Gartner Blog Network

Jumping Security Maturity FAIL!

by Anton Chuvakin  |  January 6, 2016  |  5 Comments

Strategic threat intel before patching? Malware reversing before firewalls? Honeypots before NIPS? Are you freaking insane?!

Well, are you? Why are you doing this? What good do you think it will do? Well, it gets your boss’s boss points for “being innovative” and “using cutting edge tech”… I will give you that. Also, it lets you play with new tech to prepare for your next job…maybe. However, apart from these dubious points, you probably mostly get FAIL – at least in regards to security the environment and reducing risk.

Many of my readers know me as an unrelenting fan of approaching hard security problems with the security maturity lens in mind. For example, here are some posts related to security maturity – SIEM maturity, IR maturity [BTW, also see this fun overview of some security maturity discussions]. When we give advice to Gartner GTP clients, we want to “tint” it based on their security maturity – we want them to grow (if they want/need to), but grow in a realistic, achievable manner, in order to make our advice not just “right”, but also feasible.

One common pattern that emerged in my work – an anti-pattern, rather – is a concept of “jumping maturity” or “stand/crawl/RUN/walk” pattern. For example:

All the above items smell like FAIL! While there is clearly no ONE right sequence to implement security safeguards, as it depend on your business, risks, threats, regulations, etc – there are some examples of sequences that are very likely to be wrong since the layers of solid security architecture can only be built on …well.. other solid layers and not on wishful thinking.

As all good rules, this better have exceptions! What are some of those?

  • Good monitoring at a badly secured network MAY make sense (trade control for visibility model); mind you, it is not a happy model and it can get stressful as hell, but likely better than poorly secured network with poor monitoring
  • If your environment is very non-traditional (like, say all SaaS and clouds), some of the security basics are either useless, wasteful or – rarely – harmful. In this case, some more advanced stuff (CASB? UEBA?) may in fact be the recipe to WIN

There you have it! Keep this in mind when planning your security process improvement and tech acquisition.

Select blog posts tagged “philosophical”:

Category: philosophy  security  

Anton Chuvakin
Research VP
5+ years with Gartner
16 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on Jumping Security Maturity FAIL!

  1. Matthew Gardiner says:

    Fully agree. Current security Maturity – across people, processes, & technology – is probably the most important factor we use when recommending security investments @ RSA for customers. While you can jump technologies, you can’t jump maturity.

  2. […] “strategic” activities as patching Windows and cleaning up infected machines – and they are in no shape to engage the attackers with deception […]

  3. An excellent article showing great insight into the real problem of organisations that just can’t even get the basics right investing in the shiny new toys of the security industry’s detect and respond technology portfolio without any acceptance and understanding that you need a SOC to be able to run and manage these. The ASD Top 4 mitigations should be the baseline before going down the wormhole.

    • Thanks a lot for the comment, Jonathan. Indeed, “cool” tools before basics [and some proven to be effective basics like ASD top 4] rarely leads to happiness….

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.