Gartner: We don’t need security superheroes

Businesses and their IT security departments need to be on the same page, so that problems are prevented before security superheroes' have to put out the fire.

This was one of the messages from a Gartner analyst meeting today in London.

Research vice president Jay Heiser said that, in the past, security was managed through superheroes' who were good at reacting when something bad had already happened, but useless at preventing incidents in the future.

"Something bad happens, they come riding in fix the problem and then back away," he said. "We still need some of those people, but what we really need more than these cartoon characters are committees."

"Committees are the mechanisms where we overcome the artificial segregation inherent in today's organisations," he added.

Committees would allow information security to be properly aligned and integrated with business needs.

Earlier, another Gartner research vice president Tom Schultz explained that if IT security did "bridge the gap" and integrate with the rest of the organisation, then security could be improved even if companies were spending less.

He said that businesses may have actually overspent on security in the past, for example going for best-of-breed security products, rather than cheaper solutions that were all they actually needed.

"I think it's fair to say there is some opportunity for cost optimisation and improved efficiencies within our organisations," Schultz said.

Rather thinking simply of keeping the bad guys out', it was now a case of being cost-effective' in keeping them out, he added.

"We can implement a lot of controls, but if we have too many controls it is too expensive and ends up being prohibitive for an organisation," Schultz said.

He added that Gartner had seen examples of big organisations with large security budgets that weren't in a good position, usually because they had over-engineered from a security perspective.