
The Other Security Chasm

By Anton Chuvakin | April 05, 2019 | 3 Comments


You guys recall my security chasm post from 2014? Because clearly some of you obsessively reread what I wrote 5 years ago … not 🙂

That post basically built on an idea of security “haves” and “have-nots” that some of my industry colleagues created. While many associate the “security have-nots” with small businesses, there are in fact many large organizations with an information security team of ONE and perhaps still a few with a security team of NONE …

However, over the years, I became aware of yet another chasm in the industry. A few recent encounters really made this chasm more visible. Here are two fictitious quotes to explain this chasm:

[I] “We prefer a managed service since we don’t have enough people to INSTALL AND RUN a commercial SIEM.” [this is really not about SIEM, just an example]

[II] “Ah, that’s the tool you sell? Actually, our engineers can WRITE A BETTER TOOL and/or assemble it from open source in the time you typically spend to close a large deal.”

This tweet from Richard also summarizes it well (it was my inspiration for this post … eh … 5 months later):

Naturally, I tend to see a lot more of [I] in my work than [II], but the main point is that these organizations essentially exist in parallel universes. Perhaps this has significant overlap with the other chasm, but IMHO this also has different aspects to it.

We have organizations lacking resources to RUN a well-supported (eh … just say “supported”, Anton…) commercial tool. And by the way, I do mean RUN rather than “run, operationalize and use effectively.” They do not have the people to install a tool and to keep it running. I’ve met people who say they don’t have time to install and configure a basic log management tool! On the other edge of the chasm, we have organizations with resources to WRITE tools superior to many/most commercial tools. They would think nothing of modifying an open source tool to better fit their requirements and, in fact, making it better for others in the process.

What bothers me even more is that much of the advice given by people from [II] organizations won’t work at all at a [I] organization and will in fact sound condescending, offensive and/or idiotic. “Use more open source” sounds smart to people from [II] organizations (“Hey, we don’t have to write this code, Kafka does pretty much this already, we just need to tweak it here and over here”), but it sounds like “100X more work than we have people for” to a [I] organization. Even the advice “adjust/tune the tool X you already have to do useful things in other areas” occasionally falls flat for the same reason: no people, no skills, no time.

What does it mean? As I explore in this post, I suspect that this will eventually boost the chances of quality MSSPs and MDRs, as well as SaaS-delivered security tools (despite this). This also serves as a grim reminder to vendors: most organizations don’t have time for you and your niche tools…

P.S. If you have to ask, this has nothing to do with orcs.


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Arian says:

    Excellent. Totally agree. Can’t wait to catch up with you on this subject!

  • Jason Keirstead says:

    It’s an interesting observation and one I have seen forever and a day as well.

    However, one thing to point out about the II group, and it ties into why security data lake projects always tend to fail…. Because I would argue that the II group is also the group who tend to go on these “data lake adventures”. The point I want to raise is this – open source can get you far, and in fact almost all commercial tools rely significantly on open source under the hood. However, there are a lot of “non-sexy” parts of a successful SIEM/data lake/UEBA toolchain that open source is not going to get you far on… things like log parsers, data cleansing, data normalization. Open source is not going to help you with these non-sexy tasks… the kinds of tasks that people will only do if they are paid to do it… by a commercial company.

    That is why you can string together a bunch of open source into a hyper-scale data lake and hunting tool, very easily. But good luck trying to get any real value out of the data inside without commercial help because you likely won’t have the time or money to pay dozens of folks to write parsers and correlation scripts for the next 12 months on top of your open source to get it where it needs to be…