But before I dive into some of my major takeaways, I want to provide some context and a ton of helpful resources and valuable links.
To start, I highly recommend going to the Gartner Newsroom here. You will find daily summaries from top sessions along with materials and insights that usually cost thousands of dollars to obtain.
Here are a few key takeaways worth reviewing:
Day 1 Highlights
- Opening Keynote: Cybersecurity 2032: Accelerating the Evolution of Cybersecurity
- Outlook for Cloud Security
- What Security Needs to Know and Do About the New AI Attack Surface
- Top Trends in Security and Risk Management
- The Key Drivers for CISO Effectiveness
- The Top Cybersecurity Predictions for 2022-2023
- The Multigenerational Workforce in Security
- Outlook for Privacy, 2022-2023
- Security Strategy Planning Best Practices
Cyber Budget Trends
- Gartner Survey Reveals Marketing Budgets Have Increased to 9.5% of Overall Company Revenue in 2022
- Budgets Build Back, But Lag Pre-COVID-19 Levels
- CMOs Confident On Brand Capabilities, But 58% Lack In-House Resources
“Nothing has lowered Cybereason’s expectations for growth. Rather, the continuing rise in ransomware attacks has forced its clients to bolster spending on security systems, putting the security software company ahead of schedule when it comes to revenue.
“But Cybereason is cutting costs anyway, confirming last week that it’s laying off 10 percent of its workforce, or about 100 employees. The reductions follow the dramatic swing in the economy this year and the beating that software stocks have taken on the public market.”
MY FAVORITE SESSION AT THE GARTNER SUMMIT
My favorite session at the conference this week was “The Top 10 Cybersecurity Value Metrics Every Organization Should Use.”
Paul Proctor started off by telling the audience that Gartner was wrong for many years when it told organizations that no one can tell you what metrics to use. It was also wrong when it told CISOs (and others) to never use operational metrics with executive decision-makers.
Now, Gartner says they can tell us exactly what metrics to use.
Historically, organizations have tended to report on the metrics they have, such as the number of threats or emails blocked. Also, few people knew what executives wanted to hear beyond “no breaches,” which is not practical.
Now, metrics need to be “outcome-driven,” which is a term we used in Michigan government back in the 1990s and is apparently coming back. Metrics need to inform priorities and investments, align to business outcomes, support differentiated investments across the organization and reflect cybersecurity outcomes.
I won’t walk through all the recommended metrics here, but a few of them are:
- Mean time to remediate incidents (MTTR)
- Operating system (OS) patching cadence
- Third-party risk decisions
- Policy exceptions expired and unremedied
- Endpoint protection
- Recovery testing – core systems
- Cloud security automation
- Access – zero-trust multifactor authentication
- Security awareness training for staff
- Phishing training – click-through rates
To get the recommended details and benchmarks, you will need to talk with Gartner. Still, this list provides a helpful guidepost for what we should be measuring and benchmarking against peers in order to demonstrate “due diligence or due care.” This will become even more important moving forward as C-suite executives are graded on their preparation prior to cyber attacks like ransomware.
FINAL THOUGHTS
There were many other great sessions, including a keynote from CrowdStrike on the evolving 2022 cybersecurity threat landscape. They covered their recent report found here.
I also gained a better understanding of what cybersecurity mesh is all about, which will be the topic of another blog later this year. Cybersecurity mesh is one of the top trends for 2022.
Finally, I liked this material from a conference session on how cyber leaders can prepare for the future.