security

March 30, 2010

Expanding Security Coverage in Europe

Blogger: Phil Schacter

With an expanding base of clients in Europe, the team of Burton Group analysts within Gartner is hiring a senior level analyst (see specifics below), with a strong background in security and risk management. Please submit information on your interest and qualifications, as directed, and reach out to any contacts you may have within the Burton team to start this conversation.  

-----

Title: Senior Analyst – Security/Risk Management Strategies

Location: Europe (preferably UK, Netherlands, Scandinavia)

About Us

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day.

In January 2010, Gartner completed the acquisition of Burton Group, a leading research and advisory firm that focuses on providing practical, technically in-depth advice to front-line IT professionals.

 

The Opportunity

 

Together, our complimentary services will focus on the entire spectrum of the Technology market from IT leaders to front-line IT professionals. We are now embarking on a growth period of Burton Group’s service offering in EMEA with the recruitment of a Senior Analyst to join our Security & Risk Management Strategies team as part of global team focusing on this topic.

 

The jobholder of this exciting opportunity will be responsible for creating high quality, in-depth research documents or architecture positions in the fields of Information Security, Application Security, Infrastructure Security and related topics followed by exceptional client engagements/dialogue resulting in actionable advice to Burton Group’s clients.

 

In addition, the Senior Analyst will be responsible for speaking as a subject expert at Burton Group events/conferences, consulting engagements, as well as supporting sales and marketing activities.

 

Your Background, Experience & Skills;

 

The successful candidate will possess the following background and experience;

 

  • At least 10 years of progressively senior experience gained in an end user function, Consulting and/or Research roles as a technical expert in the following topics;
    • Infrastructure security for networks, computing, and storage systems
    • Designing, developing, and validating secure applications
    • Vulnerability and threat management
    • Endpoint and mobile device and OS security mechanisms
    • Securing information and information systems
    • Security management processes and tools
  • Excellent writing and research skills coupled with strong analytical skills
  • Excellent presentation skills, including large audiences (500+ people)
  • Bachelors degree in Computer Science, or related area
  • Ability to take a position, based on facts, and support that position to clients, both external and internal, with clear analysis
  • Broad knowledge of industry trends and emerging technologies
  • Ability to identify how changing technologies will impact technology choices in architectural decisions
  • Ability to travel approximately 20% of their time, mostly within the EU but some international

 

This is an unrivalled opportunity to join the prestigious workforce of Burton Group/Gartner as we begin our unique and exciting collaboration. To apply, please forward your CV and covering letter to peter.fay@gartner.com or visit www.gartner.com for more information.

Posted by at 06:56 PM in Phil Schacter, risk management, security | | Comments (0) | TrackBack (0)

|

March 24, 2010

Exploring the Myths and Challenges of Assessing IT Risk

Blooger: Phil Schacter

Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, what inhouse and industry risk assessment methodologies are being used, and what challenges security and risk professionals are facing. This research started with interviewing 19 IT risk program managers and specialists representing over a dozen client organizations. Next, each analyst focused on a specific methodology to understand its capabilities, strengths, and weaknesses. The first four methodologies we examined were: Carnegie-Mellon University OCTAVE, Information Security Forum IRAM, ISACA’s Risk IT Framework, and NIST SP 800-30. Documents covering each of these methodologies, a comparison of the four, and a summary of the risk assessment practices for the interviewed organizations will publish for Burton subscribers over the next couple of months. This research will also be featured in half day sessions at Catalyst in Prague, April 19-22, and Catalyst in San Diego, July 26-30.

The Catalyst experience is unlike any other technology conference, with full days of exceptional presentations spread over four or five rooms. Each half day or full day topic combines the perspective of analyst expert, customer architect/implementer, and industry solution providers. A conversation develops over the linked sessions in the topic track, to build on what’s been said previously, and drive towards some set of conclusions to close out the topic. These conversations continue into the breaks, as IT professionals from other organizations with similar challenges share their experience.

For this year’s Catalyst topic track on risk management, the program kicks off with an entertaining and informative investigation into the myths and realities of risk management, co-presented by Eric Maiwald and Trent Henry. This session also showcases the highlights from the research conducted over the last several months. The next presentation features another Burton expert, Bob Smock, sharing a specific example of using risk score cards. In Prague, representatives from HSBC and Munich ReInsurance will separately present their perspectives on IT risk assessment. Customer speakers for San Diego are still in the selection process. Finally, the topic wraps up with Burton’s Jack Santos sharing his insights into how to communicate with executives about risk.

There’s still time to signup to attend either of these upcoming Catalyst events and I hope to see you there. For more information see the Burton Catalyst site.

Posted by at 06:19 PM in burtongroupcatalyst10, Phil Schacter, risk, risk management, security | | Comments (0) | TrackBack (0)

|

January 28, 2010

Operation Aurora Points Out the Need for Better Threat Assessment Process

Blogger: Dan Blum

 

The debate is ongoing about whether the Chinese government is behind the Operation Aurora cyberattacks. Certainly Google believes China launched the Hydraq trojan used to breached its defenses and compromise intellectual property. And it was that determination, plus an apparently principled decision to resist Internet censorship, that motivated Google’s strong response, in which the company publicly threatened to quit China.

 

One can agree or disagree with this response. But let’s suppose the allegations are probably correct. If so, an attack by a nation state requires a different response than one by an external hacker, an insider, or other parties. And organizations with valuable intellectual property for the taking need to think about how they might deter, prevent, or respond to such attacks.

 

In my research on the threat landscape and threat assessment, I’ve found that security vendors and IT security staff spend too little time focusing on the “people” or “political” aspects of the threat. Threat reports from the vendors cover malware and vulnerabilities, but they don’t always discuss the threat’s capabilities and intents, nor why one type of organization is targeted and another goes free. Ignoring these factors may create a significant blind spot.

 

On February 17 at 2:00 ET and again on February 18 at 9:00 AM my “Threat Assessment in Dangerous Times” telebriefing will discuss my findings that organizations need to do a better job of assessing threats and developing defensive strategies. I’ll provide guidance on developing a threat assessment strategy and factoring threat intelligence into protection programs to avoid common mistakes and gain ground against adversaries.

 

I’ll also convene a small panel of experts to discuss threat assessment and the recent "Operation Aurora" attacks.

Posted by at 04:14 PM in cyber security, Dan Blum, security, Threat analysis | | Comments (0) | TrackBack (0)

|

December 30, 2009

Time to refocus on security context, behavior, and accountability

Blogger: Phil Schacter

For many years I’ve been a strong proponent of investing in identity infrastructure as the basis for enforcing strict access control policies. Many organizations now have mature identity systems that support such preventative identity-based access controls, although other organizations still struggle with provisioning and de-provisioning identity and entitlements. I haven’t changed my mind about the importance of identity and identity-based controls, but now recognize that it’s not enough. There are too many cases where identity cannot be strongly established, due to the nature of the relationship, the potential for credentials to be compromised, and the uncertainty whether the accessing device is in the possession of the authorized user. Equally or perhaps more important than identity is the security context in which the request to access the protected resource or system is made.

Security context is a set of determinable factors concerning the request and the requesting user/device. These factors could include network location, geographic location, device identity and characteristics, chronological time context (i.e. relative to normal business hours), nature of the activity, and any special circumstances or unusual aspects to the request. Similar contextual and behavioral information is already used by financial systems to detect likely instances of credit card fraud. As organizations adapt to externalization, consumerization, and democratization of IT there is less likelihood that the user/device accessing an IT system is an employee using an IT-managed device owned by the organization. Many non-employees will require access to specific business and IT services, hosted in a mix of private and shared data centers, from a variety of devices and locations.

Security systems need to monitor and learn what behaviors and access patterns are normal, and which are more likely to involve compromised devices, co-opted credentials, or fraudulent activity by individuals with a direct or indirect relationship to the organization. The learned patterns of behavior then must be reviewed, internalized, and subsequently applied when making access decisions. Complementing this increased application of security context information are the logging and post-event analysis systems that ensure that criminal activity is identified and sufficient forensics information is available to support prosecution or civil litigation. In other words, establish accountability for actions as a deterrent.

Posted by at 04:47 PM in accountability, Phil Schacter, security, security and consumerization | | Comments (0) | TrackBack (0)

|

July 20, 2009

Wicked Problems

Blogger: Eric Maiwald

I was catching up on my reading when I came across a short piece in the IEEE Spectrum magazine by Robert Lucky. In the article, Mr. Lucky describes problems that are so complex that they cannot be fully solved – he calls these problems “wicked problems.” While reading the article I kept coming back to the old joke about security engineering – cheaper, faster, or secure…choose any two.

In this article, Mr. Lucky talks about really hard problems that often have no elegant solution only different sub-optimal options. “Entanglement” is a word he uses to describe how these problems (and their solutions) influence other things outside of our normal boundaries. He notes that to approach such a problem, we often draw boxes around the parts of the problem we control. That sounds a lot like how some organizations approach IT problems – this is a security problem or a network problem or a development problem.

But the problems we deal with are not really that cut and dry. Should I use virtualization in my data center? If you only look at power and space consumption in the data center, the answer is an obvious yes. But what about other concerns like security? Did the virtual environments just circumvent all of the network security controls? What about service oriented architectures? Good idea? Sure but what does the use of services mean for the development process and for the implementation of controls? What about WAN optimization? Should I use it? Perhaps but there are tradeoffs in its use (for example, don’t try to optimize an encrypted stream of data because it won’t compress!). I could go on but I think you get the idea and where I’m headed with this.

I’m sure you heard the joke in security – cheaper, faster, or secure…choose any two. While we laugh at this (and mostly at the security guy who dares to intrude into the faster getting cheaper), the joke illustrates the tradeoffs involved in all large system engineering or architecture projects. Unfortunately, unlike mathematics where we can easily find the local maximum and therefore the optimal solution to a problem, engineering is a messy process that requires less than optimal solutions to these very hard problems.

So where am I going with this? In order to deal with these hard problems, security needs to work with other IT disciplines. We need to identify the tradeoffs to be made and then choose the most appropriate solution based on the requirements from the business. In the end, many of the tradeoffs cannot be solved by IT alone so the business will have to be involved and will need to understand the impact of the decisions.

Posted by at 02:07 PM in Eric Maiwald, security | | Comments (1) | TrackBack (0)

|

June 05, 2009

A View from the Other Side

Blogger: Eric Maiwald

In security, we must understand how we are perceived by the business. What we think is critical may not matter at all to the business overall. We will not learn what matters to the business if we only focus on security vulnerabilities and the latest technology. We need to get out and learn how the business functions and how security impacts it. A recent experience brought this home to me.

I was in the Midwest visiting friends and I had the pleasure of being introduced to a man named Neil. Neil works in the maintenance division of a large agricultural services company. When he found out that I worked in IT security, he launched into a story about two IT people he knew. The first IT guy he really liked. This guy came into the division where Neil worked and helped them get their computers up and running. Neil explained how the computers helped him do his job and how this IT guy really paid attention to how the shop was run. Neil lamented the fact that this “good” IT guy took a job with another company and left.

Neil then launched into a story (you could almost call it a tirade except that Neil didn’t raise his voice) about the second IT guy (let’s call this the “bad” IT guy). The bad IT guy showed up and started changing things. He introduced a new system to track parts in inventory and then found ways to cut costs by reducing the inventory. Neil went into a long discussion about the parts inventory. It seems that his shop has to maintain a lot of equipment – much of it quite old – and they kept a lot of older parts on hand for the simple reason that some of the parts were hard to find. In addition, the mechanics would often only use components of a part if that was all that was really needed and they would keep the remaining components for use at some later time. Neil freely admitted that they were pack rats to some extent but he explained that they hoarded some of the parts because it allowed them to fix equipment quickly and get it back into operation without waiting for a part to arrive.

It is still unclear to me what position the bad IT guy held within Neil’s company (and it really doesn’t matter for this story – Neil perceived him as an IT guy) but he was able to change the parts inventory practice and get rid of a lot of the older parts. This was touted as a cost saving measure and was done without consulting with the people who did the work. Without the parts readily available, the time to repair older equipment increased. Equipment waited for parts to arrive (or in some cases to even be found!) and the overall availability of the equipment suffered.

So why am I relating this story? Neil’s perception of IT is formed by the IT people he interacts with. On the one hand, the good IT guy paid attention to Neil and his coworkers. He provided support for their work and helped them improve the shop practices. The bad IT guy didn’t learn how and why certain business practices existed in the shop. He only saw the potential cost savings without understanding how changing the practices might increase other costs and reduce the availability of equipment.

Who do you want to be? Who do you think your business perceives you to be? We need to be more like the good IT guy in the story. We need to learn how the business functions, what is important to the business, and how security impacts the business.

Posted by at 11:29 AM in Eric Maiwald, security | | Comments (0) | TrackBack (0)

|

April 26, 2009

Musings on the RSA show experience

Blogger: Phil Schacter

Going into this year’s RSA show I had some concerns that the economy and travel budget restrictions would further devolve the show into primarily a vendor networking event. My somewhat lowered expectations were surpassed with a turnout that was only slightly less than last year, and learning experiences that leveraged the time and place of the RSA show as a gathering of the security community. As usual my email InBox was spammed by invitations to vendor-sponsored hospitality events, vendor meetings to discuss show announcements, and information on meetings by various industry groups during RSA show week.

While still dwarfed by Interop, the RSA show is a focused meeting of 10 to 15 thousand security practitioners and is symptomatic of a healthy industry segment, and a community of organizations that recognize the value of keeping current on developments and defenses to protect their information, applications, systems, and network infrastructure. In addition to 30 pre-scheduled meetings with specific vendors there were many other casual conversations and reconnecting with people you haven’t seen since last year’s show, or last year’s Catalyst conference. The overall sense of these conversations is that the market demand for security is strong and growing stronger. Security vendors are growing their revenues during a weak economy. Organizations making purchases of security products and services are negotiating harder and it’s clear that no one is paying full list price anymore.

Nothing revolutionary on the show floor (what I saw of it in between meetings with vendors). Lots of focus on web threat vector, security services in the cloud, hybrid models involving some cloud-delivered pieces, virtualization security, security services that can be hosted in a virtual environment or blade in a multi-function box, and lots of appliances of all manner of description. Many of the established security vendors you’d expect to see, and lots of smaller ones trying to attract attention in the US market – either by finding good channel partners or by attracting a larger vendor interested in acquiring the company and its technology.

I’ve also come to the conclusion that everyone that attends the RSA show has a different experience. Some unique mix of networking, education, and exposure to the commercial aspects of a trade show. The special events that occur during show week include meetings by Concordia Group, Cloud Security Summit, Trusted Computing Group, Mini-Metricon, and others provide an opportunity to learn, interact and get involved. The conference keynotes and educational sessions provide access to knowledgeable experts, but with a heavy dose of vendor messaging. But let’s not forget that this is also a trade show for the IT security industry, and a chance to survey the latest offerings from hundreds of vendors. Finally, and perhaps the best aspect of RSA show week is the networking and cross-pollination of ideas that occurs between security professionals, on both sides of the vendor relationship. It’s an exhausting show with long days, but from my perspective well worth the energy and time investment.

Posted by at 02:56 PM in Phil Schacter, security | | Comments (1) | TrackBack (0)

|

April 13, 2009

Excuse me, can I see your information security practice license?

Blogger: Ramon Krikken

This blog post is based on a draft of the U.S. Senate Bill “The Cybersecurity Act of 2009” and the provided by the Senate Committee on Commerce, Science, and Transportation. There are many potential aspects of this to be discussed, but this post focuses on the requirement to “Provide for licensing and certification of cybersecurity professionals.”

If you read the introduction of the bill, it becomes pretty clear why the government is taking this interest. Statements such “[The U.S. is] unprepared to respond to a ‘cyber-Katrina’” and “if the 9/11 attackers had chosen computers instead of air planes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those cased by the physical attack on the World Trade Center,” are clearly meant to illustrate the clear and present danger that our “cyber-weaknesses” present.

Whether you consider this FUD or fact is a different question, but it certainly is true that part of our economic wellness (and our collective or individual safety, when we look at defense, utilities, energy, and aerospace for example) depends heavily on information technology and the information it stores, processes, and transmits. If the consequences are considered that grave, and the probabilities more than unlikely, it could certainly make sense to require real professionals on the job. Certification and licensing seems like a good mechanism to control this, I’m just afraid the government might get it wrong – good intentions go bad, sacred cows are not easily slaughtered … just like lobbyists.

“The” information security professional does not exist. Just as it takes many different engineers to build something, it takes many different security specialties to get things secure enough. To pretend that the average security professional harnesses all required knowledge is silly – in fact, I object to the notion that security (or at least large parts of it) could be executed well enough without intimate knowledge of that which is being secured. So what certification(s) would be used?

Aside from the specialization, there should also be a consideration of skill. If the consequences are indeed as grave as outlined in the bill, I’ll take the cyber-equivalents of the military and special forces, not the shopping mall guard and airport security, please. So a good percentage of CISSPs –  the ones with only the book-smarts  – are now out of the race (no offense to knowledgeable security professionals with a CISSP – I have one myself, too). And of course, the CISSP was never intended to be the end-all and be-all of critical infrastructure cyber-protection training, but the current overall education and training system does leave me to wonder how this will be executed.

Perhaps we have general practitioners and specialists, like in medicine. Maybe we can have apprentices, journeymen, and masters like in some of the skilled professions.  Would throwing the ISC2, ISACA, SANS, and a whole host of other certifications in a blender do us some good? I don’t know the answer, but I do hope the committee(s) will take a real hard look at what it takes to be any type of information security professional in a critical infrastructure protection role.

Posted by at 03:41 PM in Ramon Krikken, security, security certification | | Comments (0) | TrackBack (0)

|

April 10, 2009

Protecting Information in Hostile Environments

Blogger: Eric Maiwald

We used to talk about doing business over open networks as the big security concern. In fact, we had a topic by that name at Catalyst 2008. Given the further proliferation of key loggers and other malicious software (that is becoming more stealthy and customized), I think we need to start talking about doing business in completely hostile environments. It is not only the network that is open and filled with eavesdroppers but it is also the client endpoint. Key loggers can capture passwords and other sensitive information unbeknownst to the user. We also have cases of malicious software operating in servers and capturing sensitive information there (see the Heartland case). Where is it that our data is safe?

When I first came to Burton, I talked to Dan Blum (Principal Analyst in SRMS) about what I called “Star Trek Security.” What I meant by it was that information seemed to be free for the taking. If you watch Star Trek, it seemed any time the Enterprise came across an alien ship, the aliens could download any information they wanted (usually by scanning the ship or the database but sometime by pulling it directly out of the crew’s minds). Crew members could gain access to any information whenever they needed to (even if unauthorized) and it was only when some abnormal measure was taken that any data could be controlled. Similar themes are now shown on TV shows like NCIS where superstar agents can “hack” into any database they need to get into or break (or bypass) any encryption mechanism at will. It seems that these fictional situations are not all that fictional.

I wonder if we are seeing the results of too much dependency on preventative controls. No control is absolute and we lived for a long time on the difficultly of circumventing our preventative controls. But as the rewards to breaking or bypassing these controls increase, the level of effort exerted to do so also increases. The end result is that we find our controls circumvented or broken on a regular basis. Defense in depth does not seem to matter nor does compliance with standards such as PCI. Any attempted penetration can succeed given sufficient funds to hand to an employee with access.

Perhaps we need to think about how business can be conducted in this type of world. Rather than concentrate on controlling access to information, maybe we need to think about detecting and limiting the misuse of the data. For example, if I can’t prevent my credit card number from being compromised, perhaps I can detect when an attempt is made to misuse it. This is obviously a simple example and the issue becomes more difficult when we talk about sensitive financial information or trade secrets. But it seems to me that we need to move beyond the idea that we can assume any type of “secure” environment (on the network, on the client, or on the hosts).

Posted by at 10:42 AM in Eric Maiwald, security | | Comments (1) | TrackBack (0)

|

December 22, 2008

The New IT Reality, Security and the Role of Vendors


Bloggers this week: Eric Maiwald, Phil Schacter, Dan Blum, Trent Henry, Ramon Krikken

This week’s blog post features another discussion between Burton Group security analysts on the new IT reality and how this impacts security.

Eric kicked off the discussion with this thought-provoking list of questions for the team to consider.

 One question we have not asked is “who (which vendor) is best positioned to help our clients in the new IT reality?” The new reality I’m speaking of includes cloud computing, virtualization, consumerization of IT, etc. We know that things are changing and we also are guessing that the economy will accelerate some of the technology changes. We have themes that talk about security organization and about technology (ie. security for data in transit, data stored on mobile devices, and data that is transiently resident in virtualized and cloud-hosted IT infrastructures) but which of the many security vendors (or non-security vendors) is best positioned to help deal with this? And just as important – what makes that vendor or those vendors best positioned? Is it technology? Integration of technology? Services? Services and technology? Size? Stability? What about reach into non-security areas of IT?


I (Phil) piped up with the following comment. Even figuring out what attributes to look for in a cloud vendor, or the related discussion of what terms to look for in the SLA from your favorite cloud vendor will be new and somewhat controversial ground to consider. I recall a few years ago when Microsoft tried to offer Passport as an identity solution for the cloud, and of course it failed – perhaps because of the issue of placing trust in any vendor, especially a vendor that’s always been aggressive in the market, such as Microsoft.

Next, Dan entered the fray with an examination of IT’s shifting reality, and offering a series of insights on how we might measure vendors and their capabilities to help organizations deal with their IT challenges.

Is there a new IT reality? We’ve had clouds and ASPs and SLAs and revolutions against IT and downturns before. However, virtualization is more disruptive than anything I’ve seen since the web and WiFi which are still disrupting, and web services/SOA seems to at least moderately disruptive. Reality is always in the process of reinventing itself but perhaps we do have a bit more of a new reality in IT than usual. I’ll grant you that.

Ok, so you wish to assess which vendors will thrive (and enable customers to thrive) on this new IT reality? It occurs to me that the discussion of the vendors is premature, since we had not defined the yardsticks by which to assess them.

The yardstick might include measures of financial, organizational, market and technological strength for the vendors. In terms of technological strength the vendor must enable customers to provide:

  • Web-centric computing
  • User centric experiences
  • Mobile computing
  • Resource dynamism, and
  • Fine grained understanding and control of information

These are all things we could attempt to measure. And yet…the ticklish distinction between being some kind of IT vendor versus some kind security vendor (or both), the fact that customers are so different and have thousands of alternatives for how to protect their IT environments, and the long tail phenomena that keeps the market in a structural state of permanent disruption all suggest to me that it may be a futile exercise to try and assess the big vendors in security at this level of abstraction.

Trent was the next analyst to join the discussion.

When you used the word “disruptive,” Dan, it got me thinking. We could have an entire discussion on that alone. My own thought is that the introduction of the personal computer was the most disruptive thing I ever saw—a move from centralized to distributed computing paradigms. Ironically, virtualization plays a role in returning us to centralization once again.

Which vendors actually introduce disruptive technologies or “new ways to work?” It’s never the security vendors, IMHO. Often, technology vendors simply respond to innovation or changing business requirements in customer environments. And security vendors tend to follow even a step (or two, three) behind them. But elements of consumerization, cloud computing, new-fangled collaboration, etc are spearheaded by vendors on occasion. With investments in R&D labs to conduct fundamental research, Google, IBM, Microsoft, and others are not merely reacting to new trends but are creating the vision (and tools) to realize the future. How does this figure into an evaluation equation? (And what does it mean when former research heavies like DEC  or Xerox—whose PARC has been greatly minimized—are no longer as important?)

Ultimately, this discussion has to rise above just security unless we narrow the question to “How are vendors going to successfully help organizations protect information and infrastructure?” But ultimately, that’s just one piece of the larger, “How can IT enable business?” question.

As often seems to happen lately, the last word fell to Ramon.

I’m also inclined to think that the PC was most disruptive from a security perspective. While we used to have a centralized system with a few terminals and printers, the number of inputs and outputs, as well as the complexity and unpredictability of the environment greatly increased with large-scale adoption of distributed computing. And although many of the basic virtualization concepts really don’t differ much from how it was implemented on the mainframe, coupling it with distributed computing complicates things: yes, it does allow a certain amount of centralization on hardware, but increased mobility capabilities through connectivity and hardware in all forms will mean that from a risk perspective this will likely show up as a more decentralized, complex, and unpredictable environment (SaaS, cloud, mobile devices, etc.) It is a potential second wave of disruption to security, but this is one where we’re (security) actually involved in trying to shape the wave.

If vendors only respond to customer demand, then it makes sense that security vendors are at least second in line. After all, few security controls are used as a direct business tool. The exceptions are those systems used by security teams, who are in the business of providing security services (and so this is where, for example, innovation can happen in the ‘GRC’ market or in something like SIEM.) In most other cases I can think of, security controls are a constraint on ‘regular’ business processes, and security vendors will naturally have to respond to what their customers (the makers of the business tools) need.

The unpredictability of the future environment makes it incredibly difficult to assess which fundamental security technologies will work. What seems most difficult at this point is that we have a number of emerging concepts such as consumerization, the cloud, ubiquitous connectivity, and persistent storage, but we have no clue on how, for whom, and to what extent these are going to take off. All of these impact the level of control one has over the environment. The amount of control determines the ease of implementing the trusted path, and the trusted path determines on how well you can implement use control.

Posted by at 05:50 PM in security | | Comments (0) | TrackBack (0)

|

Next »

  • Burton Group Free Resources Stay Connected Stay Connected Stay Connected Stay Connected

Categories


Archives

More...

About

Blog powered by TypePad