It's been a few years since I attended Gartner's IT Security Summit. This year's event was held at the beautiful, new Gaylord National Convention Center just outside Washington DC. Great location, some great content, but after a while I have to admit that I get tired of listening to Gartner analysts over and over again. Gartner analysts easily make up 90% of the event's speakers.
A couple of sessions stand out:
- I attended a vendor session sponsored by Fortify Software in which Richard Lansing of Bloomberg discussed his model for evaluating and securing Bloomberg's 25 years of custom applications. Lansing called the model "Pump & Sluice": it was set up to review all of Bloomberg's code, and he likened it to the way gold miners once panned for gold using a sluice. It was a great model that helped to streamline an 18-month process in which code was pumped into an analyzer and then filtered into one of several sluices that identified the code as clean, as having a security issue, as having a coding issue, or as having an unknown issue that was then routed for manual analysis. The analyzer tool was then trained to automatically handle commonly found code issues to speed up the sluice process. At one point Lansing had 32 pumps working. Lansing said that the whole process was streamlined because security at Bloomberg reports to the head of Bloomberg, eliminating the potential bottlenecks and turf wars that come with fighting for the necessary funding.
- I also attended a session by John Pescatore and Jeff Vining that examined the role of video surveillance and convergence. The focus was on the expected evolution of CCTV from reactive to predictive...a great goal for all of security...and the related privacy implications. Vining noted a tug of war between users and vendors, with vendors pushing bleeding-edge applications of video, and that while users were initially interested in those, they ultimately retreated to a more mainstream model for video technology. Vining talked about a lot of pie-in-the-sky stuff for video use in the near term, but it is not necessarily what I think we will see out there until much later. While Gartner is looking for more widespread adoption by 2012, I think it will be much further out. Adoption of the "bleeding edge" is really limited to specific implementations and government uses. This is because the vast majority of implementations are in commercial settings where price is often the ultimate driver, and a cost of $3,000 per camera vs. an average of $250 per camera is going to be a tough sell for the incremental value delivered at the bleeding edge. I found the Gartner look at convergence a little confusing as well, as many of the numbers don't jibe with what I see elsewhere. They focused on convergence as something that would happen broadly within an organization, and I've always seen it as something that happens exclusively at the management level. Their projection that 20% of large organizations will converge physical and IT security by 2012 seems off the mark because I don't believe you'll ever see that wholesale convergence. When, however, IT and physical security report to the same executive leader, I believe the numbers are already higher. Some recent data I have seen indicates that it may already be north of 30% at large businesses and 39% across all businesses.
They did raise some very interesting questions though: the role of data mining in video and the applicability of video in relation to e-discovery issues. Both things to watch moving forward.
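To make the "Pump & Sluice" workflow from the Fortify session concrete, here is a small triage pipeline in the same shape: several pumps run an analyzer over files in parallel, every finding is dropped into a security, coding or unknown sluice (files with no findings are the clean pile), unknowns are held for manual analysis, and the reviewer's verdict is fed back so the analyzer handles that pattern itself on the next pass. This is an added illustration written for this post, not Bloomberg's or Fortify's code; the checker ids, regex checkers, routing table, sample source files and the hard-coded reviewer verdict are all constructed assumptions.

```python
from __future__ import annotations

import re
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from enum import Enum


class Sluice(Enum):
    """Where a finding ends up after the analyzer has looked at it."""
    SECURITY = "security"   # known security weakness
    CODING = "coding"       # known quality or maintainability issue
    UNKNOWN = "unknown"     # checker nobody has classified yet: manual review


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    checker: str
    snippet: str


# The "analyzer": a few regex checkers standing in for a real static-analysis
# tool. Checker ids and patterns are made up for this example.
CHECKERS = {
    "unsafe-strcpy": re.compile(r"\bstrcpy\s*\("),
    "unsafe-gets": re.compile(r"\bgets\s*\("),
    "shell-exec": re.compile(r"\bsystem\s*\("),
    "todo-marker": re.compile(r"//\s*TODO\b"),
    "magic-number": re.compile(r"=\s*\d{3,}\s*;"),
}

# What the team has already decided each checker means. "shell-exec" is
# deliberately absent, so its findings fall through to manual review.
INITIAL_ROUTING = {
    "unsafe-strcpy": Sluice.SECURITY,
    "unsafe-gets": Sluice.SECURITY,
    "todo-marker": Sluice.CODING,
    "magic-number": Sluice.CODING,
}

# Constructed sample input: three tiny C fragments, not anyone's real code.
SAMPLE_FILES = {
    "net/parse.c": "char buf[64];\nstrcpy(buf, input);\nint limit = 4096;\n",
    "util/exec.c": "system(cmd);  // TODO: validate cmd first\n",
    "core/ok.c": "return 0;\n",
}


def analyze(path: str, source: str) -> list[Finding]:
    """One pump: run every checker over one file and return its findings."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for checker, pattern in CHECKERS.items():
            if pattern.search(text):
                findings.append(Finding(path, lineno, checker, text.strip()))
    return findings


class SluiceBox:
    """Routes findings by checker id; unclassified checkers go to UNKNOWN.
    train() records a human verdict so the next run handles that checker itself."""

    def __init__(self, routing: dict[str, Sluice]):
        self.routing = dict(routing)

    def route(self, finding: Finding) -> Sluice:
        return self.routing.get(finding.checker, Sluice.UNKNOWN)

    def train(self, checker: str, verdict: Sluice) -> None:
        if verdict is Sluice.UNKNOWN:
            raise ValueError("a manual verdict must classify the checker, not defer it")
        self.routing[checker] = verdict


def run_pumps(files: dict[str, str], box: SluiceBox, pumps: int = 4):
    """Analyze many files in parallel, then sort every finding into a sluice.
    Returns (paths with no findings at all, {sluice: findings})."""
    clean: list[str] = []
    bins: dict[Sluice, list[Finding]] = {s: [] for s in Sluice}
    with ThreadPoolExecutor(max_workers=pumps) as pool:
        results = list(pool.map(lambda item: (item[0], analyze(*item)), files.items()))
    for path, findings in results:
        if not findings:
            clean.append(path)
        for finding in findings:
            bins[box.route(finding)].append(finding)
    return clean, bins


def demo() -> dict:
    """Two passes: the first leaves 'shell-exec' for manual review, the verdict is
    fed back with train(), and the second pass routes it automatically."""
    box = SluiceBox(INITIAL_ROUTING)
    clean, first = run_pumps(SAMPLE_FILES, box)
    # Stand-in for the manual analysis step: a reviewer decides every
    # unclassified checker seen this run is a security issue (assumed verdict).
    for finding in first[Sluice.UNKNOWN]:
        box.train(finding.checker, Sluice.SECURITY)
    _, second = run_pumps(SAMPLE_FILES, box)

    def counts(bins: dict[Sluice, list[Finding]]) -> dict[str, int]:
        return {s.value: len(v) for s, v in bins.items()}

    return {"clean": clean, "before": counts(first), "after": counts(second)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the feedback step is the one Lansing made: the unknown sluice is where the manual effort goes, and every verdict that is pushed back into the routing table shrinks that pile for the next run, which is what lets the pumps scale up without the review queue scaling with them.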
All in all, Gartner is a fine event but it would benefit greatly by presenting a more diverse set of opinions.