Paul Proctor

A member of the Gartner Blog Network

Paul Proctor
VP Distinguished Analyst
10 years at Gartner
28 years IT Industry

Paul Proctor is a vice president, distinguished analyst, and the chief of research for security and risk management. He helps organizations build mature risk and security programs that are aligned with business need.

Sony Pictures Hack: Advice-apalooza

by Paul Proctor  |  January 4, 2015

I have taken lead on organizing Gartner’s guidance to our clients following the Sony Hack revelations. Of course you have already read dozens of blogs and news articles packed with advice so why would you need more?

The simple answer is that all the eyeball grabbers out there seeking to be first to print are only giving your eyeballs something to do. Long after the press and bloggers have moved on to the next shiny object, our clients are going to be fighting through the strategic repercussions of this event.

With 60+ analysts covering risk and security, our perspectives range from “we are all going to die” to “what’s the big deal?” but we are generating some very concrete guidance. Here are some early observations:

  • North Korea, Shmorth Korea. The implications of this event do not hinge on North Korean involvement.
  • Business disruption attacks are the new black. Regardless of who did it, the fact that you can walk into work one morning and everything will be down…hard…and it will take weeks to recover has not been seen before. Yes, we’ve seen this in nation-state-related enterprises in events such as Stuxnet and Saudi Aramco, but downing (with prejudice) a commercial enterprise with no state sponsorship is new.
  • What’s old is new again. We’ve been through hacks that capture executive attention many times before, but executives are already primed to listen this time. Don’t bang the drum on pet projects; there are new things to do, and old things to finally fix.
  • Changes in the standard of due care. The low bar for security programs is going up.

In my previous blog post on Sony, I mentioned that behavior change is critical to success and that Gartner has some guidance on that with our people-centric security guidance. My colleague Tom Scholtz has written a guest blog: People-Centric Security Can Help Limit Sony-esque Damage

Gartner clients should stay tuned for more good, practical Gartner advice in the wake of this event.

Follow me on Twitter (@peproctor)


People-Centric Security Can Help Limit Sony-esque Damage

by Paul Proctor  |  January 3, 2015  |  5 Comments

This is a guest blog entry by my colleague and friend Tom Scholtz.

The compromise of several unencrypted files containing administrative passwords apparently exacerbated the impact of the Sony cybersecurity breach.

Many commentators have argued that Sony should have mandated some kind of encrypted password vault solution that the sysadmins must use. The reality, however, is that even if such a policy and control existed, the sysadmins would in all probability have circumvented it if they believed it slowed them down in the execution of their jobs.

People-centric security (PCS) is a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.

If a password management tool was suggested as part of a PCS strategy, rather than mandated by central dictate, maybe the sysadmins in Sony would have voluntarily adopted the solution, especially given that they would be held personally responsible for any compromise of any unprotected passwords, and dramatically reduced the impact of the breach.

Indeed, pioneer implementers of PCS strategies tell us that they believe their security controls adoption and compliance increased markedly after PCS was implemented.

So one of the lessons of the Sony breach might be to consider the systems admin domain a potential target for implementing PCS.

- Tom Scholtz



Stop Picking on Sony Security over North Korea Hack

by Paul Proctor  |  December 9, 2014  |  Comments Off

It’s easy to pick on the security of a company that has just been hacked, but I don’t think it is fair, accurate, or defensible. Make no mistake, there are companies with terrible security practices who have been hacked and likely deserve derision, but I have trouble believing that Sony Pictures is one of them.

Let’s look at what is known publicly. Several files were dumped on the internet that allegedly come from their internal networks. Many of these are said to contain passwords.

“How can this be so?!” cry the ambulance-chasing security pontificators. “Sony has terrible security practices!”

What we also know publicly about Sony is that they are a for-profit company dealing in a digital medium, where unauthorized access to their products has obvious, devastating impact. They have every motivation to pour a lot of resource into protecting their lifeblood. But what about their administrators’ behavior?

Dumping sensitive data into unprotected text files is a practice as old as time and I have seen it at many companies. This is typically the result of administrators who have a job to do. If you need access to 50,000 passwords, this is a convenient way to get it. Sure it is against policy. Sure it is risky. But what’s the probability of a pervasive and comprehensive attack that will compromise such a file?

Risk and security programs have a lot of priorities, and employees ignoring policy has not been at the top of the list. Sony security should not be lambasted for doing exactly what they should have been doing, which is focusing limited resources on the most important assets in the company.

If you want to cast the first stone, you better consider your own glass house. (I love mixing my metaphors.) Basically, every enterprise has this problem with people and behavior. Everyone reading this has unencrypted files in their company with sensitive data.

However, the Sony hack changes the game. If North Korea is involved, a nation state attacking an enterprise with malice creates a very different security problem with user behavior that will not be solved by technology.

Security programs and user education need a boost, with special attention on these risky practices adopted for convenience. Simple behavior changes will do more to protect your enterprise than spending millions on complicated technology that will make users miserable. Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.

Gartner’s research in people-centric security recognizes the criticality of user behavior as a control and seeks a better answer than posters and mousepads that say security is important. It is the integration of security and social science designed to motivate users to want to do the right thing.

Never waste a crisis. Sony is not the first serious, game changing hack and it won’t be the last. Use the visibility this creates with executives to institutionalize better practices that will survive the times when they go back to sleep over security. You could do that… or you could use this opportunity to push through the budget for that DLP system you’ve been trying to get for 3 years. Your choice.

And stop picking on Sony.


Is the Internet Already Secure Enough?

by Paul Proctor  |  October 2, 2014  |  1 Comment

Is the Internet Secure Enough?

How could it be? Have you read the headlines, seen the regulatory requirements, or experienced the hysteria?

And yet those millennials will give away any information they have for a free taco. They seem to trust the Internet, and yet most of us don’t.

Trust is an interesting concept in digital business and the new collaborative economy. The dictionary defines trust as the firm belief in the ability, reliability or strength of someone… or something. I made the mistake of searching the internet for trust models and this is a fraction of what popped up:


Here’s what I learned. Don’t go to the Internet to learn about trust models.

Trust is a web.

  • Do you trust the Uber driver who may have less training and certification than the driver from a regulated cab or limo company?
  • If you are a homeowner, are you ready to throw your property up on Airbnb? How much do you trust the strangers you will be inviting to stay in your home?
  • Your customers trust your company. Failure has customer satisfaction and revenue implications.
  • Your executives trust you. Failure there has salary and career implications.
  • PhDs study the trust relationship between pilots and aircraft automation.
  • We all trust technologies. Do you trust cloud?
  • Do you trust your employees? Your security people sure don’t because they keep trying to lock everything down in the name of protecting your company.

Trust is never absolute. It sits on a sliding scale.

Those millennials may give away all their information for a taco, but they draw the line when you ask them for information about their friends… or if you cross a creepy line in mobile marketing. So even those crazy millennials have limits on their trust.

There’s a power company in California that put up a website in the 1990s to communicate with their customers. That worked out well so they put up on-line billing. Then some genius decided to hook their nuclear power plants to the Internet. The point is that each of these requires higher levels of protection and more trust.

Even identity and access management has become more “dynamic.” It’s not just usernames and passwords anymore. Increasingly it is about how you are coming in, and where you are coming from. The more I know about you, the more willing I will be to give you access to sensitive information. The less I know about you, the more likely I am to keep you in a box away from the sensitive data.

Once you are comfortable with this idea that trust sits on a sliding scale, then you can work with it. Manipulate it. Maybe generate a little more trust …or a little less trust.

You are all familiar with service levels. Would you like bronze, silver, or gold service? Each of these comes with a little more protection, a little more trust …and a little more cost. We are now introducing the idea of choice into the mix.

Trust can be manipulated in technology. Gartner has this concept of a spectrum of trust in mobility. We have defined 6 different categories of trust including the platform, container, app, file system, cloud, and viewer. In each of these categories you can deploy a variety of technologies that will influence how much trust you have in your mobility deployment.

By 2016, 75% of large enterprises will have deployed technologies falling into four or more categories on the Spectrum of Trust for securely providing access to enterprise resources from mobile devices, up from 30% today.

But technology has its limitations. It doesn’t generate perfect protections or perfect outcomes.

I ran data loss prevention (DLP) technology coverage at Gartner for 7 years. This is really cool technology that can recognize sensitive data on the fly and enact a policy. For example, if someone is sending out an email with sensitive information, DLP can catch this action and stop it. The downside is that with every email you stop, you are stopping a little bit of business.

When I took hundreds of calls in a year on DLP, the first question was always something like “I need to stop people from sending out emails with sensitive information. What product should I buy?”

My response was always the same, “Before we get into technologies, have you asked them not to?”

With the acceleration of digital business and capabilities like cloud, mobile and social, people are being offered more choice. We can’t just shut them down and control them with technologies. We have to trust people more and more.

Gartner has developed people-centric security (PCS) to help organizations motivate their employees to do the right thing. This is far beyond the security training of the past that mostly consisted of posters and mouse pads that say “Security is Important!” PCS is the integration of security and the social sciences. It is about giving people rights and responsibilities so that they have a stake in the security outcomes.

In PCS we have this concept of a trust space that is a measure of how much you trust people vs how much you rely on technology to make them do what you want. With digital business the trust space is growing for the people. You need to start thinking about this.

Trust is an artifact of your decisions and your actions.

This is very good news! It means we have some control over the amount of trust we have. There is no such thing as perfect trust, and yet we still have to trust people and we need people to trust us. We need to trust technologies as well.

Risk management can help us because there is a relationship between trust and risk. As we accept more risk, we engender less trust and vice versa.

Risk management is the conscious recognition that we can’t protect ourselves from everything. Every day we make choices. On the one hand, we can invest in controls and experience less risk or save some money and experience more risk. These two points create a continuum.


It is a legitimate business decision to exist anywhere on this continuum.

This is also very good news! It means we have choices! The only mistake that everyone makes is they think they live on the right hand side (low risk), but in reality they live on the left hand side (high risk). Or they have no visibility in where they are on this continuum.

We are seeking a balance between the needs to protect and the needs to run the business.

To create this balance, we need to get better at making conscious decisions regarding risk. Earlier this year I was helping a large consumer software products company that wanted to accelerate their use of public cloud. I helped them build a risk model that guided decisions like which applications go into the cloud, which don’t, which data goes into the cloud, and what controls are necessary.

Every step of the way they were making conscious risk decisions that created efficiencies, saved costs, managed risk, and most importantly managed the trust relationship between them and their customers. They were managing risk to create real business value.

But making these decisions can be difficult and it requires you and your organization to think in a different way. It was summed up best by the head of risk and controls for a global bank who I was speaking to recently. He said “I don’t need risk experts. They always come in with an answer. I need people who can THINK!”

To help organizations think differently we provide research on a model to integrate risk and corporate performance. We also have a brand new risk treatment model that is designed to abstract out all the technology and help get the appropriate non-IT executives involved in making some serious risk-based decisions.

The best way to guide your decisions is to put them in a business context and connect them to desired business outcomes. Consider the following for success:

  • How much trust do you really need? People and technologies.
  • What are the business opportunities for enhanced trust? They are out there, you just need to find them.
  • How much risk and security is appropriate?

This brings me back to my original question. Is the Internet secure enough?

The answer, my friends, is entirely up to you.



Gartner GRC Reset: And the Vendors are…

by Paul Proctor  |  September 8, 2014  |  1 Comment

We are 8 months into our GRC process reset and we have selected the vendor participants for many of the use cases. For a complete discussion of our reset process, read this post.

Brief context: GRC is one of the most flexible terms in the vendor lexicon, because most of them use it to describe whatever they are selling. Also, many of these products are shells that can be programmed to do whatever you need them to do, so we are putting the emphasis on production usage.

Process update: We have completed the reference process, receiving 350 completed surveys out of almost 600 provided. Our 60% response rate is a little disappointing, but July/August can be a challenging time of year in many countries due to vacations. However, we have more than sufficient response to do our analysis.

We have done final vendor selection for MQ analysis based on revenue and market presence targets for most of our deliverables. This selection does not guarantee publication in the final deliverable pending our analysis.

One of our team has been out on maternity leave and another chose to leave Gartner, so it’s been an exciting summer for our process. As a result, 2 deliverables are delayed until Q1 2015.

Updates by top 6 use cases

ITRM – Magic Quadrant for IT risk management

Estimated Publication: November, 2014

Vendors in final MQ analysis:

  • Allgress
  • RSA Archer
  • IBM
  • Brinqa
  • Agiliance
  • ControlCase
  • Lockpath
  • MetricStream
  • Modulo
  • Nasdaq Bwise
  • RSAM

ORM – Magic Quadrant for Operational risk management

Estimated Publication: November, 2014

Vendors in final MQ analysis:

  • IBM (OpenPages)
  • Wynyard Group
  • MetricStream
  • Nasdaq BWise
  • EMC-RSA Archer
  • Modulo
  • SAP
  • Mega
  • Enablon
  • Protiviti
  • SAS
  • Sword Group
  • Thomson-Reuters (Accelus)
  • BPSResolver/ResolverGRC
  • Rivo Software
  • Covalent Software

VRM – Magic Quadrant for Vendor risk management

Estimated Publication: October, 2014

Vendors in final MQ analysis:

  • Agiliance
  • Allgress
  • Brinqa
  • EMC-RSA Archer
  • LockPath
  • MetricStream
  • Modulo
  • Quantivate
  • RSAM
  • Prevalent

BCMP – Magic Quadrant for Business Continuity Management and Planning

Published August 7, 2014

GRC vendors in final MQ analysis (out of 18 total vendors in the MQ):

  • RSA Archer
  • MetricStream
  • Modulo
  • Quantivate
  • Lockpath

AM – Market Guide for Audit management

Estimated Publication: Q1 2015

Our colleague Khushbu Pratap is returning from maternity leave this week and will be in touch with vendors who are being considered for the market guide.

CCO – Market Guide for Corporate Compliance & Oversight

Estimated Publication: Q1 2015

Our colleague French Caldwell has retired from Gartner. We are currently seeking a replacement to complete the work on this market guide.

* Please keep in mind that these selections should not be considered endorsements by Gartner. Our rigorous MQ methodology will produce insights to help our clients select the most appropriate technologies for their requirements.

In other GRC process news:

The early returns on the reference surveys are looking very promising. We will be able to identify the most common competitors for the various use cases, the most common reasons vendors are selected, and the most common reasons they are NOT selected. We will also know customer satisfaction by major functional category.

We plan to publish several other documents with the insights gained from this process.

On a personal note, I am in London this week delivering our risk and security keynote and an update presentation on our GRC process. London is a bit of a homecoming because we kicked off this effort 1 year ago here with a presentation called “Killing GRC”. Last week we were in Sydney, and next week we are in Dubai delivering our first risk and security conference in the Middle East.


An Update on the Gartner GRC Reset

by Paul Proctor  |  July 1, 2014  |  1 Comment

This post is being updated periodically to address vendor categorization changes. Last update 9 July 2014

We are 6 months into our GRC process reset and we have some progress to report. A quick disclaimer: This blog post contains no Gartner analysis, because to this point, our process has (mostly) been a self-selecting process. For a complete discussion of our reset process, read this post.

Here is a quick recap: GRC is one of the most flexible terms in the vendor lexicon, because most of them use it to describe whatever they are selling. Also, many of these products are shells that can be programmed to do whatever you need them to do, so we are putting the emphasis on production usage.

By the numbers:

  • 9 – Number of Gartner analysts in our GRC working group
  • 1000 – Number of calls these 9 analysts take on GRC each year
  • 6 – Number of common use cases
  • 78 – Number of vendors we contacted
  • 37 – Number of vendors who responded with references
  • 15 – Number of vendors who have not yet produced references
  • 16 – Number of vendors we dropped
  • 600+ – Number of references produced by 37 vendors
  • 4 – Number of vendors able to produce 5 references in all 6 use cases


The top 6 use cases:

  • ITRM – IT risk management
  • ORM – Operational risk management
  • VRM – Vendor risk management
  • BCMP – Business continuity management and planning
  • AM – Audit management
  • CCO – Corporate compliance & oversight


We asked 73 vendors to provide 5 references for each of these use cases, and absent our rigorous research process, what they were willing (or able) to produce is interesting all by itself.

The following vendors produced references for specific use cases. THESE ARE NOT GARTNER RECOMMENDATIONS. Our reports in September will vet these and produce recommended vendors for each use case.

These are the vendors who produced one or more references for one or more of our defined use cases. The codes in parentheses are the first letter of the use cases for which they produced references.

  • ACL (A)
  • Agiliance (I, O, V, B)
  • Allgress (A, I, V, C)
  • BPS Resolver (O, A, C)
  • Brinqa (I, V)
  • CMO Compliance (O, V, C, A)
  • ControlCase (I)
  • Covalent Software (A, O)
  • DF Labs (O)
  • eGestalt (I, O, A, B, V, C)
  • Enablon (O, A, C)
  • Group Enode (O)
  • Happiest Minds (I)
  • IBM OpenPages (A, O, I, C)
  • Ideagen (I, A, B, V)
  • LockPath (I, O, A, B, V, C)
  • Magique Galileo (A, O)
  • Mega (A, O, C)
  • MetricStream (I, O, A, B, V, C)
  • MKinsight/Morgan Kai (A)
  • Modulo (I, O, B, V)
  • Nasdaq BWise (I, O, A, B, C)
  • ProcessGene (A, I, C)
  • Protiviti (A, O, C)
  • Quantivate (O, V)
  • Rivo Software (O, A, C)
  • RSA/Archer (I, O, A, B, V, C)
  • Rsam (I, O, A, V, C)
  • SAP (I, O)
  • SAS (O)
  • Securimate (A, O, C)
  • Sword Group (A, O, C)
  • TeamMate (A)
  • Thomson Reuters (O, A, C)
  • Tripwire (O, I, C)
  • Wolters Kluwer (O, A, C)
  • Wynyard Group (O)
  • Xactium (O)

The following vendors are likely to be included in our analysis, but have not produced references.

  • ANX
  • Aruvio
  • Coalfire
  • Fusion Risk
  • Hiperos (recently acquired by Opus Global)
  • Prevari
  • ProcessUnity
  • SAI Global
  • SecondFloor
  • Software AG
  • The Network
  • TraceSecurity
  • RESI-Informatica

Notable vendors who do not address the Gartner definitions of the GRC use cases for ITRM, ORM, AM, BCMP, VRM, or CCO:

  • Symantec (No longer positions in the GRC market)
  • Hewlett Packard (Reported that they do not have any offerings that address our use cases)
  • McAfee (Has not responded to our inquiries)
  • Microsoft (Reported that our use cases do not fit their strategic direction)
  • NetIQ (Has not responded to our inquiries)
  • Qualys  (Has not responded to our inquiries)
  • Trustwave
  • Oracle GRC – A company is free to use any name they want for their product, but this product addresses SOD in ERP

Vendors who are on our radar, but do not meet our inclusion criteria for one reason or another:

  • 12feet
  • SDG TruOps
  • Happiest Minds
  • Optial

The next step in the process is to send a rigorous survey to each of the references and a survey to the vendors to complete our analysis process. We expect to publish in the fall.

NOTE: If you have used any of these products for a GRC project and would like to be a reference, please tweet me (@peproctor).

NOTE: If you are a vendor and have corrections to this post, please contact me at Gartner.


Digital Business Forever Changes How Risk and Security Deliver Value

by Paul Proctor  |  June 2, 2014  |  2 Comments

Risk and security teams are going through a major transformation. Mobile, social and cloud move business data and processes outside of the perimeter, and outside of traditional enterprise control. Plus, these are dynamic environments with no stability or predictability. Managing appropriate levels of risk in this environment will require a new approach.

Watch the video: Digital Business Will Force You to Reset Your Risk and Security Program.

Non-Gartner clients can also access this video by registering.


Unless you live under a rock, you have probably seen the term “digital business” popping up all over the place. The term “digital” has been around for decades, often in the context of technology marketing. However, only in the past three years has it really become a major driver associated with the progressive use of technology at the wider business strategy level.

Gartner’s definition of “digital business” is the creation of new business designs by blurring the physical and digital worlds. It’s not about getting your business on-line, it’s about dramatically shaking up business models. For example, the way Airbnb is shaking up the big hotel chains and the way Uber and Lyft are challenging traditional taxi services.


Digital business is fueled by the integration of technology and business models. This includes traditional IT environments, cloud, mobile, operational technology, telephony, audio, video, and IoT.

Digital risk and security refers to the management of risks on all forms of technology that use digital information. Connected products are the new and disruptive forces to which companies must adapt over the next three years. You need to be ready for the next generation of digital business decisions and risk planning.

A consistent, unified approach to digital risk has the potential to support cost efficiencies and greater assurance for business processes. But development of a digital risk capability will require the re-engineering of current organizational structures and responsibilities. We need to develop new capabilities in security and risk assessment, monitoring, analysis and control.

Buckle up Dorothy, because Kansas is going bye-bye.


Security and Privacy Remain Doomed with the Rise of Digital Business

by Paul Proctor  |  February 20, 2014  |  1 Comment

You think Target was a big deal? Get ready for more of the same thanks to the attitudes and understanding of consumers and corporate leadership.

The cultural disconnect between business decision makers and technology risk remains epic. They still believe this is a technical problem, handled by technical people, buried in IT. You don’t need to look any further than this report by NPR on digital startups and security at CES by Aarti Shahani (@aarti411).

In the piece, one startup CEO for a wearable that is gathering sensitive health information says, “So what kind of security you will need with your own sleep and wellness data, which is stored in your own mobile device?”

I get the fact that he is focusing on feature and function because he has limited resources, but c’mon man! He was being interviewed by a national radio program and demonstrated complete ignorance of the security risk. This is not some thoughtful trade-off, or strategy, this is pure ignorance.

This is a CEO who, if he is successful with his company, will be wondering later why he has to invest in all this “security” stuff. Didn’t he hire people to take care of this? Did he hire the wrong people?

Or worse, after his wearable gadget leads to the compromise of millions of people’s personal health information, will he feel responsible, or just scramble to find a way to save his company?

Has he signed off on the privacy language on the website with equal lack of knowledge? The FTC loves to hold companies liable who carelessly promise security to consumers and fail to deliver.

With such wanton ignorance, will he skip any consideration of public-cloud related risk when he decides that’s a great new strategy that will benefit his customers and his shareholders?

In another story on NPR by Dan Charles (@nprdancharles) about sensitive information in the cloud, the focus is on both customer knowledge and corporate decision making. This is a story about farmers allowing the big agricultural companies like Monsanto and John Deere to gather sensitive, detailed information on their entire cycle of crop management. There are questions posed about cloud security, farmer knowledge of technical risks, and the use of the data to potentially manipulate markets.

The farmer says (I’m paraphrasing): “I don’t have a problem with them gathering this information. They’re my partner.” The companies say: “We will always protect the information and we would never share it or manipulate markets.” Does this tune sound familiar?

I’m explicitly not calling into question Monsanto or John Deere’s decision making because I have no knowledge of it, unlike the CEO above. I’m calling attention to the issues that are swirling around us and a continued ignorance of consumers and many corporations. As digital business rises, more failures will mount until understanding and decision making improve across the board.

Accepting risk is always a legitimate business decision, but it is only defensible if it follows a serious consideration of the attendant risks. You can’t just stay willfully ignorant and say “we accepted the risk.”

Security by heroes doesn’t work anymore. “IT risk is business risk” is not just a platitude anymore. Business decision makers can’t remain disconnected from a proactive consideration of technology and privacy risks as they engage in digital business.

I applaud NPR for their stories and I hope to see others in the press keep after these issues.


Information Security Headlines are Misleading

by Paul Proctor  |  February 11, 2014  |  2 Comments

The headlines are schizophrenic. One day it is “Oh no! Oh no! We’re all gonna die!” and the next day it’s “What? Me worry?” The more dangerous of these are the headlines that suggest that we are all going to be fine, because the FUD may be annoying, but organizations are always seeking an excuse to ignore the problem.

While both extremes should be expected from a profit-driven, eyeball-grabbing press, there is a very practical reality somewhere in the middle that should not be ignored. Neither of the extremes really supports appropriate levels of attention on this critical topic. Here are a few examples from very recent headlines that mislead.

“Information Security? What Security?”

“Forget Prevention, says Venture Capitalist Ted Schlein, Focus on Limiting Damage” says the subtitle below the headline. This is a videotaped interview published in the Wall Street Journal on February 11, 2014 with some transcription that includes these gems, ripe for misinterpretation by a non-subject-matter-expert reader (AKA everyone reading the article).

“I’m a firm believer there are only two kinds of companies—those that have been breached and know it, and those that have been breached and don’t know it.” – Ironically, he has worked FUD into a commentary that most people will interpret as you are wasting your time with security.

“Most of what we do in security is around prevention, prevention, prevention. Great. Just know it won’t work. Know that they’re going to get in.” – This is one of those mixtures of fact and fiction that is completely misleading. “…just know it won’t work” is not at all true, and it gives decision makers license to reduce security investment in a very bad way. I believe he is trying to say that there are new and exciting technologies to address security that don’t focus exclusively on prevention. What it sounds like he’s saying is that prevention is a waste of time.

“You ought to be thinking, ‘Hey, I want to find out where they are as fast as humanly possible, contain it and remediate it.’” – Then he follows up with a confirmation that yes, he did mean that prevention is a waste of time. So you can skip all that vulnerability patching! Just drop all the defenses and remediate compromised machines! Remember that this is coming from a VC who has likely invested in some of those companies that provide these capabilities.

“How Cyber-Security Laws are Outdated”

In this article, also published in the Wall Street Journal on February 11, 2014, Mike McConnell, former director of the National Security Agency and of National Intelligence, talks about the details of the NSA’s surveillance program and tells how Edward Snowden stole classified information from the agency. Basically, his focus on nation-state hacking and on public-private information sharing, combined with a headline that suggests our cybersecurity laws are out of date, just creates a jumble of information that would leave most people saying “what, the what?”

“Gartner: CIOs Deprioritize Security” and “CIOs Downgrade Cybersecurity”

In these two blog posts (which were highlighted in the Journal’s CIO Journal) from mid-January 2014, WSJ reporter Michael Hickins (@Michael_Curator) seizes upon Gartner’s own CIO study, which discusses the relative priority of cybersecurity versus all the other priorities a CIO addresses. He notes: “Security ranks at #8 on the list of strategic priorities ranked by CIOs; 10 years ago it ranked as the top priority…”

Full disclosure: he quotes Gartner’s own Dave Aron, who was a co-lead on the study. But as Dave tells me, he never left the impression that security was not important to CIOs, even though that is the impression the headline gives. Evidently Michael thought it was a noteworthy enough observation that he repeated it in a blog post the very next day.

The bottom line: Headlines are made to grab eyeballs, I get that, but information security and IT risk are critical topics that are going through a sensitive, and in many ways fragile, cultural shift. These misleading headlines are not helping.

The WSJ is not the only media source doing this. I just read the WSJ every day so this is where I pulled my examples.


Think Sochi is a Cyber-War Zone? Try Your Local Library.

by Paul Proctor  |  February 6, 2014  |  10 Comments

Richard Engel and NBC News recently posted several reports from Sochi, Russia based on an “experiment” they did.

I applaud them for bringing attention to the critical condition of cybersecurity, but the report is misleading in two major respects. First, they have positioned it as though simply turning on your mobile device or computer will result in your being “hacked.” To quote Brian Williams introducing the story:

“If <travelers to Sochi> fire up their phones at baggage claim, it’s probably too late to save the integrity of their electronics and everything inside them. Visitors to Russia can expect to get hacked. It is not a matter of if, but when.” This is an overstatement and misleading.

Second, most everything they describe in the story is equally true at your local Starbucks as it is in Sochi. In doing so they miss the opportunity to present a more accurate picture of global security, as opposed to the “evil Russians.”

Researching this blog post, I wrote down a lot of the quotes from the story but I have decided it would bore all of you to walk through them. Here are a few that tell the tale:

  • “<after plugging in brand new machines> it doesn’t take long for someone to TRY to tap into your <device>” and “within a minute hackers were SNOOPING around TRYING to see how secure the machines were.” – So reconnaissance is confused with turning on your machine and becoming hacked.
  • “…and very soon I was sent a CUSTOMIZED PHISHING email.” – I have 3 customized phishing emails sitting in junk mail right now. So do you.
  • “We did a little browsing and almost immediately landed on a site that infected our brand new phone.” – So they had to surf to an infected site for the demonstration. Those pesky Russian hackers! I’m glad that website won’t infect me if I click on it from San Diego.
  • “<known as a> ‘honeypot,’ an attractive target, left out in the open for hackers to come at.” – So they created an open and attractive target, then reported that it attracted interest? Knock me over with a feather.

And here is the biggest mislead of all: none of this requires you (or the hackers) to be in Russia. In fact, I’ll bet the “Russians” they were hacked by were smart enough to route their traffic through compromised machines in China. That would have been an interesting and ironic twist, but it would detract from the story line.

Basically, they had to make all these bad things happen, none of it was location dependent, and they waited until the very end to mention that maybe you shouldn’t click on links you don’t recognize from people you don’t know.

Here’s the bottom line: NBC missed an opportunity to point out that you are not really “safe” anywhere and that your behavior is the deciding factor in your risk of being hacked regardless of location.

I would encourage Richard Engel and NBC News to repeat the same experiment in a local library anywhere. Those same “Russians” are right there, waiting for them… and you.
