Gartner Security and Risk Summit 2023: Expectations vs. Reality
In a recent blog post, I shared my expectations for the Gartner Security and Risk Management Summit 2023 held in London at the end of September. Now, with the event behind us, let’s reflect on how accurately my predictions aligned with the actual experience.
This year, the summit relocated to London’s ExCeL Centre, which is also home to both Black Hat Europe and Infosecurity Europe. The shift certainly sparked diverse opinions. Despite being necessary to accommodate a growing exhibition hall, the venue admittedly lacked much of the intimacy that the show had in previous years.
I attended the event with a specific interest in hearing more about Gartner’s concept of a Continuous Threat Exposure Management (CTEM) program, and I was not disappointed as this was a consistent theme across the three days, from the opening keynote onwards.
Debunking Key Cybersecurity Myths at the 2023 Gartner Security and Risk Summit
The conference opened with an engaging session looking at four key myths that security leaders need to address to evolve their cybersecurity programs. These were:
- Myth #1: More data equals better protection. “Instead of just more data, savvy cybersecurity shops pursue the least amount of information needed to help draw a straight line between the enterprise’s funding of cybersecurity and the amount of vulnerability that funding addresses.”
- Myth #2: More technology equals better protection. “This is based on another pervasive myth: the idea that just around the corner, some technology is coming to save us. This mindset causes us to buy and acquire solutions before we are quite sure how or whether there will truly be additive value.”
- Myth #3: More cybersecurity pros equals better protection. “There is simply no way to scale our services to match the pace of the enterprise just by hiring more cybersecurity pros.”
- Myth #4: More controls equals better protection. “Employees report a huge amount of friction involved with secure behavior. Controls that are circumvented are worse than no controls at all.”
Some interesting takeaways from this session included the need to focus on a ‘minimum effort mindset’ to drive the maximum impact, which is a more deliberate, ROI-driven approach to cybersecurity. Security leaders know that they cannot do everything, so effective prioritization is critical.
We often see this desire to gather too much information, and it speaks to myths #1 and #2, where tool sprawl and massive security data lakes are an inhibitor of effective decision-making rather than an enabler. As Gartner says, security leaders need to think about the human impact of tool acquisition and how to get to the ‘minimum effective insights’ with the ‘minimum effective toolset’, and CTEM is an effective approach here to structure thinking around the right scope.
Evolving Threat Exposure Management Beyond Vulnerability Management
There were several sessions that looked at how security teams need to address their ‘unpatchable’ attack surface and think differently about security hygiene. The session on the ‘Outlook for Threat Exposure Management’ from Jeremy D’Hoinne looked at the ‘fix’ mindset that security has and broke it down into 3 fundamental challenges:
- We don’t know what to fix.
- We can’t get the fixes we want.
- We can’t trust our fixes to work.
The first problem is central to Cyber Asset Attack Surface Management (CAASM). If we don’t know what we have, how do we know what’s important? We may not be able to discover everything, but we need to be sure that we have identified everything that is critical to the business; this is why the ‘scope’ element of a CTEM program is as important as the ‘discovery’ part.
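To make the scope-versus-discovery distinction concrete, here is an added example (not Gartner’s or this post’s own code). It models the CTEM ‘scope’ step as a list of business-critical assets supplied by the business, and the ‘discovery’ step as the union of what two inventory tools report, then answers three questions a CAASM exercise should answer: which critical assets no tool has seen, which discovered hosts nobody has classified, and which tool contributes no unique coverage of the scoped estate (the ‘minimum effective toolset’ point from the myths session). The asset names, criticality labels, tool names and host lists are all constructed sample data.

```python
"""Scope-vs-discovery gap check for a CTEM / CAASM exercise.

Added illustration, not code from the original post or from Gartner.
SCOPE and DISCOVERED below are constructed sample data; hostnames,
owners and tool names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: str  # one of "critical", "high", "medium", "low"
    owner: str


# 'Scope': what the business says matters (constructed sample).
SCOPE = [
    Asset("pay-api-01", "critical", "payments"),
    Asset("pay-db-01", "critical", "payments"),
    Asset("hr-portal", "high", "people-ops"),
    Asset("wiki-01", "low", "it"),
]

# 'Discovery': hostnames each tool reported (constructed sample).
DISCOVERED = {
    "vuln-scanner": {"pay-api-01", "HR-Portal", "wiki-01", "jump-01"},
    "cloud-inventory": {"pay-api-01", "wiki-01", "old-test-vm"},
}

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
IN_SCOPE_LEVELS = ("critical", "high")


def normalise(hostname: str) -> str:
    """Tools disagree on case and whitespace; compare on a canonical form."""
    return hostname.strip().lower()


def discovered_hosts(discovered):
    """Union of everything any tool has seen, normalised."""
    return {normalise(h) for hosts in discovered.values() for h in hosts}


def discovery_gap(scope, discovered):
    """Return (critical/high assets no tool saw, seen hosts nobody classified)."""
    seen = discovered_hosts(discovered)
    scoped = {normalise(a.hostname): a for a in scope}
    missing = sorted(
        a.hostname for h, a in scoped.items()
        if h not in seen and a.criticality in IN_SCOPE_LEVELS
    )
    unclassified = sorted(h for h in seen if h not in scoped)
    return missing, unclassified


def prioritised(scope, discovered):
    """Discovered, in-scope assets ordered by business criticality."""
    seen = discovered_hosts(discovered)
    ordered = sorted(scope, key=lambda a: RANK[a.criticality])
    return [a.hostname for a in ordered if normalise(a.hostname) in seen]


def tool_unique_coverage(scope, discovered):
    """For each tool, the critical/high scoped hosts that only it reports.

    A tool whose set is empty adds no unique coverage of the scoped estate,
    which is the question to ask before buying or keeping it.
    """
    important = {
        normalise(a.hostname) for a in scope if a.criticality in IN_SCOPE_LEVELS
    }
    norm = {tool: {normalise(h) for h in hosts} for tool, hosts in discovered.items()}
    unique = {}
    for tool, hosts in norm.items():
        others = set().union(*(h for t, h in norm.items() if t != tool))
        unique[tool] = (hosts & important) - others
    return unique


if __name__ == "__main__":
    missing, unclassified = discovery_gap(SCOPE, DISCOVERED)
    print("critical/high assets never discovered:", missing)
    print("discovered but unclassified:", unclassified)
    print("work queue by criticality:", prioritised(SCOPE, DISCOVERED))
    print("unique coverage per tool:", tool_unique_coverage(SCOPE, DISCOVERED))
```

On the sample data the payments database is in scope but invisible to every tool, two hosts exist that no owner has classified, and the cloud inventory tool reports nothing about the important estate that the vulnerability scanner does not already see. Those three findings are the ‘scope’, ‘discovery’ and ‘minimum effective toolset’ conversations respectively, and none of them needs a data lake to surface.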
The problem of how we know that our fixes are working, or that our controls are effective, was covered in other talks too. It was the topic of Jeremy D’Hoinne’s talk on Cybersecurity Validation and was also touched on by Jie Zhang in her session on the Outlook for Cyber Risk Management. This is about taking information from existing tooling around attack surface and posture management and using ‘smart’ automation to take the attacker’s perspective and ensure that our compensating controls are doing their job. As before, we can’t do everything, so this needs to tie back to prioritization.
Many of these trends were echoed in other talks covering the future of Zero Trust, how best to manage Third Party risk, the future of the SIEM and more. If there was a consensus, it’s that security leaders need to be more pragmatic, less driven by individual tools and more aligned to the business need when considering cyber risk.
In new research announced at the show, Gartner forecasts that global security and risk management spending is going to grow by 14% in 2024, with the continued adoption of cloud and increasing regulatory pressure driving greater investment in those areas.
But one of the major themes I took from this year’s event was that the concept of ‘Posture Management’ has never been higher on the CISO’s agenda, whether across Data, Identity, Applications, Cloud or Endpoints, and that security leaders who manage this shift well will be best positioned to reduce their organization’s risk exposure while meeting the needs of the business.
You can learn more about Gartner’s perspective on innovative cybersecurity technologies from the latest 2023 Gartner® Hype Cycle for Security Operations; get your copy here.