that operate mostly appliance-type systems (switches, hubs, printers, etc.) rather than actual servers and workstations? I think the approach may have to be a little different for those kinds of individuals. It may be that they have a point about the ROI, but I'm not sold on their stance quite yet.
Thanks in advance for any advice you can give.