Gartner Says Disruptive Technologies Create Continuing IT Security Challenges; IT Leaders Need Sustained Focus to 'Keep the Bad Guys Out', in Opening Session of Gartner IT Security Summit in Washington D.C

Business Wire, June 6, 2005

WASHINGTON -- Spending on security issues as a portion of overall costs for information technology (IT) is leveling off in many enterprises after steady increases for several years, according to Gartner, Inc.

Yet new challenges created by the continuing flow of new technologies in coming years are certain to keep security threats on the list of IT leaders' major concerns, the head of Gartner, Inc.'s security research team said here today during the opening of the annual IT Security Summit.

"Each wave of technology obliterates the security architecture appropriate for its predecessor," Victor S. Wheatman, Gartner managing vice president, said in a presentation today opening Gartner's 11th annual IT Security Summit. The conference, at the Marriott Wardman Park Hotel, runs through Wednesday.

"Enterprises will often rely on outside support, such as consultants and outsourcers, at the onset of any change," Mr. Wheatman said. "Security funding will shift from traditional solution purchaser to a broader, better-defined risk management process involving investment in three objectives: keeping the bad guys out, letting the good guys in, and keeping the wheels on (maintaining operations)."

In the past 20 years, for example, security challenges have arisen in mainframe computing, personal computers, networked PCs, distributed applications running across local area networks followed by external networks, wireless networking devices and Web services.

"Disruptive innovation means the need for information security is here to stay," he said. During the next few years, some major new IT security threats will include phishing, attacks on wireless and mobile devices, spyware, and vulnerabilities in operating systems and voice-over-internet.

Mr. Wheatman advised the audience of IT decision-makers from business, government and non-profit organizations to follow these steps in analyzing emerging or unforeseen security threats when new technologies are brought into their organizations:

--Apply risk assessment to each new business process to determine the appropriate defensive action

--Evaluate the changing threat landscape in the context of your defensive requirements. As threats mature, so do defenses

--Focus on your business needs and threat assessment to set priorities for security requirements. Investing in an over-hyped technology too early can result in a complete waste of enterprise security funds

Most organizations are using regulatory pressures, such as those created by Sarbanes-Oxley financial reforms in the U.S. requiring publicly traded companies to document more details, to fund IT security projects and to better integrate IT security with business units.

This is an ideal opportunity for IT leaders to integrate IT security management with broader business or operational issues, Mr. Wheatman said. He added, however, that spending emphasis must be placed on IT security concerns even as processes are created to comply with new standards for financial reporting, audits and other compliance issues.

"Protect customer data first, then document it, not the reverse," he said. "Compliance changes priorities but shouldn't reduce security. Let management know when generating compliance reports starts to interfere with core IT security operations that could hurt business."

Mr. Wheatman said many enterprises have placed increasing strategic importance on IT security concerns. This is especially true in highly regulated organizations, in which managing information security is considered a vital element of enterprise governance processes. In these organizations, the chief information security officer often reports outside the IT department to a chief financial officer, chief risk officer or chief compliance officer.

"Increasingly, information security is being given greater independence," Mr. Wheatman said.

About Gartner IT Security Conference

Gartner IT Security Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners will deliver unbiased, realistic analysis on the current state of IT security, as well as an independent overview of the market over the next 12-18 months. For more information, please visit www.gartner.com/us/itsecurity.> About Gartner

Gartner, Inc. (NYSE: IT and ITB) is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Research and Events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has over 3,900 associates, including more than 1,100 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.