Gartner Says IT Security Industry Becomes Proactive As It Advances into the Third Phase of Its Evolution

Gartner Analysts Examine the Future Scenario of Security during Gartner Symposium/ITxpo, October 8-13, in Orlando

ORLANDO, Fla., October 10, 2006 - Reducing security breaches is a key business priority for CIOs, and the security industry is addressing this priority as it moves to the next phase of its evolution, according to Gartner, Inc. This next phase for the security market will integrate security into each new wave of technology when it enters the market, not after a security attack.

Since the personal computer appeared in businesses in the early 1980s, the information security industry has evolved through two phases, and now it is moving into the third phase. Gartner analysts have provided the latest information security scenario during the Gartner Symposium/ITxpo, being held here through October 13.

The first phase of security was typified by dumb terminals, batch processing and centralized planning of applications and IT. Security was maintained by dictating what users could do, and computing power and data were controlled by the IT department.

The second phase of security fell behind user-driven IT trends, and hackers and cyber criminals successfully exploited technology vulnerabilities to impact the business. Security leaders then had to react to each new threat by applying a point product to shield the vulnerability from attacks.

As the security industry moves to this third phase in its evolution, security leaders will be building security into each new wave of technology when it enters the business, as well as into each new business process.

“Going back to the first phase of security is not an option - increased consumerization of IT, increased mobility and new trends such as Web 2.0 mean users will gain more control, not less, at the most successful businesses,” said John Pescatore, vice president and distinguished analyst at Gartner. “This next phase of security is about building security in as the users’ needs move forward, not chasing them.”

Most businesses have approached regulatory compliance with reactive and one-off implementations. More mature organizations have already moved to a more proactive and coordinated implementation to reduce the cost of compliance.

“This third phase of security focuses on protecting customer and business data first and then implementing automated processes and integrated compliance efforts to demonstrate how those security controls satisfy compliance requirements,” Mr. Pescatore said.

Laying the foundation for an integrated compliance and operational risk architecture is key for mature information security organizations. This architecture will enable the elimination of some compliance process controls because equivalent system controls will be inherent in the evolving architecture.

“Before spending a lot on compliance technology, companies should first use a risk assessment to identify which are their key controls and standardize those controls across the business,” Mr. Pescatore said. “Those key controls are where to focus technology investment.”

During this third phase of security, the goal for IT leaders is to keep up with the pace of business while reducing the overall cost of security to the business. IT leaders must have security standards and architectures, so that all new business systems can implement critical security controls and integrate into critical security processes.

“Companies should manage the selection of IT and IT security vendors to focus on the most effective solutions, not the best of breed on a single product basis, but not on a single vendor either,” Mr. Pescatore said. “Choose the best security platforms, while maintaining a separate security control panel to allow fast reaction to new threats.”

About Gartner Symposium/ITxpo

Gartner Symposium/ITxpo is the IT industry’s largest and most strategic conference, providing business leaders with a look at the future of IT. For more than 14,000 IT professionals from the world’s leading enterprises, Gartner’s annual Symposium/ITxpo events are key components of their annual planning efforts. Attendees rely on Gartner Symposium/ITxpo to gain insight into how their organizations can use technology to address business challenges and improve operational efficiency.

In Orlando, an integral part of the Gartner Symposium is the ITxpo showfloor, where more than 150 technology companies are showcasing the latest technology solutions. There are nine ITxpo marketplaces, including business applications and BPM, business intelligence and data warehousing, outsourcing and IT services and security. ITxpo marketplaces are focused areas designed to aggregate solution providers into a specific market and link conference topics to market solutions. Attendees can attend technology company presentations and schedule face-to-face meetings with exhibitors of their choice. Additional information is available at

About Gartner:

Gartner, Inc. (NYSE: IT) delivers the technology-related insight necessary for its clients to make the right decisions, every day. Gartner serves 10,000 organizations, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company consists of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,700 associates, including 1,200 research analysts and consultants in 75 countries worldwide. For more information, visit