Gartner Blog Network


On Wild Security Maturity Overestimation

by Anton Chuvakin  |  November 13, 2017  |  1 Comment

Want to know the absolute #1 insight I have learned in 6+ years of working at Gartner? No jokes, this is serious!

Any guesses from the audience?

In any case, here it is: there is a huge number of organizations that are way, way, way worse at information security than even your wildest, most pessimistic view of the world allows for. And I mean “sit there, get depressed, then get really depressed, then think of a number of organizations with minimal security … then multiply it by a factor of 2” type of stuff.

We are talking about stuff like this (all representative fakes, NOT real quotes):

  • How do you spell SIEM? (ok, perhaps this one is a real question)
  • What is this new technology called DLP?
  • Can you recommend a SIEM that requires no work at all?
  • Why can’t we just use a firewall?
  • What do you mean by “we need to patch 3rd party applications too”?
  • How to convince our management that we need a vulnerability scanner?
  • Why do we need to collect (!) all those logs, it seems awfully hard?
  • We are a $1b organization and we just hired a security guy. Do we need another one?
  • (and of course, the absolute winner!) We patch Windows twice a year, is this often enough?

However, I see a lot of journalists and “shallow analysts” bounce around numbers like “38% of organizations use security orchestration tools” and other comedy like that. Recently somebody said that “most organizations will soon have a security data lake” and I thought “riiiiiight.”

Typically, these numbers are driven by mindless surveys of the kind that produce results like “73% of respondents prefer teleportation to driving.” Even some of our own surveys often show excessive tool adoption that is not validated by real life. I’ve seen really hilarious tech adoption polls that vendors commissioned, so that they essentially deceived themselves at their own expense.

An astute reader may opine that some of this is driven by selection bias (“I pick 3 people at random among my friends, and they know my name, ergo all humans on Earth know me by name”) and not by sheer idiocy, but frankly I think this is worse than that. Selection bias alone cannot explain some wild views of overall security maturity across organizations that you can find out there.

So, Anton, what is your message here? It is this: dear vendors, don’t build and sell products based on stupid assumptions and an incorrect fact base – most likely, much of the world is NOT ready for your technology. If you want to make it ready faster, prepare to pay big bucks to educate and evangelize. Get better facts, and do NOT learn about the world from the media – talk to real technology users (or to analysts who talk to real users).


Category: philosophy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on On Wild Security Maturity Overestimation


  1. Matthew Gardiner says:

    Fully agree… This is why “basic” security controls like cloud-based email security services are growing at 30%+, but all those other “cutting edge” techs are not. The vast majority of organizations need and can only handle complete services and not science experiments!


