ORLANDO -- Gartner Symposium and ITXpo -- Security Now is on the road again. After a week in Orlando for Microsoft Ignite, we’re back in The City Beautiful for Gartner Symposium/ITExpo, an annual gathering of CIOs, CEOs and executives eager to learn what the future holds for their IT operations. Security will be a big part of the proceedings and we look forward to bringing you the news on the Big Next in IT security.
As I type this on Monday morning, though, the word "security" has taken on a new importance. The word from Las Vegas is grim: the current news is more than 50 are dead and more than 400 have been wounded by a shooter who decided that spraying bullets into a crowd was the correct response to... something. As the hours flow by, there will be more news, there will be analysis, there will be predictable political responses and predictable outrage. That much I know. What I don't know is whether there will be lessons learned that can be applied in order to make future gatherings more secure.
It's impossible to pretend that this will be just another week. When a hole the size of the one blasted open in Las Vegas is ripped into our collective lives, it leaves profound lingering pain and a vivid scar. Yes, this conference will go on (as business, school and life will go on for millions of Americans), but not precisely as was planned 24 hours ago.
One notion that I'll write about today, and will talk about with people here all week, is the notion of friction. A security leader I spoke with several months ago talked about "differential friction" as a key concept in security. That is, you ideally want to make things as difficult as possible for the bad guys, while making things as easy as possible for legitimate users and people just living their lives. Unfortunately, in the rush to respond to a catastrophe, many of the initial suggestions have the effect of throwing sand into the gears driving every process and event.
Bruce Schneier has written a great deal about "security theater" -- actions and processes that are designed to make people feel more secure while doing little to actually improve security. We've been trained to believe that security must be intrusive, bothersome and inefficient. Therefore, if we inject intrusion, bother and inefficiency into the system, users will think that they’re being made more secure.
In IT security there are a number of problems with security theater, not the least of which is that it provides both users and business executives with the illusion that they (and the organization) are far more secure than facts would support. The illusion can lead to complacency and complacency leads, in more cases than not, to new and devastating breaches that are the cause of new reaction and a whole new cycle of theater and illusion.
I truly hope that officials and managers will allow their organizations to learn from this horrific event. After the wave of grief has crested and crashed all around us, there will be time for reflection and new ideas.
Here at Gartner, the morning started with a moment of silence. I'll be back with more information on what the analysts and guests have to say about security and the enterprise. Until then, I'll ask: What do you think the lessons from Gartner will be this year? What's your take on the flow of security?
— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.