Gartner Blog Network


Getting Cybersecurity to Work isn’t Going to Work without Doing the Work

by Earl Perkins  |  January 2, 2015  |  6 Comments

I thought it would be appropriate to start off 2015 by adding my voice to a rising chorus from advisors, consultants and others in the cybersecurity industry with a short and simple message. We as an industry cannot help you if you’re not willing to help yourselves. And helping yourselves means you have to do (at the very least) the minimum required to secure yourselves from the most common types of cybersecurity threats and attacks.

Now this may seem to be an obvious comment and you may be wondering “why is he wasting my time telling me this”. I’m taking the time to do so because frankly many of you do not appear to be listening. It may be time to be a bit more blunt and direct. There are and have been reams of research and guidance written and delivered over the years that outline the basic principles and practices to establish cybersecurity strategy, governance, planning, management and operations. Descriptions of these steps to core competence can be found not only in Gartner research but from many other sources. Establishing this core competence for many of you does not require large or expensive purchases of technology and services, nor does it require major shifts or changes in process or organization. But it DOES require a level of discipline, structure and cultural change regarding where cybersecurity fits within your organization and the priority that you give changes that must and should occur. This core competence does require a level of communication and awareness that is apparently not working in its current form of delivery. It requires a level of coordination with service providers, supply chain partners and external parties that does not appear to be taking place.

Let me be as clear as I can be: unless you take these first, basic steps, we cannot help you. As one recent publication reported bluntly, “you can’t fix stupid”. While it is not my intention to insult some of our readers, I need for this core idea to take root– if you’re not willing to establish a basic cybersecurity foundation to counter the most common and predictable threats facing you, no expenditure on technology, process change, organizational change, or outsourcing will solve the more complex and challenging cybersecurity threats that are arising today.

To me, this is the biggest issue today in cybersecurity. The sophistication and volume of attacks are increasing. We can no longer depend upon attackers to simply “reuse” old attack methods and old malware slightly modified to mount new attacks. Operational technology (OT) systems and the Internet of Things (IoT) are using new ideas and approaches along with IT to deliver their services, and those that want to mount attacks on these targets are using new ideas and approaches to deny, disrupt and destroy those services.

If we continue to have to address ALL levels of cybersecurity maturity in an organization, we will fall further and further behind in providing a more united front against these types of attacks. We MUST grow up. We must have a foundation upon which to build a more robust and sophisticated approach to more robust and sophisticated cybersecurity attacks. Having that foundation should be a given. Without it, attackers don’t have to be sophisticated in their approach. They can continue to use the tried and true methods that have worked for decades now to succeed.

Make a New Year’s resolution that you will establish basic cybersecurity principles and practice in your organization. Take the necessary steps to prioritize cybersecurity discipline and DO it. Time is running out, and we have bigger things to address than stupid cybersecurity mistakes. If you haven’t yet modified your risk equation to take into account what is happening in cybersecurity, now’s the time to do it.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: cybersecurity  industrial-automation-and-control-systems  industrial-control-systems  internet-of-things  it-governance  operational-technology  security  

Earl Perkins
Research VP
5 years at Gartner
32 years IT industry

Earl Perkins is a research vice president in the Security and Privacy team at Gartner. His focus areas include identity and access management (IAM), including user provisioning, role life cycle management… Read Full Bio


Thoughts on Getting Cybersecurity to Work isn’t Going to Work without Doing the Work


  1. David Mytton says:

    Do you have any references/resources to link to for your “basic cybersecurity” recommendation?

  2. Earl Perkins says:

    Actually, I do. Within Gartner research, here is a small sample:

    – Security Management Strategy Planning Best Practices (G00223694)
    – Toolkit: Simple Functional Information Security Taxonomy (G00260445)
    – Eight Practical Tips to Link Risk and Security to Corporate Performance (G00264758)
    – Best Practices for Managing ‘Insider’ Security Threats, 2014 Update
    (G00255544)
    – Best Practices for Managing Passwords: End-User Policies Must Balance Risk, Compliance and Usability Needs; Update (G00263956)

    These and many others are updated from research that is over a decade old and continually refreshed. The fact that we work from advice we’ve been giving for decades says something about its adoption rate. I am not saying that a mature, well-structured cybersecurity program is immune to attack. I am saying that a mature, well-structured cybersecurity program has less risk of successful attacks and when they are successful, detection and remediation is swift and damage is minimized much more effectively than in an organization that has no such program.

  3. Mani says:

    Hello Earl,
    It is always pleasure to read/ listen to when you say something. For the 1st time (this year), am reading something extremely candid & it makes perfect sense.
    More often than not, many misunderstand a consultants statements that says “I might not be of great help, unless…” … Well, that gets misconstrued as incompetence, in some aspects..

    But, Bang on.. You just said it..
    Will catch up soon (again)..

    Have a splendid year ahead Earl..

    Cheers,
    Mani.

  4. […] Getting Cybersecurity to Work isn’t Going to Work without Doing the Work [Gartner Blogs] […]

  5. […] Get the rest of the article here: Getting Cybersecurity to Work isn’t Going to Work without Doing the Work. […]

  6. […] Getting Cybersecurity to Work isn t Going to Work without Doing the Work3 Gartner Blogs […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.