Gartner Blog Network

Network Security Worst Practices (Part 2, Friday the 13th Edition)

by Andrew Lerner  |  November 13, 2015  |  Submit a Comment

What better time to talk about worst practices than Friday the 13th? Back in January, we published research (and a blog) on the 12 network security worst practices. These “dirty dozen” include:

  • Shiny new object syndrome
  • Culture of no
  • Insufficient focus on users and business requirements
  • Defense with inadequate depth
  • Organizational misalignment
  • Suboptimal branch architecture
  • Security blind spots
  • Uncoordinated policy management
  • Noncompetitive vendor selections
  • Hazardous network segmentation
  • Inadequate end user education
  • Inadequate security event management

For each “worst practice”, we provide a definition and real-world examples, identify their impact, and provide specific guidance to avoid them. Here’s an example (a snippet from the published research):

Security Blind Spots (AKA “Not my job” and “my hardware can’t handle SSL decryption”)

Gartner observes that specific functional areas within an organization’s infrastructure have significant security gaps. In particular, IT security tends to focus strictly on IP security, not the more holistic IT security. Common examples where security is too thin include:

Most security gaps are already known by the security team, but have not been addressed because of other priorities. This problem has played a major role in some well-publicized and high-impact breaches.

Action: Perform regular penetration tests to uncover gaps and highlight the risks associated with attacks caused by security blind spots. Update existing security metrics to include risks related to security gaps. Create specific metrics for security coverage that highlights insufficient visibility in order to defend the business case for specific funding. Consider detection and response as well as preventative controls when architecting security solutions. See “Agenda Overview for Information Security Technologies and Services, 2015” and “A Guide to Security and Risk-Related Hype Cycles, 2014.”

Regards, Andrew

Note:  We will be publishing a new “worst networking practices” note within the next month or two also…

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: culture  networking  security-of-applications-and-data  waf  

Tags: network-security  

Andrew Lerner
Research Vice President
6+ years at Gartner
21 years IT Industry

Andrew Lerner is a Vice President in Gartner Research. He covers enterprise networking, including data center, campus and WAN with a focus on emerging technologies (SDN, SD-WAN, and Intent-based networking). Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.