Thursday, 2 October 2008

Magic Quadrant and the Colour of Security

This post combines feedback from the last two sessions of the conference. The first session was an explanation of the famous Gartner "Magic Quadrant", and during this session they exploded a few myths.

Magic Quadrants

Every vendor in the diagram is a worthy alternative—it depends on what you need from the product. If you have a niche need, then a niche product may be perfectly appropriate; but don't expect that you can make a purchase decision by just looking at the diagram; furthermore, don't expect to make a decision based on looking at the diagram and reading the analysis. Instead, look at the diagram, read the analysis and then speak to an analyst—through that last process, the analyst will sometimes suggest vendors that didn't meet the criteria for inclusion in the report but are more appropriate to us than the vendors listed.

Magic quadrant diagrams are only produced for markets that have reached a certain maturity, so the inclusion of a vendor on the diagram should give us an indication not only of their place in the market, but the maturity of the market altogether. Sometimes, magic quadrant reports get combined over time as markets become less siloed and products more integrated. We need to keep an eye on acquisitions ourselves, as diagrams are not updated especially to reflect events—only yearly on a schedule.

The Colour of Security

This session took the form of a panel discussion which asked two questions:

  1. Will business systems be more or less secure in ten years' time?
  2. Will there be a separate IT security function in ten years, or will it have become wholly integrated into IT operations?

                  Separate IT Security Function   No Security Function
  Less Secure     Perpetual Arms Race             Chaos
  More Secure     Security Nirvana                Software Engineering

The above grid was revealed to us after the final vote. Clearly, the descriptions are for the extremes, whereas reality is likely to be less clear cut (when is reality ever clear cut?).

Perpetual Arms Race: if there remains a separate IT security organisation, more and more of its work will move to IT operations (as they are seeing anti-virus and anti-malware moving now), but there will always be new threats to be mitigated in the future, and IT security experts to mitigate them.

Chaos: if IT security organisations are operationalised and yet we are less secure, the world will descend into chaos (or at least towards chaos).

Security Nirvana: if IT security professionals maintain a separate function, but the world is more secure, then their world (and ours) will be a better place.

Software Engineering: if we end up more secure, yet there is no separate IT security function, it is because we have solved the problems of IT security through software engineering.

When an American audience was asked to vote before the debates, they predicted a security nirvana; after the debate, they predicted an arms race. We, the European audience, predicted the arms race immediately, and stuck with that prediction after the debate.

The arguments are these:

  1. IT security products are almost wholly reactive, so we will always be on the back foot—preparing for the most recently discovered hack, but never predicting the next one (and adequately defending against it).
  2. Ross Anderson (www.ross-anderson.com), who spoke the previous day, indicated that security vulnerability in emerging technologies is virtually an economic certainty—only when markets mature can vendors afford to get security right (look at Windows, look at the internet).
  3. Hackers are becoming professional, and are in it for the money, not the fame—that means that their priorities are different. TJ Maxx (TK Maxx to us) was breached months before they realised, and it was even longer before their customers were told. This particular point kept me thinking—how many other institutions have been breached already and simply haven't found out yet…

Separate from my blog, I am developing a slide deck that I will post when it's ready highlighting my feedback from the conference.
