Have you seen Gartner's top five steps to prevent information disclosure? In case you missed it, here they are:
- Deploy Content Monitoring and Filtering
- Encrypt Backup Tapes and Mass Storage
- Secure Workstations, Restrict Home Computers and Lock Portable Storage
- Encrypt Laptops
- Deploy Database Activity Monitoring
This kind of thing never fails to get my goat. Look, no matter how cool it would be, there are no "easy to follow steps" to preventing disclosures. Heaven knows I wish there were, but there aren't. Why not? Because businesses are different, risks vary according to industry, and deploying this stuff's not like flipping a light-switch.
Take number 2, for example. It's easy to say "Encrypt Backup Tapes and Mass Storage" and (if you're Gartner) you're likely to get press for saying it. But how realistic is it for firms to encrypt all their mass storage? Should they encrypt it all? What kind of encryption should they use? What happens to the keys? How do they store the keys? When do they change them? Is it "spare no expense", or can they compromise a bit in order to meet their budget? How about using some intelligence to gauge what's appropriate for the business - for example, is it really worth spending millions encrypting ALL the backup tapes? Really? Even the ones that don't store sensitive data? Would it be worth it, for example (if everyone in the firm has laptops), to bankrupt the firm in order to encrypt even those laptops without access to sensitive data? Maybe not.
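The key-handling questions above ("what happens to the keys, how are they stored, when do they change") have a concrete shape once you pick a design. The following is an added example, not code from the post or from Gartner, showing one common pattern: envelope encryption, where each backup gets its own random data key, the data key is wrapped under a master key (KEK), and rotating the master key only rewraps the small data key rather than re-encrypting the tape. The function names, the `EncryptedBackup` record layout and the in-memory master keys are assumptions made for the example; in practice the KEK would live in an HSM or key-management service and only the wrapped data key would sit on the tape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBackup is the record written alongside the backup payload (hypothetical layout).
// The plaintext data key is never stored; only its wrapped form travels with the tape.
type EncryptedBackup struct {
	KEKVersion int    // which master key version wrapped the data key
	WrappedDEK []byte // per-backup data key, sealed under the KEK (nonce prepended)
	Payload    []byte // backup bytes, sealed under the data key (nonce prepended)
}

// NewKey returns 32 random bytes, usable as an AES-256 master key or data key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// gcmSeal encrypts with AES-256-GCM under a fresh random nonce; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal and fails on any tampering with ciphertext, nonce or aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptBackup generates a fresh data key per backup, seals the payload under it,
// and wraps the data key under the KEK. The backup ID is bound in as AAD so a wrapped
// key cannot be swapped between tapes without detection.
func EncryptBackup(kek []byte, kekVersion int, backupID string, payload []byte) (*EncryptedBackup, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, payload, []byte(backupID))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(backupID))
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{KEKVersion: kekVersion, WrappedDEK: wrapped, Payload: ct}, nil
}

// DecryptBackup unwraps the data key with the KEK, then opens the payload.
func DecryptBackup(kek []byte, backupID string, eb *EncryptedBackup) ([]byte, error) {
	dek, err := gcmOpen(kek, eb.WrappedDEK, []byte(backupID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, eb.Payload, []byte(backupID))
}

// RotateKEK is the answer to "when do they change them": the data key is unwrapped with
// the old KEK and rewrapped with the new one. The payload on tape is untouched.
func RotateKEK(oldKEK, newKEK []byte, newVersion int, backupID string, eb *EncryptedBackup) error {
	dek, err := gcmOpen(oldKEK, eb.WrappedDEK, []byte(backupID))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(backupID))
	if err != nil {
		return err
	}
	eb.WrappedDEK, eb.KEKVersion = wrapped, newVersion
	return nil
}

func main() {
	kek1, _ := NewKey()
	kek2, _ := NewKey()
	// Constructed sample payload standing in for a tape image.
	eb, _ := EncryptBackup(kek1, 1, "tape-0001", []byte("payroll export 2006-08"))
	_ = RotateKEK(kek1, kek2, 2, "tape-0001", eb)
	pt, err := DecryptBackup(kek2, "tape-0001", eb)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
}
```

The design choice worth noticing is the asymmetry in cost: the payload is sealed once, while the wrapped key is a few dozen bytes that can be rewrapped on every master-key change, so a rotation policy does not imply re-reading every tape.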
Look, my point isn't that Gartner sux (because they don't), nor that they shouldn't write this stuff (because clearly somebody should) - my point is don't expect Gartner to understand your business for you. Just because somebody comes around and says that "content filtering software" is the most important step you can take for security nowadays, don't just snap-to without thinking about it... Think about your business and what forwards your goals. After all, who knows if Gartner's even right? Trust me, they've been wrong before.
Posted by Ed at August 14, 2006 02:47 PM