Gartner Blog Network


Bye-bye, Compliance Thinking. Welcome, Military Thinking!

by Anton Chuvakin  |  April 12, 2013  |  1 Comment

While listening to the keynote by Vice Admiral Gerald Beaman at a recent SINET ITSEF event, the following occurred to me: now in 2013, all the “hottest” security thinking has military roots … again.  Kill chain, defense, intelligence, adversary, TTPs, campaigns, engaging [the adversary], even the whole cyber thing all have roots in either DoD, DIB or surrounding area.

Here are a few more examples observed recently:

  • Incident response practices are moving away from automatic “find badness – flatten the box” and (in some cases!) started to include deception (such as honeypot redirection, much discussed for a decade, but done VERY rarely – until now) and attacker observation in live production environments [please recover from your shock quickly Smile] To fight the adversary, you need to know what they are likely to do next, and not just “make them go away” for now. Winning the battle [at this one PC] is not winning the war.
  • Goals of some security programs have shifted to mission resilience/survivability as opposed to control compliance and pondering “are we secure?” [I totally get that this is old news for The Enlightened Few aka “security-haves” – the point is not that there is this dude who can now say “I told ya so”, but that is actually happening!] This change has obvious military roots, IMHO, as few wars were won because all tanks had proper maintenance done …
  • Focus on the threats, long predicted by some people and dismissed by the majority, is slowly replacing the view that “we can do nothing about the threats, lets focus on vulnerabilities.” If threats are assumed to be persistent, doing something about them becomes an unavoidable priority since one can not fix all the vulnerabilities, all the time. Obviously, there was no age in history when the military ONLY perfected armor and ignored the gun (spear, bow, missile, laser, malware, whatever)

In the same speech, it was also quite interesting to observe the admiral take a very long-term view of information security and put some of its current security challenges in the context of a technological gap ( = US has less people to field a military than some other countries, thus it must maintain a technology advantage). Quite a few of other organizations can benefit from the same focus on the mission [=business] and its survival.  BTW, here is a fun fact: this excellent paper [PDF] treats “a zero-day wielding professional attacker” as … threat Tier 3 of 6. Who is Tier 6? Well, read the paper Smile

On top of this, I recently noticed the following a phenomenon, a few times already: Google for “site:new_security_vendor.com compliance” and see NO RESULTS. Despite that, “compliance is not dead” and a long list of security basics needs to be executed first – and executed well! However, the cutting edge is most definitely no longer anywhere near compliance …

P.S. Yes, this post is a bit of a rant or an incomplete thought. Well, that is why it is tagged philosophy

Category: philosophy  security  

Tags: security  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Bye-bye, Compliance Thinking. Welcome, Military Thinking!


  1. […] Bye-bye, Compliance Thinking. Welcome, Military Thinking! Anton Chuvakin is a research director at Gartner’s IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities … blogs.gartner.com/…/bye-bye-compliance-thinking-welcome-… […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.