July 26, 2006

Gartner's Getting the Word Out...

So, Gartner's been busy stirring up the waters the past few days. They've made the claim that the recent move by the OMB (Office of Management and Budget) to require security incidents to get reported to the Computer Emergency Readiness Team (CERT) within one hour of discovery is nothing but a PR stunt; of course, the way the press spins it, they make it sound like Pescatore set fire to the OMB seal and mooned their office building. Either way, pretty strong words from the ol' G-bone. Frankly, I have to admit that I'm surprised - I would have thought that they would have been completely on-board with having a central incident response body in the loop - and in a timely fashion at that.

They've also gone on-record to say that firms with a high level of "security maturity" (like after your program starts to grow hair and get pimples) can spin down security spending because the whole security situation is totally under control now:

Mogull, who chaired the recent Gartner IT Security Summit in Sydney, says there are now solutions to most information security problems. “It’s just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats. While information security has become a highly specialised branch of IT, commodity security functions are often being returned to IT operations.”

So, apparently the key is to implement the right technology efficiently and effectively. The article implies that the metric they use to analyze maturity is a function of past spending, so apparently "right technology" means "technology that you've spent money on in the past." So, while I agree that their premise seems logical (mature organizations can afford to spend less on security), I disagree that "mature" is linked directly to budget; if, for example, I go out and buy ergonomic chairs for all employees with the security budget, clearly this represents "aggressive spending" of the security budget. But does that mean that as a whole I'm more mature with respect to the security program? Clearly not. Of course, I don't have access to their research (since it's 'spensive), so maybe that's totally the press and not Gartner...

By the way: the hilarious picture of the kid with the bullhorn is from the Gloucester, Virginia information page.

Posted by Ed at July 26, 2006 05:26 PM