Gartner Blog Network

On Security Maturity and Being Realistic

by Ian McShane  |  March 14, 2017  |  3 Comments

For the last week or so, a lot of my inquiries remain sun-tanned with the post-RSA Conference 2017 glow that is “We need some of that machine learning, please”. In fact, it’s been more common than “We need some of that next-gen AV, please”. One of the recurring phrases* I have been using is “You should be planning from the inside out, not outside in” – what does your organization need to do to improve your security maturity? You’re heading toward a bad time if you’re making tactical purchasing decisions based on vendor claims, instead of addressing the requirements and gaps in your security strategy (you do have a strategy, right?).

Think about realistic threat models that actually apply to your organization, and spend less time thinking about protecting against the next media-hyped cache of zero-day kernel threats.

So, how can you figure out what the right next step is? What can you realistically do that will actually improve your security? Rather than allowing the “hot” security startup of the day to define security investments, evaluate existing investments, policies, and processes to determine where they are deficient. You should be thinking about how mature your security controls are, and what will take them to the next level. More often than not, hiring staff will allow you to accomplish more than deploying another system.

Mario de Boer – Research VP in the Gartner for Technical Professionals team – has an excellent upcoming research paper and tool-kit that will not only help identify where your organization ranks on a security maturity scale, but also help you understand what policies and security controls are implemented at the next level on that scale. If you really are still stuck for what to do next, then I bet there is always work to be done in your patch and vulnerability management.

In the meantime, I noticed a small trend through February of EPP vendors publishing quick guidelines on how to protect against an attack vector that is still growing in use: abusing Microsoft PowerShell.  (Although, IMO you should be preventing the use of PowerShell, except for those user accounts that actually need it…)

Note: These are just examples. Other EPP vendors are able to provide this protection in varying ways; this isn’t an endorsement… etc etc, yadda yadda.


* Other recurring phrases include:

  • What does “next-gen” AV mean to you?  You probably already have shiny “next-gen stuff” in your existing EPP.
  • Don’t let talk of zero-day threats distract you from the bigger picture.
  • Yes, that NSS Labs report was interesting, but it’s only useful as one data point of the highly pixellated image that is “right for your organization” protection.

Category: endpoint-protection  

Tags: powershell  

Ian McShane
Research Director
1 year at Gartner
16 years IT Industry

Ian McShane is a Research Director/Analyst in Gartner Research, Security and Risk Management - Digital Workplace Security. Mr. McShane's area of expertise includes endpoint protection platforms (EPP), endpoint detection and response (EDR), and he assists organizations choosing strategic vendors, security products and services, and implementing best practices.

Thoughts on On Security Maturity and Being Realistic

  1. An excellent post — new competition for Gartner top blogger rosters [sadly, I just undermined myself by RT’ing this post :-)]

  2. Grace Chung says:

    Great post! Thanks for this balanced view.

  3. Great post – one thing I constantly notice with organisations of all sizes is the lack of adequate internal controls. You correctly mention companies always wanting the latest, greatest tech… perhaps they should actually correctly configure what they already have!

    I’ve lost count of how many times I’ve come across a security appliance or software where an administrator has literally clicked next, next, finish and thinks their organisation is now safe. Without correctly understanding the current security posture, how can any organisation correctly identify future requirements?


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.