Q&A: Gartner analyst talks about 25 years of network security

Like many industry analysts, Gartner's John Pescatore got his start working hands-on with technology. He began his career at government agencies, including the U.S. Secret Service, then spent 11 years at GTE. Now a vice president and Gartner fellow, covering security and privacy, Pescatore recently discussed his beginnings in IT with Network World Senior Editor Denise Dubie and revealed how he has watched the hot market evolve over more than 25 years.

Tell me about your start in IT security.

I came right out of college in 1978 and went to work for the government at the National Security Agency. That was before network security and computer security; it was all about information security and communications security. From there, I stayed in the government for about another four years and went to work for the U.S. Secret Service, where I still worked building secure systems. Nobody back then called it an IT department, but we were building IT systems for specific uses in law enforcement in that case.

Then I left the government and went to private industry, working at GTE for 11 years. I worked there mostly as a defense contractor building secure computing systems for the intelligence community. That job had a lot of worries about secure computing systems before the Internet, such as things called the Orange Book and NSA requirements for multilevel security. That was in the 1985-to-1990 time frame.

What made you decide to move from working with technology to doing market analysis and advising others?

Working in that world, I realized even back then that security people were making this way too complex. And back then the world of computers was basically [Digital Equipment Corp.] VAXes and dumb terminals, which was beyond the mainframe but was still only DEC VAXes and dumb terminals, and the PC was just starting to come onto the scene. That is what influenced me to say, wait a minute, if security can only keep saying no to the business, then it is going to fail. That is what we saw happening in the government world of multilevel security. It just failed and went away. So after working at GTE for 11 years, both on government projects and working with the commercial side of GTE on projects, I realized it was time for a change for me. But I did some work with vendors that opened my eyes too.

What did you do on the vendor side of the business?

I worked for security-product vendors for three years, in the firewall and PKI industries, running consulting groups, helping companies set up security policies, architecture and organizations. And once again it reinforced for me that people in security were saying no and trying to stop things from happening, instead of saying, here's how we can do what the business needs to do securely.

The second thing I learned was the security-vendor industry was taking this approach called defense in depth. What that means to security vendors is a message to customers saying, keep spending on everything you were spending on and buy me, too. And I thought, this is crazy. Most of the times when you're doing consulting you're telling people, wait a minute, in the name of defense in depth you have three products doing basically the exact same thing. That's why in 1999, I went to Gartner.