John Pescatore

A member of the Gartner Blog Network

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…


Financial Freakout Friday: How Does the Financial Tsunami Impact Information Security

by John Pescatore  |  October 10, 2008  |  4 Comments

"It doesn’t take much to see that the problems of three little people don’t amount to a hill of beans in this crazy world." (Humphrey Bogart, Casablanca)

It’s hard to concentrate on the day-to-day blocking and tackling while the global financial system melts down around you. But it does remind me of another one of my favorite sayings:

Don’t worry about the horse being blind, just keep loading up the wagon.

To that one I add a caveat: be prepared for a bumpy ride. There are a number of impacts we can already predict:

  1. A rise in email scams trying to take advantage of fear, uncertainty and doubt – worth a reminder to your staff and customers that your company will never ask them to provide passwords or other sensitive information via email.
  2. Procurement and hiring freezes, at a minimum – the best case will be staying at the staffing and spending level you currently have and not getting any new funds or hires approved. A more likely case for many is being forced to do more with less – prepare your cut list and your defense of the absolute bare minimum. Take a look at where you can get things done with non-scalable approaches (like open source tools, scripts, integrated “good enough” product features, manual workarounds) to make it through drastic cuts.
  3. Opportunistic after-shocks – as much as I hate to say it, the likelihood of terrorist events (real, physical events) is now much, much higher.  This is a good time to check your mail room security procedures (look here for some good guidelines) and your overall physical security status if you are in any of the critical infrastructure areas. Layoffs are likely, employee disgruntlement will rise – check those processes for dealing with the IT security issues of firing people, too.
  4. Irrational exuberance on the way back up – being an eternally hopeful species, we all assume there will be a bottom and a rise. When that happens is a whole nuther story, but once it does we all know that the rush will be on to do all kinds of dangerous things as euphoria returns and everyone starts to say “it is different now!” The period while fear, uncertainty and doubt are still rampant is the best time to make some progress on building in key security processes like network access control, application vulnerability testing for all software, stronger authentication and authorization, etc.

Have a nice weekend!



4 responses

  • 1 Joe   October 10, 2008 at 12:45 pm

    “Don’t worry about the horse being blind, just keep loading up the wagon.”

    Excellent 13-word summary of months worth of news and analysis.

  • 2 David, Business Technology Roundtable   October 10, 2008 at 3:38 pm

    Perhaps another “call to action” scenario to consider is a managed security services solution.

    Sometimes substantive progress will come from the apparent need to address a crisis. It’s one of the few times that some people in IT willingly venture outside of their status-quo way of doing business.

  • 3 John Pescatore   October 10, 2008 at 3:47 pm

    As part of cost cutting, MSSPs generally make sense when you have to have 24 x 7 coverage – they will always be less expensive than staffing up for full 24 x 7. However, if you convince yourself that you only need 10 x 5 coverage, the savings are not as evident. For many, outsourcing may still increase security and maybe even reduce true total cost of ownership – but it results in an increase in visible costs.

    Agree that often a jolt to the system provides opportunities for disrupting business as usual but these economic swings (like the dot com bust and the post September 11, 2001 drop) don’t seem to work that way, with one exception: where there is a lot of M&A activity, the security programs of the merged companies sometimes get the critical mass the smaller separate programs were lacking. If the management of the business is good at integrating acquisitions (most are not), then the new security organization can be much further up the maturity scale.

  • 4 Fatalistic Friday: Even Though You Can See the Iceberg, You Still Have to Patch the Titanic   October 24, 2008 at 7:53 am

    [...] crisis – there has been a lot of loss of gruntle out there. This is what I was worried about in a post a few weeks [...]
