Aligning Business & Risk: Recapping 2023's Gartner Security Summit
It was great to be back in National Harbor, Maryland, at the Gartner Security and Risk Management Summit. With 4300+ attendees and 300+ vendors showcasing their solutions, there was an energetic, positive vibe throughout the massive Gaylord resort and its 19-story glass atrium with views of the historic Potomac River. Seeing some of the many industry icons present, including Amit Yoran (current CEO of Tenable), Ron Gula (developer of one of the first commercial network IDS products, the Dragon Intrusion Detection System), and Dorit Dor (CTO of Check Point Software Technologies), was a personal highlight for us.
This year's theme was all about being business-aligned and risk-focused. This refers to an approach or strategy that emphasizes the alignment of business objectives and activities with sound risk management practices. It involves integrating risk management considerations into the decision-making processes of an organization (board down) to ensure that risks are identified, assessed, and addressed in a way that supports the achievement of business goals.
The opening keynote was focused on having an effective mindset in cybersecurity to fight misalignment. "Cybersecurity can generate massive value for our enterprises, but only if we have the courage to challenge the lies that we as cybersecurity professionals tell ourselves. Our self-deception locks us into obsolete principles and practices that prevent us from truly aligning with our executive partners and enabling our organizations." This keynote unpacked the biggest lies we must defeat, highlighting the decisions and practical steps cybersecurity leaders must take to deliver the success they deserve.
For us, the top keynote was delivered by Mary Mesaglio, Managing Vice President at Gartner, who absolutely rocked the house. Much of her presentation was focused on how to motivate employees who are feeling crisis fatigue, how to turn values into action, and what it takes for humans to really transform. She is clearly on a mission to help large enterprises harness behavioral science to lead teams and change behaviors; it was a fascinating topic and presentation. The three takeaways she left us with were:
- For employees to take ownership, make your message meaningful.
- To overcome shame and fear, make reporting the least risky action.
- For people to behave in a security-conscious way, remove the friction.
As for the multitude of more specific topical sessions offered up by Gartner through the course of the week, the award for Most Frequently Used Buzzwords goes to… no shock to anyone… "AI" and "ChatGPT". As quickly as mass media coverage of the topic exploded over the last few months, Gartner and vendors came at us from every possible angle to illustrate AI's impact on security. The good, the bad, and the ugly. Attendees were offered countless opportunities to ramp up on a variety of topics including generative AI, machine learning, expert systems, rule-based reasoning, fuzzy logic, and many others.
That said, one of the best sessions we attended had little focus on AI at all, but rather on Cloud Security. Patrick Hevesi (Gartner Vice President Analyst) and Charlie Winckless (Sr Director Analyst) delivered a 30-minute work of art titled "Cloud Security 201: A Cloud Security Cookbook". This session was the perfect mix of strategy, technology, and… humor.
The slides were high quality and, most importantly, practical. Weaving together culinary and cloud security concepts throughout the presentation, the speakers bantered back and forth seamlessly, keeping it entertaining while at the same time providing extremely practical advice.
They opened with a helpful list of "Cloud Cooking Ingredients", which was essentially a glossary of the acronyms referenced in subsequent slides: SMP, KSPM, CIEM, etc. They then proceeded to systematically educate the audience and break down recommended approaches.
First came strategy: the fundamental elements required for a cloud operating model and a Cloud Center of Excellence.
Next, they prescriptively walked the audience through approaches and tooling for securing the SaaS estate (a booming space), detailing CASB architecture and explaining why and when you need to cook with solutions such as Security Service Edge and SaaS Management Platforms. Then they provided the same guidance for securing IaaS and PaaS, dissecting the built-in native controls of each of the 3 major CSPs as well as CNAPPs. For the finale, they pulled it all together into a single visual, summarizing all of these concepts in what they called the "menu".
Kudos to these two gentlemen for the level of preparation required to fill just about every one of their 30 minutes with useful takeaways, and for making typically tedious concepts fun. Not an easy trick.
Other key topics presented at the conference gave us insight into areas that we are already investing in and potentially expanding into. Those areas include Zero Trust, Data Security, Organizational Resilience, Microsoft security, updates to NIST security guidance, an approach to briefing the board on security, and Top Trends in 2023.
Data Security: The focus was on the data itself and on just-in-time access. This requires a path of simplicity: a data strategy that starts with streamlining data repositories. The approach emphasizes avoiding and eliminating duplication of data, which in turn enables centralized control and management based on identification and authorization. The use of metadata was also a key aspect of the strategy, applying proper classification and overall management.
Zero Trust: Organizations need to think about zero trust, but it is not necessarily a new idea. Most have already implemented some aspect of zero trust by applying the basic rules of limiting access and need to know. In this regard, the message was that zero trust should be considered an architecture: a series of concepts and principles overlaying the technology environment. An additional message was to think about how multiple attributes are embedded while still focusing on the change that needs to happen in the environment. Lastly, NIST 1800-35 is being recommended as an architecture reference, without any consideration of or emphasis on products.
Organizational Resilience: Not to be confused with cyber resilience, this emphasizes the importance of thinking about the business and its processes prior to architecture and technical implementation. The starting point is understanding your business processes across the full spectrum, upstream, downstream, and horizontally. Mapping your business and its dependencies is an essential picture that must be defined prior to any plan.
NIST: This security guidance continues to be the leading authority on standards for a number of important security domains. The presentation gave a series of overviews on several topics, including Identity and Access Management, Zero Trust, Cryptography, Risk Management, and Incident Management and Response. These and other materials have been updated and are available through NIST's online resources.
Microsoft Security: This continues to be a major topic of interest, and possibly frustration, given the new license format. More importantly, security capabilities are being introduced as part of the implementation. The presenter gave an excellent overview of the minimum recommended security implementation for the new Microsoft security framework, and provided insight into things to watch and avoid regarding the granularity of the security features. In the end, the conclusion was to use the Microsoft security features smartly, but always consider how additional security products can or should be integrated.
Briefing the Board: The discussion on how to present security to the board was interesting in terms of offering new thinking, or perhaps an improved approach, for conveying the proper message. The presenter gave an overview of past approaches and how to change the message by using specific topics of high interest. One example: in the past, a board presentation discussed the type of data behind a KPI; it should instead present business KRIs (key risk indicators). Another was shifting the material from a technology audience to a board executive audience. Lastly, think about today's drivers of regulation and decision-making, as opposed to investment in the transformation of technology and security.
Top Trends: Finally, the topic on security trends and challenges for 2023 presented Gartner's view, based on input from the community of CISOs and IT leadership. The top 5 challenges are:
- Growing data privacy compliance regulation
- Lack of visibility and governance of data
- The move to the cloud
- Securing the data analytics pipeline
- Avoiding accidental or intentional disclosure of sensitive information
Within each of these areas, Gartner's presentation discussed the recommended action plan and the follow-up process of measuring outcomes to ensure these challenges are being addressed.
By adopting a business-aligned and risk-focused approach, organizations aim to optimize their risk management practices, protect their assets, enhance decision-making, and ultimately improve their ability to achieve their strategic objectives while minimizing potential disruptions or negative impacts. This is critical in today's ever-evolving threat landscape, and it was refreshing to see.