Q&A: Andrew Walls, Research Director, Gartner Australia

The fourth annual Gartner IT Security Summit kicks off this month and SC met with Andrew Walls, Gartner's local security analyst, for a sneak peek at the event's hot topics.

Andrew Walls, Gartner's local security analyst, reveals data leakage and cloud computing will be hot topics during September's Gartner IT Security Summit.

What's different this year?
Walls: “We are trying a slightly different approach this year: we are holding a one-day security Summit in Singapore on the Friday before, simply because our Asian audience doesn’t want to travel to Sydney and our Sydney office doesn’t want to travel to Singapore.

“Each of these markets has different priorities so in certain categories, for example in London, identity management is big stuff. We tend to feature more on identity management topics.”

What do Australian audiences look for?
Walls: “In Australia, we tend to have more of a comprehensive coverage of security but with a practical focus. We have very little theoretical discussion and we don’t tend to focus too much on what’s going to happen in ten years’ time. We focus on what you need to be secure today and what you anticipate in the next 18 months.

“There is a similar focus in Singapore, but [because] they are not cutting-edge adopters Gartner needs to go into a lot of issues. There is not as much of a technology focus. Each place is somewhat different.”

What are the big issues this year?
Walls: “The top issue at the Sydney Summit is data security. In general it’s a high line issue for everyone. We’ve seen a lot of very public data security failures over the past couple of years; part of that’s due to the breach disclosure laws of the US, making it impossible to hide these things anymore.

“We haven’t seen that much happening here in Australia but that doesn’t mean it hasn’t been going on. Being a security person I assume that these terrible things are happening here but nobody talks about them. But, I might be wrong, maybe we’re not.”

Why is data security the big issue?
Walls: “Data security in general is a big issue, primarily because it’s showing up the limitations of a purely technological approach to security. Much of the emphasis in the market in the last five years or so has been on buying new technology to solve your problems, but people are seeing in graphic detail that technology is not sufficient.

“It is a necessary part of a security program but it has to be coupled with good education programs; with compliance programs and with the things that work on user behaviour. This is motivating many of our clients to get much more serious about taking security upstream into the business and not seeing it purely as an IT concern.

“Our more mature clients, particularly in the Australian area, now have personnel that are permanently deployed in business divisions as employees to work on security risk, to liaise with the business, to interpret policy and figure out the best way to do business in a secure fashion. Which is a good sign of maturity; it means that security is moving out of the back room and becoming just a normal part of risk management in a normal business.”

Does data security also include identity management and access control?
Walls: “Most definitely. In fact, we’re featuring a number of talks on identity management. Identity and access management are the bedrock of most security infrastructure and process use. It’s simply fundamental; at the same time, companies can often get it wrong.

“Particularly as users require more and more transparency and identity management protocol they don’t want to carry three different security tokens and have five different passwords and so forth.

“[Companies] are looking for a more seamless interaction with systems. So that’s motivated a constant chase on the part of the security professionals to find a better way to do things and that doesn’t necessarily need technology, sometimes it’s process.

“It’s finding that right blend of human behaviour and technological systems to provide the user with seamless security. Identity and access management is critical of that.”

What about risk management?
Walls: “Managing security compliance and risk is a higher end portion of the Summit. It’s looking at the issues of how you actually manage a risk program, how do you build security as a business topic and how do you integrate it to your other operational risk, business risk, technological risk and management strategies. So it’s much more about management of functions.”

Is cloud computing an area of interest?
Walls: “I’m bringing in an analyst who specialises to a certain extent in that area, Neil McDonald. Cloud computing is becoming a big phrase [but] we’ve been talking about computing in the cloud for 15 years.

“There’s still a big debate about what it exactly means and the taxonomy definitely gets confused because different vendors come up with their own interpretations of what it means, so there’s not a single definition. You can say the Web and everyone knows what you’re talking about. Part of that is because it doesn’t really fully exist at this point. Part of it does, and it’s growing.

“I’m nervous about cloud computing and I tend to want to specify aspects of it. So software-as-a-service is an example of a cloud computing implementation and that sort of issue will come up a lot when looking at in many of the talks.

“We’re actually looking at things like, how do we provide security for software-as-a-service or, if you’re outsourcing storage to data centres all over the world, how do you actually secure your data in that environment? There are many talks that touch on these issues and try to show way of how you can take your current security approach and transform it to meet the needs of these new environments.

“I get a little tired of the marketing fight over who owns the concept. Let’s get on with the business of security and not worry too much.”

What about a virtual environment?
Walls: “We will be discussing virtualisation in a very practical sense in terms of how do you provide security assurance in a world consumed with virtualised servers, virtual desktops and so forth.

“Neil McDonald takes a very refreshing look at the impact of virtualisation and how we can still provide security, in fact how we can enhance security through use of virtualisation. We see it as an opportunity for applying virtual security infrastructure not just as a server.

“I’ll be speaking about some of the issues around the virtual environments social status such as Facebook and their impact on security in businesses. We have several businesses in Australia who are making greater and greater use of these sorts of environments go.

“[Furthermore], as petrol prices fluctuate, as cost of transport fluctuates, more and more businesses are starting to look at the idea of remote business. Should we be doing video conferencing? Should we be using Skype for phone conferencing rather than flying to Canberra for a meeting? Should we simply all get together in a virtual simulated conference room and have our meetings that way?

“There is a lot of exploration and experimentation in that space. We need to look at how do we secure this and how do we provide a confidential platform for that kind of interaction?