Phil Schacter

March 30, 2010

Expanding Security Coverage in Europe

Blogger: Phil Schacter

With an expanding base of clients in Europe, the team of Burton Group analysts within Gartner is hiring a senior level analyst (see specifics below), with a strong background in security and risk management. Please submit information on your interest and qualifications, as directed, and reach out to any contacts you may have within the Burton team to start this conversation.  

-----

Title: Senior Analyst – Security/Risk Management Strategies

Location: Europe (preferably UK, Netherlands, Scandinavia)

About Us

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day.

In January 2010, Gartner completed the acquisition of Burton Group, a leading research and advisory firm that focuses on providing practical, technically in-depth advice to front-line IT professionals.

 

The Opportunity

 

Together, our complimentary services will focus on the entire spectrum of the Technology market from IT leaders to front-line IT professionals. We are now embarking on a growth period of Burton Group’s service offering in EMEA with the recruitment of a Senior Analyst to join our Security & Risk Management Strategies team as part of global team focusing on this topic.

 

The jobholder of this exciting opportunity will be responsible for creating high quality, in-depth research documents or architecture positions in the fields of Information Security, Application Security, Infrastructure Security and related topics followed by exceptional client engagements/dialogue resulting in actionable advice to Burton Group’s clients.

 

In addition, the Senior Analyst will be responsible for speaking as a subject expert at Burton Group events/conferences, consulting engagements, as well as supporting sales and marketing activities.

 

Your Background, Experience & Skills;

 

The successful candidate will possess the following background and experience;

 

  • At least 10 years of progressively senior experience gained in an end user function, Consulting and/or Research roles as a technical expert in the following topics;
    • Infrastructure security for networks, computing, and storage systems
    • Designing, developing, and validating secure applications
    • Vulnerability and threat management
    • Endpoint and mobile device and OS security mechanisms
    • Securing information and information systems
    • Security management processes and tools
  • Excellent writing and research skills coupled with strong analytical skills
  • Excellent presentation skills, including large audiences (500+ people)
  • Bachelors degree in Computer Science, or related area
  • Ability to take a position, based on facts, and support that position to clients, both external and internal, with clear analysis
  • Broad knowledge of industry trends and emerging technologies
  • Ability to identify how changing technologies will impact technology choices in architectural decisions
  • Ability to travel approximately 20% of their time, mostly within the EU but some international

 

This is an unrivalled opportunity to join the prestigious workforce of Burton Group/Gartner as we begin our unique and exciting collaboration. To apply, please forward your CV and covering letter to peter.fay@gartner.com or visit www.gartner.com for more information.

Posted by at 06:56 PM in Phil Schacter, risk management, security | | Comments (0) | TrackBack (0)

|

March 24, 2010

Exploring the Myths and Challenges of Assessing IT Risk

Blooger: Phil Schacter

Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, what inhouse and industry risk assessment methodologies are being used, and what challenges security and risk professionals are facing. This research started with interviewing 19 IT risk program managers and specialists representing over a dozen client organizations. Next, each analyst focused on a specific methodology to understand its capabilities, strengths, and weaknesses. The first four methodologies we examined were: Carnegie-Mellon University OCTAVE, Information Security Forum IRAM, ISACA’s Risk IT Framework, and NIST SP 800-30. Documents covering each of these methodologies, a comparison of the four, and a summary of the risk assessment practices for the interviewed organizations will publish for Burton subscribers over the next couple of months. This research will also be featured in half day sessions at Catalyst in Prague, April 19-22, and Catalyst in San Diego, July 26-30.

The Catalyst experience is unlike any other technology conference, with full days of exceptional presentations spread over four or five rooms. Each half day or full day topic combines the perspective of analyst expert, customer architect/implementer, and industry solution providers. A conversation develops over the linked sessions in the topic track, to build on what’s been said previously, and drive towards some set of conclusions to close out the topic. These conversations continue into the breaks, as IT professionals from other organizations with similar challenges share their experience.

For this year’s Catalyst topic track on risk management, the program kicks off with an entertaining and informative investigation into the myths and realities of risk management, co-presented by Eric Maiwald and Trent Henry. This session also showcases the highlights from the research conducted over the last several months. The next presentation features another Burton expert, Bob Smock, sharing a specific example of using risk score cards. In Prague, representatives from HSBC and Munich ReInsurance will separately present their perspectives on IT risk assessment. Customer speakers for San Diego are still in the selection process. Finally, the topic wraps up with Burton’s Jack Santos sharing his insights into how to communicate with executives about risk.

There’s still time to signup to attend either of these upcoming Catalyst events and I hope to see you there. For more information see the Burton Catalyst site.

Posted by at 06:19 PM in burtongroupcatalyst10, Phil Schacter, risk, risk management, security | | Comments (0) | TrackBack (0)

|

December 30, 2009

Time to refocus on security context, behavior, and accountability

Blogger: Phil Schacter

For many years I’ve been a strong proponent of investing in identity infrastructure as the basis for enforcing strict access control policies. Many organizations now have mature identity systems that support such preventative identity-based access controls, although other organizations still struggle with provisioning and de-provisioning identity and entitlements. I haven’t changed my mind about the importance of identity and identity-based controls, but now recognize that it’s not enough. There are too many cases where identity cannot be strongly established, due to the nature of the relationship, the potential for credentials to be compromised, and the uncertainty whether the accessing device is in the possession of the authorized user. Equally or perhaps more important than identity is the security context in which the request to access the protected resource or system is made.

Security context is a set of determinable factors concerning the request and the requesting user/device. These factors could include network location, geographic location, device identity and characteristics, chronological time context (i.e. relative to normal business hours), nature of the activity, and any special circumstances or unusual aspects to the request. Similar contextual and behavioral information is already used by financial systems to detect likely instances of credit card fraud. As organizations adapt to externalization, consumerization, and democratization of IT there is less likelihood that the user/device accessing an IT system is an employee using an IT-managed device owned by the organization. Many non-employees will require access to specific business and IT services, hosted in a mix of private and shared data centers, from a variety of devices and locations.

Security systems need to monitor and learn what behaviors and access patterns are normal, and which are more likely to involve compromised devices, co-opted credentials, or fraudulent activity by individuals with a direct or indirect relationship to the organization. The learned patterns of behavior then must be reviewed, internalized, and subsequently applied when making access decisions. Complementing this increased application of security context information are the logging and post-event analysis systems that ensure that criminal activity is identified and sufficient forensics information is available to support prosecution or civil litigation. In other words, establish accountability for actions as a deterrent.

Posted by at 04:47 PM in accountability, Phil Schacter, security, security and consumerization | | Comments (0) | TrackBack (0)

|

April 26, 2009

Musings on the RSA show experience

Blogger: Phil Schacter

Going into this year’s RSA show I had some concerns that the economy and travel budget restrictions would further devolve the show into primarily a vendor networking event. My somewhat lowered expectations were surpassed with a turnout that was only slightly less than last year, and learning experiences that leveraged the time and place of the RSA show as a gathering of the security community. As usual my email InBox was spammed by invitations to vendor-sponsored hospitality events, vendor meetings to discuss show announcements, and information on meetings by various industry groups during RSA show week.

While still dwarfed by Interop, the RSA show is a focused meeting of 10 to 15 thousand security practitioners and is symptomatic of a healthy industry segment, and a community of organizations that recognize the value of keeping current on developments and defenses to protect their information, applications, systems, and network infrastructure. In addition to 30 pre-scheduled meetings with specific vendors there were many other casual conversations and reconnecting with people you haven’t seen since last year’s show, or last year’s Catalyst conference. The overall sense of these conversations is that the market demand for security is strong and growing stronger. Security vendors are growing their revenues during a weak economy. Organizations making purchases of security products and services are negotiating harder and it’s clear that no one is paying full list price anymore.

Nothing revolutionary on the show floor (what I saw of it in between meetings with vendors). Lots of focus on web threat vector, security services in the cloud, hybrid models involving some cloud-delivered pieces, virtualization security, security services that can be hosted in a virtual environment or blade in a multi-function box, and lots of appliances of all manner of description. Many of the established security vendors you’d expect to see, and lots of smaller ones trying to attract attention in the US market – either by finding good channel partners or by attracting a larger vendor interested in acquiring the company and its technology.

I’ve also come to the conclusion that everyone that attends the RSA show has a different experience. Some unique mix of networking, education, and exposure to the commercial aspects of a trade show. The special events that occur during show week include meetings by Concordia Group, Cloud Security Summit, Trusted Computing Group, Mini-Metricon, and others provide an opportunity to learn, interact and get involved. The conference keynotes and educational sessions provide access to knowledgeable experts, but with a heavy dose of vendor messaging. But let’s not forget that this is also a trade show for the IT security industry, and a chance to survey the latest offerings from hundreds of vendors. Finally, and perhaps the best aspect of RSA show week is the networking and cross-pollination of ideas that occurs between security professionals, on both sides of the vendor relationship. It’s an exhausting show with long days, but from my perspective well worth the energy and time investment.

Posted by at 02:56 PM in Phil Schacter, security | | Comments (1) | TrackBack (0)

|

  • Burton Group Free Resources Stay Connected Stay Connected Stay Connected Stay Connected

Categories


Archives

More...

About

Blog powered by TypePad