Gartner Blog Network

Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.

Updated Research on AppSec Testing

by Ben Tomhave  |  February 2, 2015

As of January 30th, we have an updated paper out titled “How to Perform Application Security Testing for Web and Mobile Applications” (GTP subscription required). Following is the summary from the document: “Application security testing remains a critical application security practice for developers, testers and security team members. This document explains how to implement three […]


You Can’t Fix Stupid: Renewed Calls For Cybersecurity Legislation (U.S.)

by Ben Tomhave  |  January 14, 2015

(yes, I’m feeling a bit cheeky today;) As you’ve undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertainment (SPE) got hacked? If you’ve not heard, check out the mainstream press coverage here: President Obama’s Letter to the House of Representatives SECURING CYBERSPACE – President Obama Announces New […]


Sonys and Targets and Heartbleeds! Oh My!

by Ben Tomhave  |  January 9, 2015

Now that we can soundly close the book on 2014, it’s perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of “major, earth-shattering” vulnerability disclosures, etcetera etcetera […]


Facebook and the Derpness of Enabling Their 2FA

by Ben Tomhave  |  December 1, 2014

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and take over my account. This led me to conclude that now would be a good time to quit putting off enabling 2-factor authentication […]


Updating GTP’s DLP Coverage

by Ben Tomhave  |  November 12, 2014

It’s been a couple years since the last update of our DLP coverage. In the process of updating it this go-round, I’ll be taking the reins from Anton Chuvakin and picking up primary coverage of DLP for the SRMS team. In addition to revising the existing documents (Enterprise Content-Aware DLP Solution Comparison and Select Vendor […]


Recent GTP Security Research

by Ben Tomhave  |  November 12, 2014

Before resuming delving into any philosophical meanderings about infosec or info risk mgmt, I wanted to first highlight some recent research for you all. All of the following require a GTP subscription (go here to contact us if you’re interested in getting access). 2015 Planning Guide for Security and Risk Management 02 October 2014 G00264325 […]


Writer’s Block and the Long Summer

by Ben Tomhave  |  November 5, 2014

It’s been several months since I last posted here, and for good reason. For one thing, June-October tends to be a blur. It started off with Gartner’s Security & Risk Management Summit over in National Harbor, MD, followed by a couple weeks of vacation, a week of sales support, a couple weeks of catch-up, then […]


Things That Aren’t Risk Assessments

by Ben Tomhave  |  July 24, 2014

In my ongoing battle against the misuse of the term “risk,” I wanted to spend a little time here pontificating on various activities that ARE NOT “risk assessments.” We all too often hear just about every scan or questionnaire described as a “risk assessment,” and yet when you get down to it, they’re not. As […]


Three Epic “Security” Mindset Failures (“ignorance is bliss”)?

by Ben Tomhave  |  May 6, 2014

I saw this graphic a couple weeks ago while trolling Flickr for CCby2.0-permissioned images and it got me thinking… there are a number of mindset failures that lead us down the road to badness in infosec. Consider this an incomplete list… As long as [monitoring/SIEM] is happy, you’re happy. As long as [auditor/checklist] is happy, […]


New Research: Security in a DevOps World

by Ben Tomhave  |  April 30, 2014

Hot off the presses, new research from Sean Kenefick and me titled “Security in a DevOps World,” which is available to Gartner for Tech Professionals subscribers at Some of the key takeaways from this research include: Automation is key! AppSec programs must find ways to integrate testing and feedback capabilities directly into the build […]
