Gartner Blog Network

It Doesn’t Matter How Many Raindrops There Are, It is All About How Wet You Get

by John Pescatore  |  March 26, 2009  |  5 Comments

Greg Young of Gartner posted here about the sorry state of security – but is that really the case?

Before there was postal mail, all fraud and scams were done in person. Of course, there were a lot fewer transactions because everyone had to be near each other to transact. Once postal mail came along, mail scams followed and fraud went up – but transactions went up faster.

Once the telephone came along, telephone scams came about and grew tremendously – but transactions grew faster. As soon as they had office phones, employees started calling sex lines and accepting calls from fraudsters – but business use of telephones increased the business bottom line faster. When the mainframe penetrated businesses, users and admins found ways to access and misuse data – but the business value went up faster.

Once dial up modems came about, computer scams and viruses started up – but business value went up faster. Once high speed Internet/wireless LANs/Web 2.0/etc. etc. happened, more malware/viruses/scams/fraud – but transactions go up faster. And so it goes.

The total number of attacks or malware is meaningless – it's all about the percentages. If the number of people with a disease increases 5% but the total population increased 10%, is the problem getting worse or getting better? Online commerce has led to an explosion of exposure incidents, but a bigger explosion in revenue.

In many industries there are decades of evidence that a loss of revenue of roughly 2-3% due to crime and fraud is typical. That loss is generally equally split between the actual loss of revenue and the cost of the controls required to keep the loss at that level. As new forms of fraud come up the number goes up a bit, then the controls are adapted and the total loss of revenue stabilizes again.

Technology, threats and businesses are not going to stand still, and users are not going to become security experts in the cyber-world any more than this has occurred in the physical world. Heck, Bernie Madoff ran the oldest scam in the book and took people for $50B – and really didn't need a single computer hack to do so.

It's all about getting more efficient (consuming fewer resources) to deal with the old threats and getting more effective (applying resources more quickly) in dealing with emerging threats – that's how we get things back to an acceptable level of impact to the business bottom line. Businesses that get out of balance in either direction (avoid attacks but reduce business too much / incur too many attacks but no business restriction) both have unsuccessful security programs. The total number of threats in the universe or the total number of column inches publicizing attacks are for entertainment purposes only.



John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on It Doesn’t Matter How Many Raindrops There Are, It is All About How Wet You Get

  1. Kevin Rowney says:

    This is an excellent response to the recent outbreak of blog posts claiming the info-sec sky now falls. There are plenty of reasons to be optimistic and it's just basic realism to embrace the manageable risks that come together with the huge benefits of information technology.

    And anyway, it's just never productive to forecast maximum doom. Like John Dutra at Sun says, "The quickest way to become irrelevant in any conversation is to say 'the sky is falling'."

    Of course, there is plenty of room for improvement. Breach rates are high and rising. Malware capabilities are advancing rapidly. There are many skirmishes between enterprises and bad guys where the bad guys come out on top.

    I remain optimistic because of: A) ongoing new advances in technical capabilities, and B) new trade-craft; both point towards a future where the rising tide of breach events can be stemmed and where the malware-driven perimeter incursions can be kept to a tolerable level of damages relative to the (enormous) benefits that a connection to a network provides.

  2. Rob Lewis says:

    I think that part of the problem in achieving that balance is the disconnect between the language of business operations and resulting rules, and that of IT security policies.

    I think what is needed post authentication is an authorization component that has traditionally been missing, and for that authorization component to be successful, it should incorporate the language and rules of business operations.

  3. That authorization component hasn’t been missing – what today we call Web Access Management has long had that capability. Many of them would use logic to try to implement business rules of the sort “Platinum resellers are allowed this level of access, Gold only this level.” Today there are efforts to capture this logic in XML syntaxes and schema, but I don’t think that is the biggest part of the problem.

    The major issue is the vast and largely unresolvable difference between security policies and business rules. For example, at 0900 today the business could decide that the line between Gold and Platinum changes from $100k sales/month up to $150,000 because there are too many Platinum resellers. Oh, and that reseller in South America has been screwing us on large deals, so they will still not be allowed access to this area…

    That’s why I always draw a major distinction between “Let the Good Guys In” and “Keep the Bad Guys Out” – major different drivers.

  4. Rob Lewis says:

    Well, I hope that you will find some value in a technology that does resolve the vast and largely unresolvable difference between security policies and business rules.

    With our solution, the business rules ARE the security policies. The example you gave could be handled in a straightforward manner with a few rule changes, by changing any parameter for inclusion into a certain user group, and with a simple deny access rule to your South American reseller.

  5. Naithan says:

    It's all about acceptable risk. The sky falls daily and then the sun shines again. A big bad breach happens, we all cry and hug, spend money, and then forget until the next one. That's the cycle. Acceptable risk is business specific. FUD helps no one. Mainly because FUD is reactionary. It is just irresponsible to practice risk in a reactionary manner as if you are managing server availability. This is where IT sec has to be understood as a business practice much more so than its other IT counterparts. If FUD is used to drive awareness and culture then we have all lost. FUD isn't even the point anymore, or at least it shouldn't be, because IT Sec is a mature practice now.
