Which security technologies to focus on over the next five years...and which not to...

London, UK, 20 September 2004 — Presenting Gartner's IT Security Scenario in front of 650 attendees at the Gartner IT Security Summit in London today, Victor Wheatman, managing VP Security, debunked six myths that proliferate in the information security industry. He also advised enterprises on which security technologies they should prioritise and which they could avoid in the years to come.

Myth 1 — 'Spend on more stuff; continue to spend on everything else'

While security remains a crucial issue, spending on security need not be a bottomless pit. Gartner predicts that by 2006, information security spending will drop from an average of six to nine percent of IT budgets to an average of four to five percent as enterprises improve security management and efficiency. It is the improvement in management that holds the key to a more secure enterprise. Wheatman said the most-secure organizations spend less than average and that the lowest-spending 20 percent of organizations are the most efficient. He predicted these will safely reduce the share of security in the IT budget to three to four percent by 2006.

Mr Wheatman stressed that to achieve this, funding must shift over the next five years from traditional solution purchasing to a better-defined risk management process involving investment in three objectives. Gartner identifies these as: 1. keeping the bad guys out; 2. letting the good guys in; and 3. "keeping the wheels on" (that is, maintaining operations).

Myth 2 — 'Security is a journey, not a destination'

This is fundamentally untrue — security has to have a destination if enterprises are to constantly reinvent themselves and implement the latest technologies to their advantage. Enterprises need to measure how successful their information security programmes, processes and procedures are, even if defining proper measurement is challenging. The key question to answer is "Are we more secure now than we were last year?"

Mr Wheatman said that management has shown surprising willingness to accept the risks of 'something happening', since risks may seem remote compared to the costs of implementing a comprehensive security architecture. Gartner believes that boards are going to demand even more justification for security budgets as the pressures build for demonstrating results in line with improving economic conditions. Wheatman therefore advised information security managers to develop realistic company specific cost/risk models and provide a clear roadmap of where their efforts are leading. Warnings without realistic plans will not achieve management buy-in.

Myth 3 — 'Software has to have flaws'

Wheatman said this is true only if enterprises keep buying flawed software. Gartner estimates that even if only 50 percent of software vulnerabilities were removed prior to the software being put into production, enterprise configuration management and incident response costs would each be reduced by 75 percent.

As the US National Institute of Standards and Technology demonstrated in its 2002 study, "The Economic Impacts of Insufficient Infrastructure for Software Testing," removing a software defect after a system is operational can cost two to five times more than fixing the defect during final quality assurance testing. However, Gartner estimates that there are only 500 software engineers worldwide with the skill and knowledge necessary to scan code for security problems efficiently and effectively. Wheatman urged enterprises to demand proof of safer software when procuring software, while companies that develop software internally should review the code with security in mind.

Myth 4 — 'Next Year Is the Year of...'

Every year enterprises are urged to invest in the latest solutions to safeguard their business, and yet, each new wave of technology disrupts existing security measures and introduces new vulnerabilities. Determining when to adopt an emerging technology is critical. In the case of information security, failing to deploy defensive solutions at the right time can leave the organisation vulnerable. Delays in identity, authentication and access control products or services can leave the enterprise in a catch-up mode regarding business opportunity.

However, Wheatman warned that investing in security technology too early can result in a complete waste of enterprise security funds and he advised organizations to focus on their specific business needs and complete a threat assessment to prioritise security requirements.

The Gartner Information Security Hype Cycle can be used to deflate the hype surrounding the latest solutions.

Myth 5 — 'Regulations Matter'

A variety of regulations and new laws, such as the Health Insurance Portability and Accountability Act, European Union Privacy Directive or the Sarbanes-Oxley Act, have an element of information security implied.

Regulations shouldn't really matter. Enterprises need to do good-enough security regardless of the presence, or absence, of laws that suggest doing something more. Enterprises need to protect the personal data of their customers as a key customer relations element: the loss of confidence that follows a violation of customer trust can result in lost revenue, and regulatory violations may result in fines.

While it is important not to rush into acquiring new products and services eagerly promoted by security vendors as 'HIPAA- or SOX-compliant', Mr. Wheatman said that regulations do attract management attention and can consequently make budget processes somewhat easier.

Myth 6 — 'Business units that care about security walk the security walk and talk the security talk'

It is not enough for security managers to understand the technologies, the specific threat metrics or the buzzwords of the solutions available to address risk.

Security managers cannot assume that business units, while caring about security, will put security high on the agenda or proactively alert them to business risks. To be effective, security managers need to place themselves in the role of business managers and be able to translate technically oriented information security for the enterprise into business terms.

The Way Forward

Only by cutting through the hype and looking beyond the myths that abound can security managers take their enterprises forward. Gartner strongly counsels against investing in an over-hyped technology too early. Using its Information Security Hype Cycle, Gartner has identified the security technologies it believes enterprises will need over the next five years, as well as those that enterprises probably don't need before 2009.

Although some enterprises will benefit from technologies in the 'don't need' column, for example, digital signatures, they are exceptions. For the most part, the list of 'don't needs' can be avoided. Enterprises do, however, need to understand the current and emerging technologies on the "do need" list. Many of these represent next-generation approaches to information security. For example, vulnerability management not only implies advancement from passive vulnerability monitoring to near-continuous monitoring, but also integration with workflow and rule engines to effectively correct vulnerable states without creating system conflicts. In the case of gateway spam and virus scanning, we see defenses moving out from the desktop and e-mail servers to the edges of the enterprise boundary, and beyond to the ISPs.

Gartner predicts that with security spending intentions high, and with increasing threats and regulatory requirements, the next 12 to 18 months promise opportunities for security professionals to leverage executive attention and to demonstrate value. However, failure to reduce highly visible threats, such as spam and increasingly creative viruses and worms, or overspending to meet legislative initiatives, could lead to questions about the skills and relevance of in-house security professionals, and more inclination to use external consultants and outsourcing solutions.


About Gartner:
Gartner, Inc. (NYSE: IT and ITB) is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Gartner Intelligence, research and events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has more than 3,500 associates, including approximately 1,000 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.


Contact:
Laurence Goasduff
Gartner
+ 44 1784 267 195

laurence.goasduff@gartner.com
