

We need to update security regulations

by Lawrence Pingree  |  December 17, 2016  |  2 Comments

Today’s information security regulatory standards are out of date. They need to be updated with more prescriptive guidance. For example, almost all security practitioners know they need updated technologies like malware sandboxing, exploit prevention (memory protection) on desktops, enhanced network traffic visibility, distributed deception platforms, web application firewalls and enhanced SIEM systems that can leverage user behavior analytics and machine learning, rather than simple correlation, to keep up with the attackers of today. Why is it that our regulators don’t see (and more quickly respond to) how even compliant organizations are being breached every day? Maybe I’m just on a soapbox, but we need to get real with the attacker. It is my belief that we must push our regulators and contractual obligations like PCI, HIPAA, CIP and other regulations and regulators to evolve to be more relevant to today’s threats.

Today’s threats need new technology approaches to be successful. For example, many organizations I speak to still don’t have adequate headcount. Despite this, they still don’t use technologies that would lower the headcount required. Many of these technologies (especially user behavioral monitoring, machine learning and distributed deception platforms) can and do reduce the headcount required to raise detection and prevention.

Does it mean you should reduce staff after getting them? No – but we need to stop this bleeding and do so fast, else the next Dyn-style attacks are going to place our entire economy at risk. We need to ask this question: Will we concede and be like “oh well”? We all know what and how we can improve it – but not doing it and not updating regulations that are sorely needed is akin to throwing up our hands and giving up! Let’s not give up! Let’s keep our heads high! Realize quickly that what we are doing is failing and move forward to quickly address it!

#end angry rant

Am I being too provocative? Thoughts?

Category: security  

Lawrence Pingree
Research Director
6+ years with Gartner
19 years industry experience

Lawrence Pingree is a Research Director in Gartner's Security Technology and Service provider group. His responsibilities include providing critical insights to both end users and technology providers. He closely tracks the information security markets, technologies, technology and adoption trends, and competitive market dynamics.


Thoughts on We need to update security regulations


  1. Great discussion Lawrence. It is time we think about evolving compliance to be in line with security innovation. Being a veteran of security and involved in many of the innovations that make today’s enterprise networks safe, it is concerning to see these innovations are not being more thought of when it comes to compliance. Without these kinds of changes, enterprises are left to wander the security ecosystem and make their own conclusions, many of which do not fit with the objectives of higher security without increased team burden. Let’s get the conversation started.

  2. tim eades says:

    Dead on, Lawrence! PCI and the FFIEC are now pushing segmentation and micro-segmentation, and in the finance world the auditors are regulating it (FFIEC Maturity Model), but it has been years…


