The American Dialect Society selected “bailout” as the 2008 word of the year. One popular choice was “shovel-ready” but it came in 4th, after “bailout”, “Barack Obama” and “lipstick on a pig.” I have a nomination: the “grrrr” noise Clint Eastwood makes frequently in the recently released movie “Gran Torino” – it really does capture the essence of 2008 to me. But I guess that is a sound, not a word – so back to shovel-ready.
2009 is widely viewed as a year where corporate spending will be cut, impacting IT budgets and, by extension, security budgets. The number of layoffs has been enormous, so there is no doubt that per-employee spending will be decreased. In a morbid way, that represents an opportunity for security – it means the price tag for pushing out improved security to desktops has gone down, since there are fewer desktops. Of course, the opposite is true, too: network and server side security solutions will look more expensive, without desktop security spending consuming as large (usually the largest) a slice of the security budget.
In any event, 2009 is going to be a tough budgetary year. But, like pine cone seeds being freed by forest fires, there will be funding opportunities that may spring forth from the ruins. Whether it is because of federal stimulus funding or deals offered by vendors to try to maintain sales or through mergers and acquisitions, you should have some “shovel-ready security” plans ready if the fairy godmother does wave her wand your way.
Here’s a few I would prioritize:
- Laptop encryption – if you’ve got laptops, they are going to get lost or stolen. Encrypt that data.
- Consolidate remote access to SSL VPN with NAC – ignoring TCO during tough times is a given, so the pressure to allow employee-owned IT (already high) will only increase. Moving away from IPSec remote access licenses to this may not cost you more.
- Application vulnerability testing before apps go onto production systems – this is only a step in the direction of application security, but it isn’t that expensive anymore and you might be able to get it baked into the app dev or QA budget.
- In the name of hiring freezes, outsource the routine – 24×7 monitoring of firewalls, IPS, and other defensive security controls is usually cheaper and done better by managed service providers.
These all require new spending but are all shovel-ready – they won’t take years to implement and will show immediate security benefit. Any other ideas?
John Pescatore