I had the privilege of attending the recent Gartner Security and Risk Management Summit. It was an engaging week of keynotes, educational sessions, and discussions, with more than 5,000 security and risk-management executives from across the globe in attendance.
It is a new era for cyber security and risk management. That was loud and clear. The game has changed. Criminals are highly organized, the attack surface and threat landscape have expanded drastically, budgets are limited, burnout for cyber professionals is high, and the talent deficiency is a genuine struggle.
It’s a bleak list, but there is hope. The biggest takeaway from the past week was a positive one. Security and risk professionals are coming together to support each other, help solve challenges, and share invaluable insights into the latest cybersecurity tactics and strategies. Overall, I left feeling energized and with a strong sense that this is an empowered industry coming together to collaborate, share, support, and uplift each other.
Some of the hot trends discussed across the sessions this week included:
With more than 300 sessions, there was so much to unpack over the course of the week. (And yes, many sessions included jokes that artificial intelligence or ChatGPT should be leveraged or feared.)
It’s clear that everyone is navigating some sort of hybrid environment today. The risks are similar for both cloud and your data center, but the controls you deploy in the cloud to treat those risks are different. Today’s risks come with complexity, expanded attack surfaces, difficult remediation paths, and limited visibility. But we also need to navigate regulations/compliance gaps, sovereignty, supply-chain issues, data loss/exfiltration, and resource theft.
“We have changed the landscape. And we now need a different set of controls, and a different way of thinking about those controls, in order to protect the way we have shifted from working in an office every day to working remotely.”
—Morey Haber, CSO, BeyondTrust
Multiple sessions discussed the difference in mindset between security and cloud teams. There was particular focus on how disruptive cloud transformation can be to your security approach. It is tough to govern what happens in the cloud. Cloud solution design has often prioritized being agile and innovative over being governable. Containers were designed to circumvent the adults in the room. Software-as-a-service is often deployed in all areas of the organization before security teams have the skills or tools to secure it.
“Technology deployments will continue to outpace your ability to secure them.”
–Katell Thielemann, Distinguished VP Analyst, Gartner
It is important to maintain open discussion between teams, work more transparently, and reduce security debt in the cloud. There are some harsh realities here. Security and risk will never win the popularity contest. Developers will always find ways to work around mandated rules. Innovation is always paramount, so it’s important that teams work together to balance both teams’ objectives and focus on empowering innovation. Many sessions openly discussed the need to adopt human-centric design practices and innovation-inclusive approaches to security strategy.
In the “Outlook for Cloud Security” session, Jay Heiser, VP Analyst, Gartner, asked bluntly, “How many of you are backing up SFDC?” A very small group raised their hands. His response came with a nervous laugh: “You are supposed to do it!”
With today’s work anywhere, anytime, and anyplace reality, adopting a Zero Trust mindset is the best strategy. Beyond the buzzword hype and all its misuse, it’s a critical point. Bottom line: Continuously authenticate and verify all users, devices, and applications. Trust no one. You shouldn’t trust devices or assets either.
The days of single-factor authentication are over. Authentication best practices like multi-factor authentication (MFA) and biometrics are ideal. Make your access policies dynamic. Always grant access based on the least privileges needed to complete a given task. Then, constantly re-evaluate and evolve your adopted strategy to prevent unauthorized access to data and services across the organization. It is important to collect and use data to improve your security posture.
“In 10 years, we will still view Zero Trust as something we are working on.”
—Oscar Isaka, Sr. Director Analyst, Gartner
It's important to note that adopting a Zero Trust strategy takes time and requires an “all hands on deck” mentality. No magic product or tool will get you there. To achieve Zero Trust, you need to make corporate culture, companywide processes, employee education, and a security mindset paramount throughout the entire organization. Here’s some help: Last year the U.S. Department of Defense outlined 152 controls for achieving Zero Trust.
“Use the adoption of the cloud as a catalyst to adopt Zero Trust by default.”
—Jay Heiser, VP Analyst, Gartner
Learn how to architect your Zero Trust posture.
An important theme throughout the week focused on how proactive and connected workflows for data visibility, threat monitoring, backup, and recovery are essential aspects of your security strategy. In today’s environment—where everything connects, and your data is irreplaceable—recovery is key.
Start with data visibility. Ensure you know all the data you store and use, especially the sensitive and mission-critical data. Dark data remains a major risk. Build data visibility and governance by creating clear policies for lifecycle, discovery, classification, and retention. Focus on securing areas of high-risk and high-value data, especially regulated data. Adopt robust data analytics that monitor and mitigate risk. Anomaly detection and malware scanning capabilities will notify you quickly if something out of the ordinary happens in your environment.
Most critical is the ability to recover from backups. Typically, this has not been something that security teams own, but it is now important to get involved and be in the loop.
“We call it the 3-2-1+1. Three copies: preferably two are in different types of formats, you really want to have one offsite, and there’s a fourth one for immutable storage, which ensures it won’t get corrupted or changed if you get hit from ransomware.” —Wayne Hankins, Sr. Director Analyst, Gartner
In addition to the 3-2-1+1 backup strategy, it is vital that you can rapidly recover during an attack. This requires testing and performing recovery exercises regularly so that the first time you recover is not during an attack.
Learn how to address data visibility, threat monitoring, backup, and recovery.
I really enjoyed attending the Gartner Security and Risk Management Summit with my colleagues, Brad Vincent, Sonya Duffin and Tim Burlowski. It was a great week diving into the challenges faced today and soaking in all the learning.