Gartner's John Pescatore on 2010 Threats, Trends

Know what scares security expert John Pescatore the most? The image of a remote employee sitting in a home office or public setting, plugging into an unsecured network, accessing critical data via a personal laptop or PDA.

Organizations have never had so many security risks in so many remote locations, says Pescatore, VP and Distinguished Analyst with Gartner, Inc. Mitigating these risks will be among the primary challenges for information security leaders in 2010. In a discussion of security trends, Pescatore offers insight on:

Emerging threats;
Emerging solutions;
The role of education and training to help meet security needs.

Pescatore has 31 years of experience in computer, network and information security. Prior to joining Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems, where he started and managed security consulting groups. His previous experience includes 11 years with GTE, as well as employment with NSA and the U.S. Secret Service.

TOM FIELD: What are the top information security issues facing businesses and government agencies as we look to 2010? Hi, I'm Tom Field, Editorial Director with Information Security Media Group. I'm talking today with John Pescatore, Vice President and distinguished analyst with Gartner Inc. John, thanks so much for joining me.

JOHN PESCATORE: Sure, good to be here.

FIELD: John, just to start out, why don't you tell us a bit about yourself and the types of issues you are most focused on these days at Gartner?

PESCATORE: Sure, well my background: I've been in security for something like 31 years now. I went to work for the National Security Agency right out of college in the late '70s. I worked for NSA and the Secret Service and then 11 years for GTE and telecom security, and a couple of years with security vendors, and then here the past 10 years with Gartner. So I have a pretty broad background in security.

At Gartner we have 25 analysts in the security practice, and many of them focused on individual specialty areas within security. I tend to work in the threat area and the areas that pull together multiple security disciplines like dealing with some of the business process changes and threat changes that break the older type systems and the older approaches to security.

FIELD: Now, John, everybody from the president on down this year is talking about cyber security. What do you see as the top information security issues that face businesses and government agencies as we head into the New Year?

PESCATORE: Well, I think there are new challenges and there are some continually old challenges. I mean, one consistent question or message we get from Chief Information Security Officers is around security metrics and trying to answer the CEO or the CIO question, "Are we safe?" You know, that is still a very hard question to answer. It's hard to express that in business terms. There have been a lot of tries just treating security like you would treat other business risks like financial risk, and that hasn't worked.

So I think one major challenge that continues for CISOs is just demonstrating the value of the cyber security or information security program, but also trying to give a dashboard look at "Are we safe? Are there problems coming? Are we spending too much or too little?" Now that is a continuing problem.

However, there are two very new challenges. What we're seeing happening right now is certainly the threats have changed, but also business processes and the demands put on the IT organization and the information security organization are changing at the same time. At the same time that threats are getting more targeted, the business, even government agencies, are demanding that users be allowed to use home PCs, their own smart phones, iPhones and the like, being allowed to work from home, being allowed to use social networks, use consumer grade things like Google apps and Skype and the like.

So at the same time that the threats are getting more focused, IT is being forced to relinquish some control over the hardware and software and services that users use to get the business done and touch privacy related information and critical business processes. So dealing with those two challenges simultaneously, we're targeted deeper threats and having to give up some levels of control. That, I believe, is the major challenge facing security programs today.

FIELD: John, a few minutes ago you mentioned threats. Which threats concern you the most these days?
