Greg Young
Research VP
6 years at Gartner
22 years IT security
Greg Young is a research vice president in Gartner and the lead analyst for network security. Mr. Young has experience in IT security in product companies, and in both the private and public sectors. He spent his military career in technology security… Read Full Bio
by Greg Young | June 21, 2010 | Comments Off
Today I tried a new format of presentation panel – entitled “Analyst Invitational: Network Security Vendors on the Hot Seat”.
First, I’d like to thank my three guests. Each represented themselves and their companies well. It was a very contentious, intelligent and fast-paced discussion, and the feedback from the attendees was overwhelmingly positive. I tried to pick a mix of network security participants who would agree on a few things and disagree on more, but not revert to party line or disagree for the sake of disagreement. The points of agreements amongst us were on that netsec is hitting one a major change point, and that IPS signatures cannot be stacked up indefinitely. Opinions differed on when IPv6 will hit most enterprises, but there is agreement that IPv6 in security will cause mischief.
Tom Gillis, GM Security, Cisco
Rees Johnson, SVP and GM Network Security, McAfee
Nir Zuk, CTO Palo Alto Networks
Once again, it was the most though-provoking session I have participated in and I plan to submit it for next year’s Summit.
Category: Uncategorized Tags:
by Greg Young | June 15, 2010 | 1 Comment
I’m looking forward to our 16th Gartner Security Summit next week. Here is a quick list of the sessions and events I am presenting:
Sunday 7:30pm
Tweet & Greet
Hotel Sports Bar
Monday 2:30pm
Analyst Invitational: Network Security Vendors on the Hot Seat
Potomac Ballroom C
Monday 5:40pm (Rapidfire session)
New Black Boxes
Potomac Ballroom 1
Wednesday 8:30am (pre-registration required)
Top Five Mistakes and Top Five Network Security Architecture Best-Practices Workshop
Chesapeake Ballroom F
Wednesday 11:00am
Magic Quadrants, MarketScopes, Market Shares and the Future of Information Security
Potomac Ballroom C
I look forward to seeing you there.
Category: Uncategorized Tags:
by Greg Young | June 15, 2010 | 1 Comment
The 2nd annual informal Tweet & Greet at the Gartner Security Summit will be on Sunday, June 20th at 7:30 pm at the sports bar on the ground floor of the Gaylord National Hotel.
Hashtag will be #GartnerSecurity and my Twitter handle is @GartnerGreg
I’ll be inviting my analyst colleagues and look forward to seeing you there!
Category: Uncategorized Tags:
by Greg Young | May 25, 2010 | Comments Off
Gartner has an Event Note on titled “Symantec Faces Serious Challenges With VeriSign Security Buy“, and a companion note for our Gartner Invest customers from colleague John Rizzuto.
The research note document summary is “Symantec plans to acquire the key components of VeriSign’s identity business. Both market dynamics and the lack of synergy suggest that the acquisition will not improve Symantec’s competitiveness in security.”
Category: Uncategorized Tags:
by Greg Young | March 12, 2010 | Comments Off
There was an internal discussion thread in our InfoSec research community on the news of an alleged insider-attempted breach here, and the practices of ‘walking the employee to the door’.
However the bigger story for me here is the over-reliance people in these processes:
· If physical presence is the safeguard you were doomed when you hired them. Employees started hoarding important files on USB drives when they starting knowing they would be walked to the door.
· With consumerization we don’t own the devices or a lot of the locations where the important stuff lives.
· Someone recently said “When HR sold their souls and shifted from helping employees being successful and engaged to being the enforcement arm of the legal department we increased the adversarial nature in these workplaces and our risk.” I think the point there is if you are relying on humans to do security enforcement, then don’t treat the humans like computers. Nice workplaces have fewer of these human related problems. Of course, I don’t advise relying too much on humans. Humans bad.
· Employment status is a quaint artifact: We walk the salesperson to the door because he was terminated for viewing naughty pictures but we keep onboard the retiring salesperson who hasn’t told us she is going to a competitor in a month? We watch consultants like hawks but we let full time employees have the run of the network?
All that being said I’d still walk ‘em to the door, but knowing that I had done a lot of other things that didn’t rely on people
Give me a cold, loyal, ruthless security appliance any day.
Category: Uncategorized Tags:
by Greg Young | March 10, 2010 | 2 Comments
Guest blog by Peter Firstbrook
While doing the research for our forthcoming secure email gateway Magic Quadrant, we are very disappointed with how few anti-spam solutions have reports that show the false positive (legit email tagged as spam) and false negative (spam that get to the inbox) rates. While there is no perfect way to measure spam accuracy exactly there are good proxies that can be easily measured; false positives can be represented by the emails that were released from quarantines, and false negatives are messages that make it into the inbox that users reported as spam. (And while we are at it, shame on any anti-spam solution that does not even offer an email client “is Spam” button.) Do anti-spam solutions have something to hide? Most brag about their “honeypot” catch rates but “honeypots” rarely get legitimate email.
Although Gartner customers almost never complain about false positive rates, I wonder if false positives are under estimated. End users rarely complain about false positives, but they are very vocal reporting Spam in their inbox. Box Sentry (www.boxsentry.com) recently did a tests in a number of organizations and found the false positive rate in some organizations using popular ant-spam tools was as high as 13% of legitimate emails. The largest proportion of false positives in their study was legitimate person-to-person traffic. While it could be that these organizations have over-tuned their systems to block more Spam at the expense of quarantining more legit email, the reality was the email administrators had no idea they had such a high false positive rate because they never checked. Have you? Organizations that do not send daily digests to end users should check their quarantine to ensure that it is not a tar pit of business critical communications. Let us know what you find.
Peter Firstbrook| Research Director| Gartner
Malware and antispam
Category: Uncategorized Tags:
by Greg Young | February 2, 2010 | 1 Comment
This topic could be a blog unto itself. I liked the comment from Steve L. about ‘experts’.
I’ll end my 3 part series today with a pragmatic one: opaque proposals. I see hundreds of these each year from our Gartner customers. One line proposals with nothing more than a part numbers and a 6 or 7 figure amount after. Sometimes the vendor name. Customers don’t want a binder, but at least describe in a few words what the customer is buying.
In the lifecycle phase after we have helped with needs (“do I”)and selection (“with whom”, I take a lot of calls where, armed with the bill of goods and advise customers on whether what they are buying is indeed what they identified in their requirements and is it priced competitively.
But here is the little something extra. This isn’t (just) about being nice to your customer: this stuff stops deals for vendors and deployments for enterprises. I speak often with procurement staff who have rightfully put the brakes on the hurried (“you are either with us in the fight against hackers and the Russian mafia, or you are delaying this purchase and are with the hackers and the Russian mafia.”) yet cryptic purchase of SCU1914383-2525-09-456-YOO (“its technical – you won’t understand”).
To procurement officers who haven’t called me, just say “I’m pretty sure SCU1914383-2525-09-456-YOO is the single port 5U 1 mbps token-ring model. I sure hope that is the one you want since we can’t return it” and you’ll get the proposal Description section converted to human readable format.
Category: Uncategorized Tags:
by Greg Young | January 31, 2010 | 4 Comments
Thank you for the comments and emails for the least post.
Here is the second, the Chameleon. I see a lot of this worst practice from security companies with products that are in the “climbing the slope” of enlightenment phase of the hype cycle, who miss the buzz of those products that are new and seen to be cool at the Technology Trigger phase. Of course, they forget that there isn’t usually much money for pre-Slope products.
Although not unique to security markets, security has a high incidence rate because of the fast rate of new product introduction. The security market has this high rate in response to the change in threats, and the introduction of new technologies that need securing.
I used to see this a lot with products being called a new kind of IPS, and today see it with sometimes with NAC,DLP, or next-generation firewalls being thrown about liberally. In the slide below, “See also #1″ refers to the slide here.
Category: Uncategorized Tags:
by Greg Young | January 29, 2010 | 6 Comments
I was invited to give a keynote at a vendor’s sales kickoff last week. This was kind of brave of them considering Gartner doesn’t allow for any real censorship or vetoing of the presentation.
One section I included was the Worst and Best sales practices I see in security from our interaction with our customers. Here’s the first of the 3 slides I used in that section, with the others to follow in the next few days.
The slides are sparse, but I hope you enjoy them. Please feel free to comment.
Category: Uncategorized Tags:
by Greg Young | December 2, 2009 | 4 Comments
Every Gartner analyst has a list of ‘Notes I Want To Write’ sitting under a pile of vendor marketing material somewhere on or near his or her desk. The list grows by 5 or more entries for every one that actually gets published, so, even when you take into account that most those ideas are the crackpot musings of an addled mind, there is still a huge amount of good stuff that might never see the light of day.
One that Greg Young and I have on our lists is titled, ‘Personal Security for Corporate IT Workers’. Our thought was to create a Best Practices note on ways the individual can protect themselves, their jobs, and their personal information when working in the corporate environment. Many of the Best Practices in this area may be self-evident. For example, keeping in mind that pretty much anything you do on a corporate device or using a corporate network may be archived and/or monitored seems pretty straight-forward. So if you’re going to be sending a lot of email to any recruiters, you might want to do it from home.
However, there are some things that may be less obvious. Usually, this occurs in situations where the corporate security policy may not take into account the needs of the user, or the user may need more strict protections. For example, making sure you have your own personal backups of important work documents regardless of the company backup policy is a good idea (unless you are specifically forbidden from doing so). Even if your company has a great backup policy and good technology in place, the important file you lose might take awhile to find (or, more likely, the backup will have run just before you made major updates). With 8 gig USB sticks selling for pennies (OK, nickels), it’s relatively easy to make sure you have copies of at least the most important stuff with you. This would apply especially to records of any ‘contentious’ communications with any business participant.
There’s a lot of blending of work life and personal life today, and it’s not unusual for IT workers to have some personal data on their work machines. However, there are times for that NOT to be the case – crossing certain international borders, for example. You certainly might lose the data for anywhere from 10 minutes to forever, and there could be other consequences which I’d rather not (Midnight Express) contemplate. Some countries are testing policies in which you MUST provide them with the password to any encrypted information or face criminal charges, so having a scrambled disk may not be as big a protection as it seems.
This is a discussion that could go on and on, and maybe we’ll manage to write that research note in 2010. For now, it’s still on my list, sitting right….um…it’s around here somewhere.
Ray Wagner, Ph.D. | Managing Vice President | Gartner
Information Security and Privacy | Secure Business Enablement
ray.wagner@gartner.com
Category: Uncategorized Tags:
Tom Gillis, GM Security, Cisco
Rees Johnson, SVP and GM Network Security, McAfee
Nir Zuk, CTO Palo Alto Networks
