While many of my security industry colleagues headed west to the RSA Conference in San Francisco this past week, I headed east (from Michigan) to the 2022 Gartner Security & Risk Management Summit. While RSA attracted over 26,000 attendees, including more than 600 speakers, 400 exhibitors and over 400 members of the media, the Gartner conference chair told me that about 4,200 people attended the event held in National Harbor, Md.
But before I dive into some of my major takeaways, I want to provide some context and (a ton of) helpful resources and valuable links.
To start, I highly recommend going to the Gartner Newsroom here. You will find daily summaries from top sessions along with materials and insights that usually cost thousands of dollars to obtain.
“Nothing has lowered Cybereason’s expectations for growth. Rather, the continuing rise in ransomware attacks has forced its clients to bolster spending on security systems, putting the security software company ahead of schedule when it comes to revenue.
“But Cybereason is cutting costs anyway, confirming last week that it’s laying off 10 percent of its workforce, or about 100 employees. The reductions follow the dramatic swing in the economy this year and the beating that software stocks have taken on the public market.”
MY FAVORITE SESSION AT THE GARTNER SUMMIT
My favorite session at the conference this week was “The Top 10 Cybersecurity Value Metrics Every Organization Should Use.”
Paul Proctor started off by telling the audience that Gartner was wrong for many years when they told organizations that no one can tell you what metrics to use. They were also wrong when telling CISOs (and others) to never use operational metrics with executive decision-makers.
Now, Gartner says they can tell us exactly what metrics to use.
Historically, organizations have tended to report on the metrics they have, such as the number of threats or emails blocked. Also, few people knew what executives wanted to hear beyond “no breaches,” which is not practical.
Now, metrics need to be “outcome-driven,” which is a term we used in Michigan government back in the 1990s and is apparently coming back. Metrics need to inform priorities and investments, align to business outcomes, support differentiated investments across the organization and reflect cybersecurity outcomes.
I won’t walk through all the recommended metrics here, but here are a few:
Mean time to remediate incidents (MTTR)
Operating system (OS) patching cadence
Third-party risk decisions
Policy exceptions expired and unremedied
Recovery testing – core systems
Cloud security automation
Access – zero-trust multifactor authentication
Security awareness training for staff
Phishing training – click-through rates
To get the details and benchmarks recommended, you will need to talk with Gartner, but this list does provide a helpful guidepost to see what we should be measuring and benchmarking against peers to have a sense of “due diligence or due care.” This will become even more important moving forward as C-suite executives are graded on their preparation prior to cyber attacks like ransomware.
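To make the "outcome-driven" idea concrete, here is an added example (my own illustration, not code or benchmarks from Gartner or from the session) that computes three of the listed metrics from constructed sample data: mean time to remediate incidents, OS patching cadence, and phishing click-through rate, then scores each against a target. The incident tickets, patch records, phishing numbers and the target values are all assumptions made up for the example; Gartner's actual benchmarks are not on this page.

```python
from datetime import datetime, date
from statistics import mean, median

# Constructed incident tickets (illustrative, not real data): detection and
# remediation timestamps; an open incident has no remediation time yet.
INCIDENTS = [
    {"id": "INC-1", "detected": "2022-05-02T09:00", "remediated": "2022-05-02T15:00"},
    {"id": "INC-2", "detected": "2022-05-10T08:30", "remediated": "2022-05-11T08:30"},
    {"id": "INC-3", "detected": "2022-05-20T13:00", "remediated": "2022-05-20T16:00"},
    {"id": "INC-4", "detected": "2022-05-28T22:00", "remediated": None},
]

# Constructed host patch records: OS patch release date and date applied.
PATCH_RECORDS = [
    {"host": "web-01", "released": "2022-05-10", "applied": "2022-05-14"},
    {"host": "web-02", "released": "2022-05-10", "applied": "2022-05-25"},
    {"host": "db-01", "released": "2022-05-10", "applied": "2022-06-20"},
    {"host": "app-01", "released": "2022-05-10", "applied": None},
]

# Constructed phishing-simulation results for one campaign.
PHISHING = {"sent": 500, "clicked": 40, "reported": 120}

# Assumed targets for this example only (not Gartner's benchmarks).
# "lower" means a lower value is better, "higher" means a higher value is better.
TARGETS = {
    "mttr_mean_hours": (24.0, "lower"),
    "patched_within_14d_pct": (90.0, "higher"),
    "phish_click_pct": (5.0, "lower"),
}


def mean_time_to_remediate_hours(incidents):
    """MTTR over closed incidents; open ones are counted but not averaged."""
    hours, still_open = [], 0
    for inc in incidents:
        if inc["remediated"] is None:
            still_open += 1
            continue
        detected = datetime.fromisoformat(inc["detected"])
        remediated = datetime.fromisoformat(inc["remediated"])
        hours.append((remediated - detected).total_seconds() / 3600)
    return {"mean": round(mean(hours), 1), "median": round(median(hours), 1),
            "closed": len(hours), "open": still_open}


def patch_cadence(records, window_days):
    """Share of hosts that applied the patch within window_days of release.
    Unpatched hosts stay in the denominator so the figure is not flattered
    by hosts that were never patched at all."""
    within, days_to_patch = 0, []
    for rec in records:
        if rec["applied"] is None:
            continue
        delay = (date.fromisoformat(rec["applied"]) - date.fromisoformat(rec["released"])).days
        days_to_patch.append(delay)
        if delay <= window_days:
            within += 1
    return {"pct_within_window": round(100 * within / len(records), 1),
            "median_days": median(days_to_patch) if days_to_patch else None,
            "unpatched": len(records) - len(days_to_patch)}


def phishing_rates(sim):
    """Click-through and report rates as percentages of emails sent."""
    return {"click_pct": round(100 * sim["clicked"] / sim["sent"], 1),
            "report_pct": round(100 * sim["reported"] / sim["sent"], 1)}


def evaluate(values, targets=TARGETS):
    """Compare each metric with its target and record whether it meets it."""
    report = {}
    for name, (target, direction) in targets.items():
        value = values[name]
        ok = value <= target if direction == "lower" else value >= target
        report[name] = {"value": value, "target": target,
                        "status": "meets" if ok else "misses"}
    return report


def scorecard():
    """Executive-facing view: one line per metric with value, target, status."""
    values = {
        "mttr_mean_hours": mean_time_to_remediate_hours(INCIDENTS)["mean"],
        "patched_within_14d_pct": patch_cadence(PATCH_RECORDS, 14)["pct_within_window"],
        "phish_click_pct": phishing_rates(PHISHING)["click_pct"],
    }
    return evaluate(values)


if __name__ == "__main__":
    for name, row in scorecard().items():
        print(f"{name:24} {row['value']:>6}  target {row['target']:>6}  {row['status']}")
```

The point of the scorecard is the "status" column: each metric is paired with a target and a direction, so the report tells an executive whether a figure is acceptable rather than just what it is. Keeping unpatched hosts and open incidents visible in the output is deliberate; a cadence figure computed only over hosts that did patch would hide exactly the risk the metric exists to surface.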
There were many other great sessions, including a keynote from CrowdStrike on the evolving 2022 cybersecurity threat landscape. They covered their recent report found here.
I also gained a better understanding of what cybersecurity mesh is all about, which will be the topic of another blog later this year. Cybersecurity mesh is one of the top trends for 2022.