These materials can be reproduced only with Gartner's written approval. Such approvals must be requested via e-mail: quote.requests@gartner.com.
Tutorial: Everything I Know About Information Security I Learned From Being an Evil Overlord
The practice of information security is often seen as complex and confusing to the outsider, manager or business
unit liaison who must deal with the security organization and try to understand security issues. In point of fact,
good security practice usually breaks down into a set of relatively simple, 'common sense' principles that security
practitioners apply to any given situation, planning initiative or design task.
The classic "Evil Overlord" from fiction and film is similar to the outsider. He appears to have little idea what
rules and principles to follow and often ends up falling in the volcano or ejected into deep space because he
doesn't seem to have any common sense. In an effort to provide support for these needy Evil Overlords, Peter
Anspach and other contributors put together a list of Rules for Evil Overlords. We will examine a number of
those rules and see how they apply to the practice of information security and seven of its major principles.
The Evil Overlord List is Copyright 1996-1997 by Peter Anspach. If you enjoy it, feel free to pass it along or
post it anywhere, provided that (1) it is not altered in any way, and (2) this copyright notice is attached.
Ray Wagner
© 2004 Gartner, Inc. and/or its Affiliates. All rights reserved. Reproduction of this publication in any form without prior written permission is
forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to
the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the
information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to
achieve its intended results. The opinions expressed herein are subject to change without notice.
01A, SYM14, 10/04, AE
181. I will decree that all hay be shipped in tightly packed bales. Any wagonload of loose hay attempting to pass through a checkpoint will be set on fire.
• Good Firewall Rules
Good security requires that business users, parties to transactions, and even processes and devices be strongly
authenticated before interacting with other resources. Shared access credentials (anyone wearing the regulation
white body armor is admitted) and weak methods of authentication (no picture ID) not only make unauthorized
access possible, they limit the ability of the organization to properly audit and trace such activities.
Ever since the firewall was invented, an arms race has pitted the attackers, who try to pass attacks through the
firewall masquerading as "normal" traffic, against the defenders, who try to recognize disguised attacks via
signatures and monitoring, incorporating these defenses into firewall rules.
A standard method for malicious attacks on protected systems consists of attempting to access accounts,
resources and privileges by using the out-of-the-box default credentials and methods distributed with the system
being attacked. This is often a very successful attack mechanism.
An entire branch of IT that is often considered part of the practice of information security is business continuity
planning, which consists of modeling and creating plans for recovering critical business services in the event of
some kind of disaster or service outage.
Creating policy is one aspect of the practice of information security. Policy creation and education must be
paired with some level of policy enforcement.
Security practitioners will generally suggest that obscurity is not a good security defense. In practice, a
sophisticated attacker who is directly targeting a given resource or system will be able to pierce obscurity
defenses easily. However, obscurity can be used as one layer in a set of defenses which will deter some
undirected or unsophisticated attacks.
1. Defense in Depth
As information systems have become more complex and networking more ubiquitous, providing security has
become significantly more difficult. At the same time, attackers and their methods have become much more
sophisticated at finding and exploiting vulnerabilities in defenses. Many defensive mechanisms are designed to
thwart a single type or class of attack and are thus generally unable to react to new types of attacks, especially
those designed specifically to avoid the defense mechanism. Defense in depth refers to the practice of providing
multiple defenses in layers around the protected resources. Layered defenses are less brittle — an attack that
avoids one defensive mechanism runs into others — and more difficult to attack. An organization that uses
defense in depth around its critical assets also will likely be less affected in the face of a successful attack against
one of those resources, as other resources are less likely to be exposed as a result of the compromise.
Strategic Planning Assumption: By the first quarter of 2005, companies that don't enforce
security policies during network login will experience 200 percent more network downtime
than those that do (0.7 probability).
[Figure: Scan Results]
There are two mechanisms to limit damage from these scenarios: proactive — only allow connection by
computers that are judged to be safe, and reactive — detect the actions of a malicious computer and quickly
isolate it from the rest of the network. A combination of the two strategies will be required to meet the demands
of future threats. Scan and Block: Once infected PCs attach to the internal network, worms can infect all
vulnerable internal PCs and Windows servers within minutes. Since there will always be some internal PCs and
servers that are in vulnerable states, security policies need to be enforced before network connections are
established. The basic protection requirement is a scan of the system as it attempts to connect to the network and
a block of network connection if the scan discovers missing patches, out-of-date antivirus signatures, a
misconfigured or missing personal firewall, or a combination of any of these. A scan after a full network
connection is established is a little too late, as attacks from a corrupted system can begin immediately at
connection. The methods to deploy a scan-and-block process with currently available technology and the depth
of the scan will vary based on whether or not the system is corporate-managed and the method of connection.
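The scan-and-block decision described above, written out as an admission policy. This is an added example, not Gartner's text or any vendor's product: the posture fields, the "lan"/"vpn"/"wireless" connection categories, the "CRIT-" naming for critical patches and the three verdicts are assumptions chosen to show how the depth of the scan and the outcome depend on whether the host is corporate-managed and how it connects.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"              # full network access
    QUARANTINE = "quarantine"    # remediation segment: patch and antivirus servers only
    BLOCK = "block"              # no connection at all


@dataclass
class Posture:
    """Result of the pre-connection scan of one endpoint (constructed record)."""
    host: str
    corporate_managed: bool            # managed hosts run the full agent-based scan
    connection: str                    # "lan", "vpn" or "wireless" (assumed categories)
    firewall_enabled: bool
    av_signature_date: Optional[date]  # None: no antivirus found at all
    missing_patches: List[str] = field(default_factory=list)


@dataclass
class Policy:
    max_signature_age: timedelta = timedelta(days=7)
    critical_prefix: str = "CRIT-"     # constructed naming for critical patches
    remote_connections: Tuple[str, ...] = ("vpn", "wireless")


def evaluate(p: Posture, policy: Policy, today: date) -> Tuple[Verdict, List[str]]:
    """Decide the verdict for one endpoint before it is admitted to the network."""
    findings: List[str] = []
    must_block = False

    # Checks that can be made on any host, managed or not.
    if not p.firewall_enabled:
        findings.append("personal firewall missing or disabled")
    if p.av_signature_date is None:
        findings.append("no antivirus signatures present")
    else:
        age = today - p.av_signature_date
        if age > policy.max_signature_age:
            findings.append(f"antivirus signatures {age.days} days old")

    # Patch state can only be verified by the agent on corporate-managed hosts.
    if p.corporate_managed:
        critical = [x for x in p.missing_patches if x.startswith(policy.critical_prefix)]
        other = [x for x in p.missing_patches if not x.startswith(policy.critical_prefix)]
        if critical:
            findings.append("missing critical patches: " + ", ".join(critical))
            must_block = True   # a wormable hole is never admitted, not even to quarantine
        if other:
            findings.append("missing patches: " + ", ".join(other))
    else:
        findings.append("patch state unverifiable (unmanaged host)")

    if not findings:
        return Verdict.ALLOW, findings
    remote = p.connection in policy.remote_connections
    # Unmanaged hosts connecting remotely cannot be remediated by us, so they are refused;
    # everything else with only non-critical findings goes to the remediation segment.
    if must_block or (remote and not p.corporate_managed):
        return Verdict.BLOCK, findings
    return Verdict.QUARANTINE, findings


def admission_decisions(scans: List[Posture], policy: Policy, today: date) -> Dict[str, Verdict]:
    """Verdict per host for a batch of scan results."""
    return {p.host: evaluate(p, policy, today)[0] for p in scans}


# Constructed scan results for five endpoints attempting to connect.
TODAY = date(2004, 10, 1)
SAMPLE_SCANS = [
    Posture("laptop-01", True, "lan", True, date(2004, 9, 29)),
    Posture("laptop-02", True, "vpn", True, date(2004, 9, 10), ["KB-1234"]),
    Posture("laptop-03", True, "lan", True, date(2004, 9, 30), ["CRIT-0042"]),
    Posture("guest-pc", False, "wireless", False, None),
    Posture("contractor", False, "lan", True, date(2004, 9, 30)),
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        verdict, why = evaluate(scan, Policy(), TODAY)
        print(f"{scan.host:10} {verdict.value:10} {'; '.join(why)}")
```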
The most "common sense" of all information security principles is most likely the Principle of Least Privilege,
which states that any user, process or resource within the organization or interacting with it should only have
access to the minimum set of organization resources (processes, users) necessary to execute its function. In
simpler terms, every resource within the organization should only be usable on a "need to know" basis. All
organizational access controls, from file permissions to centralized identity management to digital rights
management to even physical security, are designed to implement the Principle of Least Privilege. Least
privilege was merely a difficult problem in the batch processing era, when only the computer operator was
allowed into the machine room. With networked digital resources, however, completely meeting the Principle of
Least Privilege has remained an extremely difficult to near-impossible task, and it has gotten more difficult as
business needs have required even greater levels of openness of data.
Client Issue: What business issues drive the identity and access management solution?
Decision Framework: Companies will use multiple products to manage the complexity of user
authentication and authorization in a heterogeneous environment.
As intranets, extranets and corporate Internet access evolve, security will become an even bigger issue than it is
today. Access by more users, from more locations and using more types of devices will become the norm.
Identity Management: The capability to manage (create, modify, delete) all user accounts, user profiles and so
forth that can be identified with each person across the heterogeneous IT environment via a combination of user
roles and business rules. Also, the capability to abstract and automatically correlate data from HR, customer
relationship management, e-mail systems (and other "identity stores") and from the managed systems. Fulfilment
is accomplished in a variety of ways: in response to a self-service request, for example, self-registration; a line
management request, for example, the manager has a new employee starting on a certain date, or an existing user
needs access to an existing application; a change in an HR system, for example, employee termination; or a bulk
load for purposes of a new application or merger/acquisition.
Access Management: The capability to manage (across multiple target systems) an access control policy (or
policies), including both policy administration and enforcement.
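The identity management fulfilment just described, as an added example that is not part of the Gartner text: user roles derived from business rules (department to roles to entitlements), with an HR change (termination, future start date) and a line-management request driving the actions, plus detection of orphan accounts that have no HR record at all. The departments, roles, entitlement names and HR records are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Business rules (constructed): department -> roles, role -> entitlements ("system:group").
DEPARTMENT_ROLES: Dict[str, Set[str]] = {
    "finance": {"employee", "ledger-user"},
    "engineering": {"employee", "developer"},
}
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "employee": {"email:mailbox", "intranet:reader"},
    "ledger-user": {"erp:ledger-ro"},
    "developer": {"scm:committer"},
}


@dataclass
class HrRecord:
    user_id: str
    department: str
    status: str        # "active" or "terminated"
    start_date: date


@dataclass(frozen=True)
class Action:
    kind: str          # "create", "grant", "revoke" or "disable"
    user_id: str
    entitlement: str = ""


def desired_entitlements(rec: HrRecord, today: date,
                         requests: Dict[str, Set[str]]) -> Set[str]:
    """What the person should hold today: role-derived entitlements plus approved requests."""
    if rec.status != "active" or rec.start_date > today:
        return set()   # terminated, or not yet started: nothing at all
    wanted: Set[str] = set()
    for role in DEPARTMENT_ROLES.get(rec.department, set()):
        wanted |= ROLE_ENTITLEMENTS[role]
    return wanted | requests.get(rec.user_id, set())


def reconcile(hr_feed: List[HrRecord], current: Dict[str, Set[str]],
              requests: Dict[str, Set[str]], today: date) -> List[Action]:
    """Compare desired state with what the managed systems hold and emit fulfilment actions."""
    actions: List[Action] = []
    for rec in hr_feed:
        wanted = desired_entitlements(rec, today, requests)
        held = current.get(rec.user_id)
        if held is None:
            if not wanted:
                continue   # e.g. a future hire: account is created on the start date
            actions.append(Action("create", rec.user_id))
            held = set()
        if not wanted:
            actions.append(Action("disable", rec.user_id))   # termination: disable, then strip
        for ent in sorted(wanted - held):
            actions.append(Action("grant", rec.user_id, ent))
        for ent in sorted(held - wanted):
            actions.append(Action("revoke", rec.user_id, ent))
    # Accounts with no HR record are orphans: the ex-employee who kept an e-mail account.
    known = {r.user_id for r in hr_feed}
    for uid in sorted(set(current) - known):
        actions.append(Action("disable", uid))
        for ent in sorted(current[uid]):
            actions.append(Action("revoke", uid, ent))
    return actions


# Constructed HR feed, current account state and one manager-approved request.
TODAY = date(2004, 10, 1)
HR_FEED = [
    HrRecord("alice", "finance", "active", date(2001, 3, 5)),
    HrRecord("bob", "engineering", "active", date(2004, 10, 15)),   # starts in two weeks
    HrRecord("carol", "finance", "terminated", date(1999, 6, 1)),
]
CURRENT = {
    "alice": {"email:mailbox", "intranet:reader", "scm:committer"},  # moved from engineering
    "carol": {"email:mailbox", "intranet:reader", "erp:ledger-ro"},
    "dave": {"email:mailbox"},                                        # no HR record at all
}
REQUESTS = {"alice": {"erp:ledger-rw"}}   # line manager: access to an existing application

if __name__ == "__main__":
    for action in reconcile(HR_FEED, CURRENT, REQUESTS, TODAY):
        print(action.kind, action.user_id, action.entitlement)
```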
28. My pet monster will be kept in a secure cage from which it cannot escape and into which I could not accidentally stumble.
The primary challenge of the security practitioner in assessing a security system is to find vulnerabilities and
"fix" them. The principle at work in this scenario is that the security of a given system is only as good as the
weakest link. Therefore, only by fixing the weakest link can the security of the system as a whole be increased. Of
course, this does not mean that vulnerabilities in "stronger" links should not be fixed, but it does point out the
importance of being able to identify strong and weak areas of a security system, so as not to concentrate on areas
that are unlikely to be attacked. Good security is built on a firm foundation of security policy, security
standards/architecture, security culture and security technologies — any flaws in the lower levels will undermine
the effectiveness of security technologies you may deploy.
Unfortunately, a corollary to the Principle of the Weakest Link is that, very often in security systems, people are
the weakest link. Organizations often expend significant resources on security awareness training, key employee
background checking and security systems that remove responsibility for security from users.
Building Your Defenses
[Figure: defense layers, listed from the foundation up: Security Policies and Plans; User, Admin. and Management Education; Physical and Organizational Security; Technical (IT) Security; Auditing/Review]
Defenses are built in layers and must start with clear, consistent, comprehensive and enforceable security
policies that are written in a security plan. Management, users and administrators must be trained on the policies
themselves, as well as on general security issues. If users understand the security issues, they are more likely to
comply with them or take note of suspicious behavior. The single strongest defense against social engineering is
education.
Security plans must be coordinated with physical/organizational security. It's common for a terminated employee
to have his or her building keys taken away, but keep an e-mail account or intranet access. Many social
engineering attacks depend on some kind of a physical breach; no firewall can protect a server in an unlocked
closet that an attacker can access directly.
After physical and technical issues are addressed and coordinated, the entire system must be regularly audited
and reviewed as the company evolves. This review must be incorporated into the security plan and operations,
including user education as appropriate.
166. If the rebels manage to trick me, I will make a note of what they did so that I do not keep falling for the same trick over and over again.
Security for information systems is a complex problem, the possible solutions to which are often counter to the
business goals of the organization. Security may be perceived as a cost center or as an inhibitor to the
achievement of business goals. At the same time, security is not a commodity like air conditioning or phone
service, because modern information systems are extremely complex and not standardized. Good security is not
a box that can be easily checked off for the lowest price — there may be many different ways to provide the
necessary security for a system. The objective of the organization is to provide system security commensurate
with the risks to the given system, and this requires experience and expertise.
Strategic Planning Assumptions: By 2005, 65 percent of the Global 2000 will staff a chief
information security office for the centralized development of information security policies,
standards and guidelines (0.8 probability).
Client Issue: What does a successful information security organization look like?
The CISO connects business process/policy directives and technical security. In the real-time enterprise,
companies must expand their security architecture to cover links with customers, trading partners and suppliers.
In centralized organizations, an administrator can handle thousands of users with a user provisioning tool, but
that is not true of e-business, where entire classes of users will administer their own access control rules. For
B2B, mechanisms that allow delegation of security administration to customers are required. For B2C,
self-service capabilities, such as self-registration and password reset, must be offered to keep the company profitable
and competitive.
As companies move more revenue into e-business channels, information security risks increase. They must
develop skills, tools, mechanisms and procedures to identify, isolate and correct information security attacks. A
computer incident response team must be able to respond to an incident within 30 minutes of detection. Proper
architecture, administrative procedures and emergency response processes will provide the new e-business
venture with lower risks.
Action Item: Establish a CISO office to ensure a formal business program will protect the company's
information assets. Centralized policy development/distributed implementation is a successful recipe.
If security will ever be a requirement for a system, then it is best identified as a requirement early in the system's
design stage. It is easier to build an information system around a core of simple security functionality than to
attempt to graft security on top of a "finished" system right before or even after deployment. Unfortunately, large
numbers of systems are created in just this fashion, because system designers and implementers (logically) think
first about the new functionality that the system will deliver, rather than the security issues around all possible
uses of that functionality. Systems built and deployed in this way can, when security finally becomes an issue, be
subject to:
• More complex (and less secure) security systems, because security must adapt to the designed systems,
rather than vice versa. More complex systems will likely exhibit more unexpected vulnerabilities.
• Backward insecurity — if the system has reached deployment before security is implemented, there may
be backward compatibility issues that guarantee that some insecurity will persist.
• System redesign — often, systems designed without consideration for security are so difficult to secure
that major reengineering is necessary in order to implement security.
[Figure: Development Phases, with Security Modeling, Defect Tracking, Security Testing and Load Testing placed along them]
As the National Institute of Standards and Technology demonstrated in its 2002 study, "The Economic Impacts
of Insufficient Infrastructure for Software Testing," removing a software defect after a system is operational can
cost two to five times more than if the defect were fixed during final quality assurance (QA) testing. This study
emphasized that removing those defects during code and unit tests can reduce the cost impact by an additional
factor of between three and 20. Although defects ideally would be removed as early as the requirements analysis
and architectural design phase, Gartner estimates that if 50 percent of software vulnerabilities were removed
prior to production use for purchased and internally developed software, business configuration management
costs and incident response costs would be reduced by 75 percent each.
The cost of fixing vulnerabilities and regression testing the repaired code can be reduced by a factor of at least
three by detecting security errors during code and unit tests, compared with finding errors during integration
tests. By detecting commonly made coding errors during this phase, companies also can provide feedback to
other modules still in design and early coding to avoid repeating the same mistakes.
One problem: We estimate that there are only 500 software engineers with the skills and knowledge necessary to
scan code specifically for security problems efficiently and effectively.
6. Be Paranoid
The practice of information security is by definition detail-oriented. A truly secure system is one in which every
possible threat has been assessed and every vulnerability has been identified and closed. Attackers can generally
be assumed to have significant time and resources at their disposal with which to probe for malicious entry
points. System designers think long and hard about how their systems will be used by people or processes that
are trying to use them correctly — they may spend significantly less time thinking about how their systems
might be "used" by people or processes that are trying to maliciously attack them. For this reason, the
information security practitioner must be paranoid about both assessing systems for vulnerabilities and about
considering every new kind of threat discovered in the context of his or her organization's security profile.
Strategic Imperative: Information security threats will remain constant throughout the
planning period; businesses need to take a comprehensive, defensive view in an attempt to
achieve due care.
[Figure: threat hype cycle as of January 2004, showing "Phishing", Spam, Spyware, Peer-to-Peer Exploits, DNS Attacks, Viruses, Cyberterrorism, Identity Theft, Xeno Threats, Hybrid Worms, Zero-Day Threats and War Chalking]
Zero-day attacks are now being "hyped" — these occur before patches and signatures are available. eXtended
Enterprise Networks Overseas (Xeno) threats are anticipated because of increased outsourcing. Few viruses are
found on personal devices, but it is only a matter of time before these become more exploited. Spyware
programs probe systems and report user behavior to an advertiser or other party without the user's knowledge.
"Phishing" tricks users into revealing information, such as passwords, user IDs or credit card details, to
masquerading sites. Spam consumes resources and can lead to other problems. Instant messaging and other
peer-to-peer programs, which seek out any open port, can put networks and information at risk. Spim (unwanted
commercial messages delivered via instant messaging) is just emerging. Loss of confidence attributed to
speculated cyberterrorism has peaked and, barring new physical attacks or further evidence of cyberterrorist
activity, will remain static. Cyberterrorism hype causes more loss of confidence than actual attacks.
Organizations must protect wireless LANs, as they are prone to simple "find and mark" theft of service
techniques that can lead to loss of confidential information if targeted systems are unprotected. Hybrid worm
threats have moved rapidly through the hyperbole. Identity theft is a rampant and growing cybercrime. Viruses
remain a constant source of problems. Directory network service, social engineering and denial-of-service
attacks are almost unfashionable in terms of hype, but remain dangerous threats that organizations must address.
Action Item: Organizations should evaluate the changing threat landscape in the context of their specific
defensive requirements. As threats mature, so do defenses.
Simple systems are easier to deploy, manage and maintain. They are also easier to secure. Unfortunately,
information systems and organizational IT environments tend to become larger and more complex over time. It
is important, therefore, for the security practitioner to continually identify ways to simplify systems, processes
and practices and to campaign for simplification efforts within the organization. There are several general
themes within this principle:
• Consolidation — any situation where multiple resources can be combined or redundant resources retired
reduces the complexity of the system as a whole. Consolidation has weaknesses as well, especially where
redundancy may be a security factor.
• Risk reduction — simpler, lower-value deployments not only reduce risk but also provide best-practice
education that will benefit later, higher-value deployments.
• Replacement — newer technologies, when mature, often provide better functionality at less cost. This is also
true for security technologies.
• Automation — a policy that can be enforced automatically, even if it requires time to get exactly right, will
work better in the long run than a policy that requires manual intervention.
Each new wave of technology disrupts existing security measures and introduces new vulnerabilities. Each new
technology in security, privacy and risk follows the Hype Cycle. Determining when to adopt an emerging
technology is a critical decision. If the technology is adopted too soon, the company will suffer the pain and
expense of an immature technology. If the technology is adopted too late, the company runs the risk of being left
behind by competitors that have made the technology work to their advantage. In the case of information
security, failing to deploy defensive solutions at the right time can leave the organization vulnerable. Delays in
identity, authentication and access control products or services can leave the business in a catch-up mode
regarding business opportunity.
Action Item: Investing in an overhyped technology too early can result in a complete waste of security funds.
Organizations should focus on their business needs and threat assessment to prioritize security needs. This
analysis should be combined with the Gartner Information Security Hype Cycle to deflate the hype spread by
security product and service vendors.
Thanks to:
The Evil Overlord List©
www.eviloverlord.com
Peter Anspach: Compiler and Chief Overlord
and all of its evil contributors