Press Release

Goa, India, October 24, 2013 View All Press Releases

Gartner Says the Nexus of Forces is Transforming Information Security

Analysts to Explore Emerging Business Strategies at Gartner Symposium/ITxpo 2013 October 21-24 in Goa, India

The Nexus of Forces is transforming the approach towards information security as new requirements are brought about by social, mobile, cloud and information, according to Gartner, Inc. Gartner predicts that traditional security models will be strained to the point that, by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10 percent in 2013.

An increasingly mobile workforce is demanding access to systems and information at anytime from anywhere. In this interconnected and virtualized world, security policies tied to physical attributes and devices are becoming redundant and businesses must learn to accommodate new demands being made on IT while also maintaining more traditional security controls.

“We are faced with a ‘perfect storm’ - the convergence of socialization, consumerization, virtualization and cloudification that will force radical changes in information security infrastructure over the next decade,” said Tom Scholtz, vice president and Gartner fellow. “Organizations are changing radically - tearing down and redefining traditional boundaries via collaboration, outsourcing and the adoption of cloud-based services - and information security must change with them.”

Mr. Scholtz said that rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and there are already signs of this transformation. Application, identity and content awareness are all part of the same underlying shift to incorporate more context to enable faster and more-accurate assessments of whether a given action should be allowed or denied.

Bring your own device (BYOD) is one of the most significant IT transformations happening today. It is driven by an intense desire among employees to use personally-owned devices. IT organizations have realized that they can potentially benefit from the model as well. The transition to enable BYOD takes an organization through four phases.

The first phase includes IT's rejection of personally-owned devices. This becomes an untenable solution, leading the organization to move to the second BYOD phase, accommodation. At this second stage, organizations recognize that end users want to use personally-owned devices, and IT must accommodate that demand by implementing compensating controls. Data protection is the organization's primary concern.

The third phase is 'adopt'. In many organizations, mobility represents an opportunity to improve externally-facing customer services, internal business processes, productivity, and employee satisfaction. This means that IT organizations must focus on issues beyond security in support of personally-owned devices. In this phase, the enterprise focus shifts to productivity and employee satisfaction and from a reactive to a proactive approach. The fourth phase is assimilate, which represents the realization of the personal cloud. Integrating the user experience (application and data accessibility) is a key focus at this phase. Here, BYOD is fully adopted, and the focus of the enterprise is to optimize, operate, and evolve the strategy.

Different types of organizations are likely to take advantage of different forms of externally provisioned cloud services. Highly sophisticated organizations, with large amounts of data that would be of interest to either competitors or regulators, are naturally hesitant to hand over control of their data's destiny to external parties. Smaller and less sophisticated organizations not only have fewer concerns about being able to demonstrate their data protection, but they also have less ability to build and maintain their own IT infrastructure.

In practice, small to medium sized business (SMBs) are more likely to entrust large amounts of the organization’s own data, and processing, to cloud-based services. Other than storage (and PC backup is an especially appealing form of service), these types of customers have relatively little ability to create their own applications, or even manage their own servers, so they are most likely to take advantage of software as a service (SaaS) applications.

In contrast, large and sophisticated organizations are looking for inexpensive and convenient environments in which to deploy virtual machines. Having greater needs for data governance and a relatively greater ability to take advantage of it, enterprise customers are most likely to gravitate toward infrastructure as a sevice (IaaS) first. However, the business units within an enterprise may well have the characteristics of SMBs, so most enterprise class organizations do have many pockets of SaaS use.

“The megatrends of consumerization, mobility, social, and cloud computing are radically transforming the relationship between IT, the business, and individual users. Organizations are recognizing and responding to the need to move from control-centric security to people-centric security,” said Mr. Scholtz. “People-centric security focuses primarily on the behavior of internal staff - it does not imply that traditional ‘keep the bad guys out’ controls have become redundant. Indeed, many of these will be essential for the foreseeable future. However, people-centric security does prescribe a major change of emphasis in the design and implementation of controls - always trying to minimize preventative controls in favor of a more human-centric balance of policies, controls, rights and responsibilities. It tries to maximize human potential by increasing trust and independent decision making.”

About Gartner Symposium/ITxpo

Gartner Symposium/ITxpo is the world's most important gathering of CIOs and senior IT executives. This event delivers independent and objective content with the authority and weight of the world's leading IT research and advisory organization, and provides access to the latest solutions from key technology providers. Gartner's annual Symposium/ITxpo events are key components of attendees' annual planning efforts. IT executives rely on Gartner Symposium/ITxpo to gain insight into how their organizations can use IT to address business challenges and improve operational efficiency.

Additional information for Gartner Symposium/ITxpo in India, October 21- 24, is available at .

Members of the media can contact Sony Shetty, Gartner PR on +91 9820900036 or

Additional information from the event will be shared on Twitter at and using #GartnerSym.

Upcoming dates and locations for Gartner Symposium/ITxpo include:

October 28-31, Gold Coast, Australia:

November 4-7, Sao Paulo, Brazil:

November 10-14, Barcelona, Spain:

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.