Like many industry analysts, Gartner's John Pescatore got his start working hands-on with technology. He began his career at government agencies, including the U.S. Secret Service, then spent 11 years at GTE. Now a vice president and Gartner fellow, covering security and privacy, Pescatore recently discussed his beginnings in IT with Denise Dubie and revealed how he has watched the hot market evolve over more than 25 years.
Tell me about your start in IT security.
I came right out of college in 1978 and went to work for the government at the National Security Agency. That was before network security and computer security; it was all about information security and communications security. From there, I stayed in the government for about another four years and went to work for the U.S. Secret Service, where I still worked building secure systems. Nobody back then called it an IT department, but we were building IT systems for specific uses in law enforcement in that case.
Then I left the government and went to private industry, working at GTE for 11 years. I worked there mostly as a defense contractor building secure computing systems for the intelligence community. That job had a lot of worries about secure computing systems before the Internet, such as things called the Orange Book and NSA requirements for multilevel security. That was in the 1985-to-1990 time frame.
What made you decide to move from working with technology to doing market analysis and advising others?
Working in that world, I realized even back then that security people were making this way too complex. And back then the world of computers was basically [Digital Equipment Corp.] VAXes and dumb terminals, which was beyond the mainframe but was still only DEC VAXes and dumb terminals, and the PC was just starting to come onto the scene. That is what influenced me to say, wait a minute, if security can only keep saying no to the business, then it is going to fail. That is what we saw happening in the government world of multilevel security. It just failed and went away. So after working at GTE for 11 years, both on government projects and working with the commercial side of GTE on projects, I realized it was time for a change for me. But I did some work with vendors that opened my eyes too.
What did you do on the vendor side of the business?
I worked for security-product vendors for three years, in the firewall and PKI industries, running consulting groups, helping companies set up security policies, architecture and organizations. And once again it reinforced for me that people in security were saying no and trying to stop things from happening, instead of saying, here's how we can do what the business needs to do securely.
The second thing I learned was the security-vendor industry was taking this approach called defense and depth. What that means to security vendors is a message to customers saying, keep spending on everything you were spending on and buy me, too. And I thought, this is crazy. Most of the times when you're doing consulting you're telling people, wait a minute, in the name of defense and depth you have three products doing basically the exact same thing. That's why in 1999, I went to Gartner.
How did you make the transition?
It was somewhat by accident, like most of my career has been. If you stay in one place long enough, like I was at GTE for 11 years, you take over a lot of responsibility. I managed all our research-and-development funds, and with all our capital equipment and technology investment, I owned the budgets basically. In order to do that job, you really had to be an analyst to decide, OK, I have this amount of money for R&D, capital equipment and software, and we have these business units making these requests, how do I analyze the requests against the business, against our company's needs, against are these projects sufficient and complete. Toward the end of 11 years there, I realized I was not doing engineering. My degree is in electrical engineering, but I was not building anything. I was analyzing what other people want to do, where they saw their own little piece, and I was comparing that against the needs of the big picture. That is how I started making recommendations to the head of our business unit about where we should spend money and how we should think it through. I was writing a lot of reports and researching technologies, so when the opportunity came to become an analyst, I realized they do the same thing, but instead of for one company, they do it for lots of companies.