Blog post

On Security Maturity and Being Realistic

By | March 14, 2017 | 3 Comments

For the last week or so, a lot of my inquiries remain sun-tanned with the post-RSA Conference 2017 glow that is “We need some of that machine learning, please”. In fact, it’s been more common than “We need some of that next-gen AV, please”. One of the recurring phrases* I have been using is “You should be planning from the inside out, not outside in”: what does your organization need to do to improve its own security maturity? You’re heading toward a bad time if you’re making tactical purchasing decisions based on vendor claims instead of addressing the requirements and gaps in your security strategy (you do have a strategy, right?).

Think about realistic threat models that actually apply to your organization, and spend less time thinking about protecting against the next media-hyped cache of zero-day kernel threats.

So, how can you figure out what is the right next step? What can you realistically do that will actually improve your security? Rather than allowing the “hot” security startup of the day to define security investments, evaluate existing investments, policies, and processes to determine where they are deficient. You should be thinking about how mature your security controls are, and what will take them to the next level. More often than not, hiring staff will allow you to accomplish more than deploying another system.

Mario de Boer – Research VP in the Gartner for Technical Professionals team – has an excellent upcoming research paper and tool-kit that will not only help identify where your organization ranks on a security maturity scale, but also help you understand what policies and security controls are implemented at the next level on that scale. If you really are still stuck for what to do next, then I bet there is always work to be done in your patch and vulnerability management.

In the meantime, I noticed a small trend through February of EPP vendors publishing quick guidelines on how to protect against an attack vector that is still growing in use: abusing Microsoft PowerShell. (Although, IMO you should be preventing the use of PowerShell, except for those user accounts that actually need it…)

Note: These are just examples. Other EPP vendors are able to provide this protection in varying ways, this isn’t endorsement… etc etc, yadda yadda..


* Other recurring phrases include:

  • What does “next-gen” AV mean to you? You probably already have shiny “next-gen stuff” in your existing EPP.
  • Don’t let talk of zero-day threats distract you from the bigger picture.
  • Yes, that NSS Labs report was interesting, but it’s only useful as one data point of the highly pixellated image that is “right for your organization” protection.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • An excellent post — new competition for Gartner top blogger rosters [sadly, I just undermined myself by RT’ing this post :-)]

  • Grace Chung says:

    Great post! Thanks for this balanced view.

  • Great post – one thing I constantly notice with organisations of all sizes is the lack of adequate internal controls. You correctly mention companies always wanting the latest, greatest tech… perhaps they should actually correctly configure what they already have!

    I’ve lost count of how many times I’ve come across a security appliance or software where an administrator has literally clicked next, next, finish and thinks their organisation is now safe. Without correctly understanding the current security posture, how can any organisation correctly identify future requirements?