Reflecting on the 2023 Gartner Security & Risk Management Summit

Gartner recently held its annual Gartner Security & Risk Management Summit, and this year’s event focused heavily on the growing link between the security and business arms of modern enterprises. The summit brought security and risk management professionals from across the globe together just outside of Washington, DC, to collaborate and learn from one another through a series of presentations, panels, and networking opportunities.

I was pleased to attend the conference with several Cymulators and present during the event, and we came away with plenty to think about.    

Gartner events are always engaging, and this conference was no exception. Cymulate conducted an educational session this year as well, in which my former colleague Tony Cole (now the CEO of ColeSec LLC) and I discussed strategies for treating cybersecurity resilience as a business process, and how to better communicate security risk and efficacy to senior leadership and the board. The topic fits nicely with Gartner’s recent focus on exposure management, including its recent prediction that Continuous Threat Exposure Management (CTEM) and security validation would be among 2023’s key security trends.  

Of course, ours was just one of many informative presentations at the summit—let’s look at some of the event highlights. The keynote speakers set the tone for the conference, so it’s always interesting to see what they choose to address. This year’s group of keynotes covered a range of topics and were both informative and inspirational.  

• Cutting Through the Lies That Obscure Cybersecurity’s Full Value. The opening keynote did not mince words. Gartner executives Leigh McMullen and Henrique Teixeira centered their talk around “the lies that we as cybersecurity professionals tell ourselves.” Such as those that stagnate innovation and lead many to cling to obsolete principles and practices. The duo offered advice on how to better align with executive partners and treat security as a business enabler—a topic that underscored the main theme of this year’s conference. 
• How to Get People to Care About Security and Risk. Gartner Managing Vice President Mary Mesaglio discussed how to generate security buy-in, not just at the board room level, but at the everyday employee level. Mary is on motivating employees who may be suffering from “crisis fatigue;” so she brings a considerable amount of expertise and experience on this topic. Generating employee buy-in for new (and existing) security measures is a challenge almost every organization faces, and it was good to see the topic put front and center at this year’s event.
• Disability and Innovation. One of the guest keynotes was given by Haben Girma, the first deafblind graduate of Harvard Law School and a staunch disability rights advocate. She spoke on the benefits of inclusiveness, and the ways in which improved accessibility benefits not just the disabled population, but the nondisabled population as well. She emphasized that prioritizing accessibility does not stifle innovation—in fact, it facilitates it. It was a stirring speech, particularly as the security industry continues to grapple with improving its approach to diversity and inclusivity.  

Key Takeaways from Workshops, Roundtables, and Other Interactive Sessions  

As interesting as the keynotes always are, some of the most memorable experiences at any Gartner summit come from the workshops, breakout groups, and other demonstrations. This year, there were a number of tracks that attendees could follow, including Cybersecurity Leadership, Cyber and IT Risk Management, and Application and Data Security. Of course, one could also jump around to attend specific sessions, and there were a number that caught my eye:   

• How to Respond to the Evolving Threat Environment, 2023. The emergence of AI-based attack tools has introduced a new and unpredictable element to the threat landscape. This session was designed to help organizations better understand how they can prepare for that uncertainty by investing in cyber resilience rather than specific defensive postures that may not be effective against certain attacks.
   
• The Expanding Attack Surface: Discovering and Prioritizing Your Unknown Risks. This presentation focused on a problem that hasn’t received enough attention: the alarming growth of non-patchable attack surfaces. It covered the need for exposure management solutions to help address that threat—a topic near and dear to our hearts at Cymulate. As the attack surface continues to expand, organizations will need compensating controls to mitigate vulnerabilities that cannot be patched.
   
• Drive Cybersecurity Investments with the Gartner Cybersecurity Value Benchmark. Gartner used this presentation to highlight its own value benchmarking system, which provided attendees with a worthwhile reminder that outcome-driven metrics are one of the most important ways for an organization to gauge its level of protection. Quantifying security outcomes can be a challenge, and this offered a fresh perspective on the problem.
   
• Weaponize Risk Appetite with Protection Level Agreements. On a similar note, this session discussed risk appetite—the amount of risk an organization is willing to accept. It focused on how to leverage the low risk appetite of most business leaders to justify investment in the security solutions needed to further lower the organization’s level of exposure. It was a clever way to frame the issue and a thought-provoking approach to the ever-present challenge of budgetary restrictions.
   
• Cybersecurity Validation: Attack Simulation, Pentesting and the Future of Red Teaming. Gartner VP analyst Jeremy D’Hoinne led this presentation, which focused on the value of breach and attack simulation (BAS), particularly when used in conjunction with penetration testing and red teaming. The session recommended adopting the attacker’s view in order to assess the effectiveness of security controls—advice we would certainly agree with.   

• Start Your Threat Exposure Management Program with These Three Steps. D’Hoinne led this engagement as well, and outlined the steps needed to implement an effective CTEM strategy. He discussed how to define your objectives, how to incorporate validation, and how to ensure that the program improves over time. He again emphasized the importance of adopting the attacker’s view, as well as the importance of working across business groups to implement tactical and strategic recommendations.
   
• Outlook for Threat Exposure Management: Be Ready or Be Sorry. Digging deeper into CTEM, this session outlined the value to be gained by testing defenses—both to discover their weaknesses and to highlight their strengths. CTEM can expand the organization’s approach to cybersecurity validation, foster improved mobilization, and monitor progress from automated tools and other solutions to ensure they are working as intended. The speakers emphasized CTEM as a continuous journey—one that helps organizations constantly assess and improve their defenses.
   
• From the Boiler Room to the Board Room. Finally, our own presentation. I was pleased to reconnect with my colleague Tony Cole to discuss how to communicate security risk and efficacy to the board. The security industry has been steadily shifting away from threat management toward exposure management, and our goal was to convey how that has changed the way we assess and manage risk. As that shift continues, it will be critical to ensure that security teams have the tools they need to accurately contextualize and convey that risk to senior leadership, board members, and other executives.  

This is just a small selection of the many, many sessions available to attendees. Gartner events always cover a broad range of topics, so it was encouraging to see so many of them touch on BAS, CTEM, Exposure Management, and other areas of focus for Cymulate.   

Enjoying the Return of In-Person Events  

For Cymulate, it was refreshing to see the conference shine a spotlight on the link between business and security. That topic has long been a focus for us, and we make it easier for organizations to put exposure management and security validation into a business context. It’s a message we’ve brought far and wide—in addition to the Gartner conference, we recently hosted a session at the Infosecurity Europe Conference that illustrated the real-life lessons we’ve learned from analyzing over 1.7 million hours of security assessments. Every day, we’re helping our partners and customers get better at putting their security needs and capabilities in context.   

The dates for next year’s Gartner Security & Risk Management Summit have already been set, and I look forward to connecting with professionals from around the industry in National Harbor again next June. In-person conferences have been few and far between in recent years, so it has been both exciting and refreshing to return to face-to-face interactions. It was great to hear from the experts at Gartner and to connect with colleagues bringing such a wealth of experience to the table. Thank you to Gartner for putting together such a wonderful event, and we hope to see you all again next year!