Gartner Blog Network

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

Summer of Cloud Incidents

by Jay Heiser  |  September 25, 2013

Although the actual events took place at widely varying times, the summer of 2013 has witnessed the public release of 3 major ‘inappropriate use of the cloud’ incidents. On July 28, Oregon Health & Science University (OHSU) felt compelled to notify 3,044 patients that while there was no reason to believe that their data had […]


You have 2 weeks to pickup your cloud

by Jay Heiser  |  September 18, 2013

You’ve got 2 weeks to get several petabytes of data from a dissipating cloud. Will you get it all back safely? Hundreds of Nirvanix customers are asking themselves that question right now. Although their website remains blissfully mum about this unfortunate development, The Wall Street Journal is only one of several media organizations reporting […]


Everything is more better with Cyber on it

by Jay Heiser  |  September 13, 2013

Computer Security is dead; long live computer security.


Everything is better with cyber on it

by Jay Heiser  |  June 14, 2013

Gartner security analysts are being bombarded with questions about CYBER security. Is this cyber reality, or cyber hype? A few years ago, we had seriously entertained the idea of creating a sort of ‘IT Buzz Term Hype Cycle’, that would map overused prefixes across trigger, hype, disillusionment, and productivity. At the time, ‘I-‘ had reached […]


The Dilemma that is Cloud

by Jay Heiser  |  June 3, 2013

Life in the cloud would be so much easier if there were only some sort of ‘cloud risk seal of approval’. Most public cloud services seem to offer a reasonable risk proposition, but it’s extremely difficult to provide defensible evidence of this. A comprehensive and well-accepted ‘standard’ would go a long way towards bridging this […]


Why do you classify?

by Jay Heiser  |  May 29, 2013

Gartner clients have a lot of questions about the topic of data classification. It is a primary concept that has long been enshrined in the canon of computer security, yet in practice, it remains a concept that is impractical for the majority of non-military organizations to successfully apply. In 1998, information security pioneer Donn Parker […]


We say no because that’s what you ask us to say

by Jay Heiser  |  March 28, 2013

We’ve riffed for years on the distinction between “Dr. No” and “Mr/Ms Yes”, but many enterprises continue to back the security professional into the awkward far corner of the Business Prevention Department.  If the risk assessor is going to be blamed for security failures, then that person is always going to be motivated to make […]


Hack back, jack?

by Jay Heiser  |  March 20, 2013

It would be the rare soul indeed, who, after spending hours or even days cleaning up from a hack, didn’t feel the strong red rage of revengeful urges. And how many PC owners or site managers, still recovering lost data, time, and pride, if presented an opportunity to strike back at their attacker, to make […]


Including, but not limited to

by Jay Heiser  |  February 28, 2013

Any time your internal policies include the lawyerly language “Includes, but not limited to…”, it should be a sign that somebody needs to reexamine the text.  This is often a sort of cop out, an admission on the part of the policy writer that they actually do not know what the rules should be—but a […]


If you don’t know how to do it, WHY do you want to do it?

by Jay Heiser  |  February 27, 2013

“We have decided to do this new thing. We think it has risks. What should we do to make sure that it doesn’t have any risks. This new thing that we’ve decided to do. Without knowing what the risks are, or whether the best practices for risk mitigation have matured.” Exactly
