Gartner Security & Risk Management Summit 2022: Top Must-know Highlights

Gartner’s Security & Risk Management Summit 2022 kicked off in London on September 12, 2022. Here are the top highlights from the three-day summit, including the best industry insights from Gartner’s cohort.

September 16, 2022

The London leg of Gartner’s Security & Risk Management Summit concluded on September 14. The event featured sessions addressing critical strategic imperatives such as developing an agile security strategy, cultivating a human-centric, security-conscious culture, devolving risk responsibility, and establishing a new streamlined cybersecurity mesh architecture. Here are the main highlights from the three-day security conference.

Organizations’ risk profiles are changing dramatically as they rapidly embrace digitalized and agile operations. Gartner’s London event, which ended on September 14, emphasized building a new security environment that businesses must adopt by 2023. The three-day security and risk management seminar had an impressive expert lineup that stressed rethinking the current security and risk assessment mindset, simplifying procedures and security safeguards at the organizational level, and building a security-conscious culture.

Spiceworks News & Insights has compiled a host of major announcements and insights from the event, which centered on rewiring the fundamentals of cyber and risk management, cloud security perspective, coping with threat environments, security forecast, and more.

Key Highlights From Gartner’s Security & Risk Management Summit 2022

Ten cyber and IT risk basics to understand

Security and risk management (SRM) executives are struggling to advance their cyber and IT risk management processes beyond risk assessments. Jie Zhang, VP analyst at Gartner, discussed ten core risk management practices that SRM professionals must use to handle their company’s cyber and IT risks.

SRM executives may use the following ten core risk management procedures to assure the success of their company’s IT risk management goals:

  • Identify control requirements
  • Conduct business impact analysis
  • Define risk parameters and risk management strategy
  • Conduct risk assessment and evaluate controls
  • Document risks in a risk register and continual communication
  • Embed risk assessment, security testing and governance in project lifecycle
  • Invest in technical debt reduction
  • Identify scope
  • Monitor loss exposures and other indicators
  • Embed an organization-wide attitude to risk treatment

Cloud security purview

Cloud security is a critical responsibility. However, public cloud service providers pose a number of unique threats. In this session, Charlie Winckless, senior director analyst at Gartner, highlighted the issues and suggested techniques and new product types to handle the primary security difficulties of infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS).

Key takeaway

  • During the early stages of cloud adoption, several enterprises began employing traditional security technologies in the cloud. This strategy may be effective in the near term, but when application and DevOps teams adopt cloud-native services, traditional security technologies may not serve these use cases.
  • Resource protection, cloud configuration, artifact scanning, and DevSecOps enablement must all be addressed in cloud-native security.
  • Cloud-born firms and their security investments can provide insight into the future status of security.
  • Align security with the underlying architecture and the importance of the business. There is no such thing as one size fits all.
  • As cloud security capabilities are likely to be newer and more adaptable, incorporate them into your on-premises systems when appropriate.
  • Thinking more on the cloud security vision, future technologies and trends may involve cloud providers becoming security providers, security or policy as code, data and cloud sovereignty, secret computing, and others.

How to effectively prepare for and react to the shifting threat environment

The threat environment evolves as attackers adjust their methods and plans to how companies develop. During the session, Jeremy D’Hoinne, VP Analyst at Gartner, presented essential advice for security and risk management executives to battle top, advanced, and emerging threats.

Security and risk managers should consider three types of risks: recognized and common threats, high-momentum threats, and emerging, unique, and unpredictable dangers.

  • Top threats: Companies are acutely aware of threats that continue to be relevant year after year due to underlying developments.
  • High-momentum threats: Threats that are rising but whose awareness is not yet comparable to that of top threats.
  • Emerging threats: Threats that are rarer and less apparent yet serious enough to warrant the attention of security and risk management executives.

Key takeaway

  • When fighting well-known top threats, keep an eye out for micro trends that create expanding weaknesses in your protection. You may ensure executive support for continuous investment in security control upgrades by properly communicating about microtrends for well-known dangers.
  • Set up systems inside your security operations department to analyze the effect of new and high-momentum threats. Begin with API, supply chain, and cyber-physical systems (CPS) risks, concentrating on risk awareness, exposure management, posture validation, and basic security hygiene.
  • For emerging and future threats, concentrate on cyber resilience and connect security with organizational leaders to foresee the growth of the attack surface as a result of business transformation.

Projection of security operations in 2022

Security operations are changing dramatically regarding how and when security is planned and provided. Pete Shoard, VP analyst at Gartner, outlined during the webinar which technology, procedures, and services will influence how security operations are provided in 2022.

In order to develop their security operations strategy in 2022, organizations must focus on three aspects: 

  • How to optimize the value of threat intelligence and threat hunting
  • Where to focus visibility efforts to maximize exposure reduction, and
  • If automation and AI make sense for your security operations

Key takeaway

  • Measuring threat intelligence sounds intimidating, and it can be. However, you may apply metrics to feeds to assess how many actionable indications they produce, as well as measure the usefulness of intelligence applied to true positive vs. false positive events and occurrences.
  • Utilize threat intelligence to help with hunting as a starting point or to fill in gaps. Formalize hunting as a fundamental function of your SecOps program, and schedule time on your calendar to accomplish it.
  • The attack surface, vulnerability, and validation are the three pillars of exposure control.
  • Multiple techniques for exposure management are used to enhance diagnostics’ breadth, automation, and accuracy.
  • Before investing in automation or AI solutions, you must first design a process and something to monitor to assess your efforts’ value.

Forecasting the privacy perspective for 2022-2023

Privacy significantly influences digital transformation initiatives and is at the heart of how firms develop new customer engagement models and team-member relationships. In his session, Nader Henein, VP analyst at Gartner, reviewed the legal and technological evolutions developing in the privacy landscape in 2022 and beyond.

Key takeaway

  • The legal privacy landscape is becoming increasingly complex, and in the face of such constraints, enterprises cannot afford to chase compliance merely by using checklists. You must adapt and become more efficient and successful.
  • With an average budget of $2.2 million, the privacy office is unlikely to be able to spend much on its own. Therefore, privacy directors must be reasonable and seek the assistance of other business units.
  • Determine the key individuals who help push your privacy program ahead, then determine important goals for these stakeholders over the next two to three years and see if you can locate one or more capabilities that correspond with those efforts.
  • Privacy controls are data-centric tools that draw insights and enable management at the data level, such as automatic data finding and mapping tools, similar to a timer or fitness tracker.
  • Often referred to as privacy platforms or privacy management systems, they are designed to serve as the primary repository for your compliance-related paperwork. These technologies can aid in risk assessments, the documentation of processing operations, and the creation of privacy program reports.
  • The privacy user experience consists of features that show and manage notifications and policy statements, record consumer consent and preferences, and handle subject rights requests.

Ojasvi Nath

Assistant Editor, Spiceworks Ziff Davis

Ojasvi Nath is Assistant Editor for Toolbox and covers varied aspects of technology. With a demonstrated history of working as a business writer, she has now switched her interest to technology and handles a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation to hardware. Being a philomath, Ojasvi thinks knowledge is like a Pierian spring. The more you dive in, the more you learn. You can reach out to her at ojasvi.nath@swzd.com