Your Symposium/ITxpo Companion

With intelligence from every corner of the industry, Symposium/ITxpo is all about delivering results through information technology. This blog is your link to the Symposium/ITxpo community, delivering the information you’ll need to be productive while at Symposium. So check the blog frequently for an inside look at the latest news and use it to share your ideas, suggestions and insights.
13 October, 2006 04:30 AM
Accountability for Risk Management Gets Serious
Posted By: Paul E. Proctor, Research VP
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY


At Gartner's 2006 Symposium in Orlando, I spoke with two risk managers at global financial services firms. They told me that 2006 is the first year the business-unit owners have operational risk management objectives in their compensation and bonus plans. This is huge! It demonstrates the growing trend for accountability outside IT for doing security and risk effectively.

To be clear, these executives were always tasked with the financial side of risk management, including credit and market risk, but now they have to take proactive steps to ensure their systems are secured appropriately as well. The risk managers I spoke with said this is the first year the executives called them, as opposed to the other way around.

Hang tight, risk professionals. Relief is on the way in the form of a business that cares.

 
11 October, 2006 02:29 PM
The Right Metrics for Security
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY


These days, everybody wants metrics. But metrics for information security can emerge only from security maturity, says Gartner Vice President and Distinguished Analyst Chris Byrnes. Judging how mature your organization's security program is was the topic of Byrnes' Wednesday morning presentation, "The Information Security Maturity Model."

Gartner's information security maturity model consists of four phases: "blissful ignorance," an early awareness phase, a corrective phase, and finally, operational excellence. Byrnes said that when Gartner started tracking the progress of large organizations with this model in 1996, about 80% were still in the blissful ignorance phase, and less than 20% had even reached the awareness phase. No one had reached excellence.

By 2000, things had improved somewhat: blissful ignorance was down to 60%, and 10% had reached the corrective phase. But still a mere 2% had achieved excellence. 2004 showed a great leap of enterprises into the awareness phase, at about 50%, with 5% achieving excellence.

The most recent Gartner survey showed that blissful ignorance was down to 25%, with 35% achieving awareness, 30% in the corrective phase, and 10% achieving excellence. By 2008-2009, Gartner estimates 20% will have achieved excellence and another 40% will be in the corrective phase, Byrnes said.

Since the purpose of metrics is to demonstrate value, security professionals often jump from technology to return on investment without considering other value statements that might be more relevant in making their case about the business value of security, Byrnes said. These include factors such as expected return, risk management, regulatory and stakeholder exposure, and reliability of business operations. Articulating the business value of security in these terms can help defer the need for metrics until your organization has reached a higher level of maturity, he added.
 
10 October, 2006 02:41 PM
Put Process Management and Risk Mitigation Projects Together
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY


Gartner research shows that risk and compliance issues are taking up an increasing chunk of IT spending - up to 15 percent for many organizations today. Organizations can get more benefit for the buck if they include risk management in their process improvement projects, said Research Vice President Chris Adams in her presentation, "The Risk Management Services You Don't Know You're Buying."

"Process improvement outsourcing and the related services most companies buy are the juggernaut that compels sourcing and consulting," Adams said. "These services should be generating a lot of risk management results for you, and they're not."

It's a tricky task, since risk is so siloed in most enterprises. Begin by developing an enterprise-wide view of risk, whether it's regulatory compliance for a bank or preventing food-borne illness for a restaurant chain. Then enterprises need to make a business case for risk management, another tricky task, since, as Adams said, "No one ever got credit for preventing the thing that didn't happen."

Pull it all together by plotting functions according to risk and differentiation, so you can use outsourcing, standards and best practices strategically.
 
10 October, 2006 01:58 PM
Microsoft and Security
Following closely on the heels of Microsoft CEO Steve Ballmer’s Mastermind address this morning, Gartner Vice President and Distinguished Analyst Neil MacDonald will discuss “Microsoft and Security” at 1:45 in Swan 1-4. Microsoft’s IT offerings are so pervasive, MacDonald argues, that its plans to make a large-scale entry into the security market will inevitably impact virtually every enterprise.

Among the key issues in MacDonald’s talk will be how Microsoft’s security strategy will evolve, including its strategies for “keeping the bad guys out” and “letting the good guys in.” Currently, he says, Microsoft’s security is equal to that of open source, and it has the potential to get better. The company’s security impact will be felt first by consumers and SMBs, but its offerings will “grow up” during the next five years to suit larger enterprises. Few enterprises will use a Microsoft-only security infrastructure, but all will use some Microsoft security infrastructure. It won’t be a best-of-breed vendor, but for most, that won't matter. He’ll also talk about the security issues raised by Vista.

 
04 October, 2006 07:59 PM
Why is NAC at the Peak of Inflated Expectations?
Posted By: Lawrence Orans, Research Director
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

Gartner has positioned Network Access Control at the “Peak of Inflated Expectations” in the recently published Information Security Hype Cycle. If you're an information security professional, chances are that you are already being bombarded by NAC messages from the 50+ vendors promoting NAC functionality. On Thursday, October 12, at 3:15 p.m., Mark Nicolett and I will present “Network Access Control – It Won’t Be Easy, But It Will Be Worth It” – session 44H. In this session, we'll tell you what we've learned from the early adopters, and give you some guidelines for navigating through the dizzying array of NAC solutions. In the meantime, post a comment here about what you’d like to hear in a Gartner NAC presentation.
 
29 September, 2006 05:23 PM
Microsoft and Security – We'll All Be Affected
Posted By: Neil MacDonald, VP and Distinguished Analyst
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

All of you will be impacted in some way by Microsoft’s foray into security. There are two dimensions to this: 1) Microsoft’s efforts to produce more secure code across all of its products and 2) Microsoft’s efforts to produce security products that target enterprises and consumers. In my session on Microsoft and Security (23I), on Tuesday, October 10 at 1:45 p.m., I will talk about both.

Microsoft has taken a leadership role in the adoption of security into its software development lifecycle process and its efforts are showing results. For example, Windows Server 2003 had fewer critical vulnerabilities in its first year of release than Windows 2000. We expect the same will be true of Windows Vista as compared to the gold release of Windows XP.

For security products, Microsoft has made it clear it plans to enter the security market on a broad basis across enterprise and consumer offerings. Over the next several years, Microsoft will have a broad portfolio of security offerings around network security, network access control and identity and access management built on its core server and desktop OS platforms. Microsoft recently announced Release Candidate 1 (RC1) for Windows Vista. There’s not one single feature that stands out in my mind as being a “must have” for Windows Vista, but collectively the improvements in security functionality are at the top of the list of why you should care about Windows Vista. We’ll look at the pros and cons of the security functionality in Windows Vista during the session as well.

So, these are the types of questions we will tackle in the session: How will these offerings impact you? What should you be planning for? In what timeframe? Are Microsoft’s security offerings ready for prime time?

All of you will be affected in some way by Microsoft’s security offerings – even if it's just in getting better pricing and functionality out of your incumbent security vendors!
 
27 September, 2006 02:32 PM
Keeping Regulators and Customers Happy with Data Security
Posted By: Rich Mogull, Research Director
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

I first started covering data security here at Gartner about four or so years ago. Back then one of my biggest dilemmas was what the heck to call this - "data security" or "content security" or if this was even a separate research area at all. A few people read the research, and even fewer would show up for a conference presentation.

Things sure have changed in the past few years. Today protecting enterprise data is one of the top security issues. From encrypting data to preventing information leaks, enterprises of all sizes are looking for new approaches to mitigate these risks.

One of the first problems in researching data security was a lack of any frameworks or models to approach the problem. Sure, there were all sorts of encryption and other point products, but no way to really pull these together, prioritize investments, and layer tools and process intelligently. To that end we developed something we call the Data Security Hierarchy as a high-level framework to give you a place to start, and it forms the cornerstone of my session, "Keep Customers and Regulators Happy with Data Security" (Wednesday, October 11 at 3:15 p.m., Session 34I).

We'll cover the hierarchy and then dig into the different layers of technology to take a comprehensive view on data security. While some of this is high level, you will leave the session with the Top 5 steps you’ll need to take to protect your data and reduce information leaks.

Should be fun. Well, I obviously have a strange definition of fun.

 
25 September, 2006 08:52 PM
Building Secure Application Solutions
Posted By: Neil MacDonald, VP and Distinguished Analyst
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

As OS vendors get better at producing secure code and organizations get better at patching, application-level attacks are the next frontier for hackers. It sounds simple: to make applications more secure, we need to build more secure applications. You hear again and again that security needs to be pushed further back into the application development lifecycle, yet our surveys show most organizations still aren’t doing this. So we decided to focus an entire presentation for Fall Symposium on “Building Secure Application Solutions.”

In the session we’ll discuss some of the political and technical obstacles that organizations face as they look at incorporating security into their development processes, as well as specific advice on how and where to get started and how to be successful. But building secure applications means more than just avoiding unchecked buffers. It also means using the organization's security services correctly (for example, Identity and Access Management and encryption). So we’ve also included several slides to talk about emerging technologies like model-driven security, which will help to automate the inclusion of security functionality (authentication, authorization and encryption, for instance) into applications from their inception. Combined, we expect you to come out of the session armed and ready to make some changes within your own organization. So join me and Joseph Feiman for our session on Building Secure Application Solutions, at 8 a.m. Friday, October 13. At least that’s one thing you don’t need to be superstitious about.
 
21 September, 2006 10:34 AM
Content Monitoring and Filtering: Vendor Choices, User Issues
Posted By: Rich Mogull, Research Director
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

How would you like a tool that monitored all your communications traffic, from email, to IM, to FTP, to HTTP, and could generate immediate alerts, or sometimes block, when sensitive information was leaving your organization? And what if this tool could find sensitive subsections of documents pasted into a webmail session, or only alert on credit card numbers stored in your own databases? Even better, what if the tool could actually FIND the documents where this information is stored by watching your servers? Or, dare we say it, perhaps even ENCRYPT emails with sensitive information automatically, without the user having to remember to press any buttons?

That's the promise of Content Monitoring and Filtering (CMF) -- a fairly new class of products that, despite a small market today, is getting a lot of attention. But as with any new market, products don't always deliver on the full promise; and organizations may struggle to integrate a new technology into their business processes and organization structures.

In our session on Content Monitoring and Filtering (Wednesday, October 11 at 9:30 a.m.), Paul Proctor and I will describe this new technology and give concrete suggestions on how to integrate it into your organization. We'll cover the various vendors and give specific advice on selecting and deploying a product. We'll tell you what they're good for, what they're not good for, where vendor promises are vapor, and where these promises are a functional reality.

CMF is a promising technology, but one that's often misunderstood. By the end of this session you'll know what it delivers today and what to expect in the future.
 
19 September, 2006 02:36 PM
Moving to Security 3.0
Posted By: John Pescatore, VP and Distinguished Analyst
Of Special Interest To: SECURITY & RISK MANAGEMENT COMMUNITY

Security 1.0 was back in the mainframe days, when security was easy: the user could only do what we allowed them to do. First the PC, then the local area network and then the Internet left Security 1.0 behind. Security was cheap (on the order of 2 percent of the IT budget) and easy.

Security 2.0 is where we are today – security groups are constantly trying to catch up to new technologies (like wireless and smart phones and telework) that bring new vulnerabilities. Security is expensive (5-8 percent of the IT budget) and hard, but businesses are much more productive and creative being able to use IT for business advantage as compared to the restrictive mainframe days.

Security 3.0 is where we need to be – security that moves forward at the same pace as the business units while reducing the amount of the IT budget that is consumed for security.

Last week, I spent a day meeting with Gartner enterprise customers in the southwest, and it was interesting to see how our clients are approaching moving forward in security. Some are trying to head back to Security 1.0 – get to a locked-down environment to reduce security vulnerabilities and cost. This may work for some enterprises but the drop in security costs will likely come with a bigger drop in business competitiveness. Others are so immersed in the day-to-day struggle of Security 2.0 that they are mostly looking to outsource the whole mess. The types of enterprises Gartner calls Type A (technologically aggressive) are actually focusing on the principles of Security 3.0: critical security processes, security engines vs. point products, and pushing quality requirements onto software vendors and business partners. Those enterprises will have the best business results over the short and long term.

Come to my Information Security Scenario presentation, “Moving to Security 3.0” Monday October 9 at 2 p.m. to hear more about Security 3.0.
 
12 September, 2006 05:15 PM
The Information Security Program Maturity Model
Posted By: Christian Byrnes, VP Distinguished Analyst


“If you do not know where you are and you do not know where you are going, then any road can take you there,” said a famous cat in American literature. Our Activity Cycle can give you a destination, but knowing where you are is also necessary. Assessing your current maturity level gives you that piece of the puzzle. When I talk with clients about security program maturity they want to know how to judge their own position. We have done assessments, so it seemed logical that I should be able to tell people how to do it. I’ll be presenting a session on the Information Security Maturity Model that gives us a pretty good start on that bright and early Wednesday, October 11 at 8 a.m. in Session 31I. See you there!

And for the first person to submit a comment that identifies the feline source of the above mentioned quote, I’ll have a Gartner polo shirt ready to give you at the beginning of the session.
 
06 September, 2006 10:46 PM
What Do Security Officers Do?
Posted By: Christian Byrnes, VP Distinguished Analyst


Over the course of tens of thousands of interactions with thousands of clients, our security team accumulated a pretty good picture of how security programs operate. We drew that picture, calling it the Activity Cycle for Security Officers, and we ran it past a few hundred security officers. They gave us a high level of validation. In one hour we can show you the result and give you enough information to start making use of it. If you're in the process of structuring a security program, or thinking about it, or if you're trying to mature and “perfect” an existing program, we believe we can help – a lot. Come hear me speak Monday, October 9 at 11:15 a.m. in Session 12I to find out more.
 
29 August, 2006 05:29 PM
Oracle, SAP and Beyond
Posted By: Rich Mogull, Research Vice President


I attended the Black Hat (for corporate types) and Defcon (for hard core geeks of all types) security conferences last month. One of the biggest trends I noticed at the conferences this year is the increasing focus on enterprise applications as a point of attack.

Our major enterprise applications are incredibly complex and manage the most sensitive information we have. Big apps like SAP can take years to install and configure and involve more layers than a wedding cake. We also layer these applications on decades-old legacy systems never designed for the world of the Internet. Attackers now have automated tools to find logic flaws, SQL Injection opportunities, or exploit poor multi-level authentication.

In my session on Major Application Security we'll frame this problem and the security defenses you can use to stop these attacks. It's a tough problem, and some of the suggested solutions might require application changes that take time to implement. My goal is to get you ahead of the problem and give you the background you need to keep these apps secure as you move forward with new connections, new interfaces, and new technologies layered with our legacy tools.

We have a great opportunity to get ahead of a major security issue before the bad guys focus on it. Join me for Oracle, SAP and Beyond – Securing Major Enterprise Applications Tuesday, October 10 bright and early at 8 a.m. in session 21I.