'Perfect protection' a myth, says Gartner
Enterprises need balance between security and freedom to innovate
There is no such thing as 'perfect protection', meaning that enterprises need to find a balance between maintaining acceptable levels of security and allowing business innovation, according to Erik Paulak, managing vice president of research at Gartner.
But speaking at Gartner's Middle East Security and Risk Management Summit today, Paulak explained that the Middle East focuses too much on "keeping the bad guys out," and not enough on "letting the good guys in." With this, he was alluding to the fact that box solutions to security - such as firewalls - were still highly popular in this region.
While acknowledging the need for some security equipment, Paulak said that other approaches also needed to be taken, lest the organisation stifle competitive innovation in the name of preserving security.
"The vast majority of money is being spent on traditional security. CIOs in this region are too focused on traditional perimeter defences," he said.
"You need to have the basics covered, but you also need to invest in user awareness, as well as reaction - what do you do in the event of an attack? The focus needs to come towards mitigation, not just perimeter defence."
In terms of "having the basics covered," Paulak admitted that, in the ever-changing world of security threats, there can be no guarantee of protection against an attack. However, he claimed that basic principles that have been around for 20 years would still cover up to 80% of an enterprise's security needs.
For example, he said, employees should not be allowed to use passwords such as '123456789'. Indeed, he said that there should be processes in place that actively prevent people from doing so. Another basic that he said a lot of enterprises fail to cover is keeping all their software patches up to date, while another could be simply taking a closer look at how privileges are managed.
"It's critical to instil these best practices - you always have choices you can make to improve security and control costs," he said.