Saturday, July 13, 2024

Lessons from the Gartner Security & Risk Management Summit

What are the important trends regarding business risk and all things cybersecurity? Here are my top takeaways from the Gartner conference I attended this week.  

While many of my security industry colleagues headed west to the RSA Conference in San Francisco this past week, I headed east (from Michigan) to the 2022 Gartner Security & Risk Management Summit. While RSA attracted over 26,000 attendees, including more than 600 speakers, 400 exhibitors and over 400 members of the media, the Gartner conference chair told me that about 4,200 people attended the event held in National Harbor, Md.

But before I dive into some of my major takeaways, I want to provide some context and (a ton) of helpful resources and valuable links.

To start, I highly recommend going to the Gartner Newsroom here. You will find daily summaries from top sessions along with materials and insights that usually cost thousands of dollars to obtain.

Here are a few key takeaways worth reviewing:

Day 1 Highlights

  • Opening Keynote: Cybersecurity 2032: Accelerating the Evolution of Cybersecurity
  • Outlook for Cloud Security
  • What Security Needs to Know and Do About the New AI Attack Surface

Day 2 Highlights

  • Top Trends in Security and Risk Management
  • The Key Drivers for CISO Effectiveness
  • The Top Cybersecurity Predictions for 2022-2023

Day 3 Highlights

  • The Multigenerational Workforce in Security
  • Outlook for Privacy, 2022-2023
  • Security Strategy Planning Best Practices

Cyber Budget Trends

  • Gartner Survey Reveals Marketing Budgets Have Increased to 9.5% of Overall Company Revenue in 2022
  • Budgets Build Back, But Lag Pre-COVID-19 Levels
  • CMOs Confident On Brand Capabilities, But 58% Lack In-House Resources

Interestingly enough, Friday’s stock market selloff was also featured in this CNBC article, which discusses job cuts in cybersecurity — especially among startups. Here’s an excerpt:

“Nothing has lowered Cybereason’s expectations for growth. Rather, the continuing rise in ransomware attacks has forced its clients to bolster spending on security systems, putting the security software company ahead of schedule when it comes to revenue.

“But Cybereason is cutting costs anyway, confirming last week that it’s laying off 10 percent of its workforce, or about 100 employees. The reductions follow the dramatic swing in the economy this year and the beating that software stocks have taken on the public market.”


My favorite session at the conference this week was “The Top 10 Cybersecurity Value Metrics Every Organization Should Use.”

Paul Proctor started off by telling the audience that Gartner was wrong for many years when they told organizations that no one can tell you what metrics to use. They were also wrong when telling CISOs (and others) to never use operational metrics with executive decision-makers.

Now, Gartner says they can tell us exactly what metrics to use.

Historically, organizations have tended to report on the metrics they have, such as the number of threats or emails blocked. Also, few people knew what executives wanted to hear beyond “no breaches,” which is not practical.

Now, metrics need to be “outcome-driven,” which is a term we used in Michigan government back in the 1990s and is apparently coming back. Metrics need to inform priorities and investments, align to business outcomes, support differentiated investments across the organization and reflect cybersecurity outcomes.


I won’t walk through all the recommended metrics here, but here are a few:

  1. Mean time to remediate incidents (MTTR)
  2. Operating system (OS) patching cadence
  3. Third-party risk decisions
  4. Policy exceptions expired and unremedied
  5. Endpoint protection
  6. Recovery testing – core systems
  7. Cloud security automation
  8. Access – zero-trust multifactor authentication
  9. Security awareness training for staff
  10. Phishing training – click-through rates

To get the details and benchmarks recommended, you will need to talk with Gartner, but this list does provide a helpful guidepost to see what we should be measuring and benchmarking against peers to have a sense of “due diligence or due care.” This will become even more important moving forward as C-suite executives are graded on their preparation prior to cyber attacks like ransomware.
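To make the "outcome-driven" idea concrete, here is an added Python example (mine, not code from the article or from Gartner's session) that computes four of the metrics listed above from incident, patch and policy-exception records: MTTR over closed incidents, OS patching cadence against an assumed 30-day SLA (hosts still unpatched after the window count as misses rather than being silently dropped), expired-but-unremediated policy exceptions, and the phishing click-through rate. The record shapes, the SLA value and all sample data are constructed for illustration; Gartner's actual benchmarks are not on the page and are not reproduced here.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


# Hypothetical record shapes; a real ticketing or patch system would export something similar.
@dataclass
class Incident:
    ident: str
    detected: datetime
    remediated: Optional[datetime]  # None means the incident is still open


@dataclass
class PatchRecord:
    host: str
    released: datetime             # vendor release date of the patch
    installed: Optional[datetime]  # None means the host has not been patched yet


@dataclass
class PolicyException:
    ident: str
    expires: datetime
    remediated: bool


def mean_time_to_remediate_hours(incidents):
    """Mean hours from detection to remediation; open incidents are excluded."""
    closed = [i for i in incidents if i.remediated is not None]
    if not closed:
        return None
    return mean((i.remediated - i.detected).total_seconds() / 3600 for i in closed)


def patching_cadence(records, sla_days=30, as_of=None):
    """Return (median days from release to install, share of hosts that met the SLA).

    An unpatched host is measured as of `as_of`, so it never looks better than it is."""
    as_of = as_of or datetime.now()
    days, met = [], 0
    for r in records:
        end = r.installed or as_of
        elapsed = (end - r.released).days
        days.append(elapsed)
        if r.installed is not None and elapsed <= sla_days:
            met += 1
    if not days:
        return None, None
    return median(days), met / len(days)


def expired_unremediated_exceptions(exceptions, as_of):
    """Count policy exceptions whose expiry has passed without remediation."""
    return sum(1 for e in exceptions if e.expires < as_of and not e.remediated)


def phishing_click_rate(delivered, clicked):
    """Click-through rate for a simulated phishing campaign (0.0 if nothing was sent)."""
    return clicked / delivered if delivered else 0.0


# Constructed sample data (not real incidents or hosts).
AS_OF = datetime(2022, 6, 10)
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2022, 6, 1, 9), datetime(2022, 6, 1, 13)),   # 4 h
    Incident("INC-2", datetime(2022, 6, 2, 10), datetime(2022, 6, 3, 10)),  # 24 h
    Incident("INC-3", datetime(2022, 6, 5, 8), None),                       # still open
]
SAMPLE_PATCHES = [
    PatchRecord("host-a", datetime(2022, 5, 1), datetime(2022, 5, 11)),  # 10 days, met SLA
    PatchRecord("host-b", datetime(2022, 5, 1), datetime(2022, 6, 5)),   # 35 days, missed
    PatchRecord("host-c", datetime(2022, 5, 1), None),                   # 40 days and counting
    PatchRecord("host-d", datetime(2022, 5, 15), datetime(2022, 5, 20)), # 5 days, met SLA
]
SAMPLE_EXCEPTIONS = [
    PolicyException("EX-1", datetime(2022, 5, 31), remediated=False),  # expired, open
    PolicyException("EX-2", datetime(2022, 5, 31), remediated=True),
    PolicyException("EX-3", datetime(2022, 7, 1), remediated=False),   # not yet expired
]


def scorecard():
    """Assemble the metrics into the kind of summary a CISO could put in front of executives."""
    median_days, sla_share = patching_cadence(SAMPLE_PATCHES, sla_days=30, as_of=AS_OF)
    return {
        "mttr_hours": mean_time_to_remediate_hours(SAMPLE_INCIDENTS),
        "patch_median_days": median_days,
        "patch_sla_compliance": sla_share,
        "expired_exceptions_open": expired_unremediated_exceptions(SAMPLE_EXCEPTIONS, AS_OF),
        "phishing_click_rate": phishing_click_rate(delivered=200, clicked=14),
    }


if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name}: {value}")
```

The point of the SLA handling is the one the session made about reporting what you have versus what matters: an average over patched hosts alone would hide host-c entirely, whereas measuring the unpatched host as of today keeps the metric honest about exposure.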


There were many other great sessions, including a keynote from CrowdStrike on the evolving 2022 cybersecurity threat landscape. They covered their recent report found here.

I also gained a better understanding of what cybersecurity mesh is all about, which will be the topic of another blog later this year. Cybersecurity mesh is one of the top trends for 2022.

Finally, I liked this material from a conference session on how cyber leaders can prepare for the future.
