An Analyst View of Gartner Security & Risk Management Summit 2023

As a former Gartner analyst, it was interesting to be on the other side, listening as others explored the impact of CEO and CIO priorities on security.

GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2023 — National Harbor, Md. — At the opening keynote for the Gartner Security & Risk Management Summit 2023, Gartner distinguished VP analyst Leigh McMullen and senior director analyst Henrique Teixeira emphasized that cybersecurity can generate massive value for enterprises. However, professionals in this field must be willing to challenge misconceptions and move beyond obsolete practices.

The keynote discussed the importance of adopting a "minimum effective" mindset across business engagement, technology, and talent. "Minimum effective" refers to the input, not the outcome, as part of a deliberate, ROI-driven strategy to lead cybersecurity into the future.

McMullen and Teixeira took aim at four prevalent myths in the cybersecurity field:

  1. More data equals better protection: Instead, they suggested pursuing the least amount of information needed, to draw a line between the funding of cybersecurity and the amount of vulnerability that funding addresses.
  2. More technology equals better protection: They warned against the mindset that some forthcoming technology will solve all problems, leading to the premature acquisition of solutions.
  3. More cybersecurity pros equal better protection: They argued that there's no way to scale services to match the enterprise pace merely by hiring more professionals.
  4. More controls equal better protection: They pointed out that controls that are circumvented are worse than no controls at all, highlighting the friction employees often experience with secure behavior.

Gene Alvarez, a distinguished VP analyst at Gartner, presented another keynote on the metaverse and digital twins, concepts that will become increasingly important as our thinking about identity management evolves.

In another session, Katell Thielemann, distinguished VP analyst at Gartner, presented on the current CIO and CEO agenda. She highlighted the top priorities of executive leaders and the implications for security. According to Thielemann, boards are willing to increase risks but want results, and CEOs want tangible growth from digital investments. CIOs, on the other hand, need to deliver outcomes by prioritizing the right digital initiatives. She emphasized that CISOs need to adopt a more rigorous approach to prioritizing security resources due to the accelerated enterprise demand for information security expertise caused by digitization.

Walking the vendor floor, I saw many solutions aimed at very familiar use cases, and I heard attendees comment on how so many products appeared to replicate solutions to the same problems. Of course, many of the leading sector vendors were there, covering email and messaging security and endpoint protection. Some interesting vendors were taking a fresh look at secure browsers, which for a long time lacked effective enterprise controls despite being a key plank in the endpoint security posture. I must admit that I was somewhat relieved that no one tried to explain to me how GenAI was the source of, or the solution to, all of life's problems.