Lessons from the Gartner Security & Risk Management Summit

What are the important trends regarding business risk and all things cybersecurity? Here are my top takeaways from the Gartner conference I attended this week.  

June 12, 2022

Dan Lohrmann

While many of my security industry colleagues headed west to the RSA Conference in San Francisco this past week, I headed east (from Michigan) to the 2022 Gartner Security & Risk Management Summit. While RSA attracted over 26,000 attendees, including more than 600 speakers, 400 exhibitors and over 400 members of the media, the Gartner conference chair told me that about 4,200 people attended the event held in National Harbor, Md.

But before I dive into some of my major takeaways, I want to provide some context and a ton of helpful resources and valuable links.
To start, I highly recommend going to the Gartner Newsroom here. You will find daily summaries from top sessions along with materials and insights that usually cost thousands of dollars to obtain.

Here are a few key takeaways worth reviewing:

Day 1 Highlights

  • Opening Keynote: Cybersecurity 2032: Accelerating the Evolution of Cybersecurity
  • Outlook for Cloud Security
  • What Security Needs to Know and Do About the New AI Attack Surface

Day 2 Highlights

  • Top Trends in Security and Risk Management
  • The Key Drivers for CISO Effectiveness
  • The Top Cybersecurity Predictions for 2022-2023

Day 3 Highlights

  • The Multigenerational Workforce in Security
  • Outlook for Privacy, 2022-2023
  • Security Strategy Planning Best Practices

Cyber Budget Trends

  • Gartner Survey Reveals Marketing Budgets Have Increased to 9.5% of Overall Company Revenue in 2022
  • Budgets Build Back, But Lag Pre-COVID-19 Levels
  • CMOs Confident On Brand Capabilities, But 58% Lack In-House Resources
Interestingly enough, Friday's stock market selloff also featured in this CNBC article, which talks about job cuts in cybersecurity, especially among startups. Here's an excerpt:
“Nothing has lowered Cybereason’s expectations for growth. Rather, the continuing rise in ransomware attacks has forced its clients to bolster spending on security systems, putting the security software company ahead of schedule when it comes to revenue.
“But Cybereason is cutting costs anyway, confirming last week that it’s laying off 10 percent of its workforce, or about 100 employees. The reductions follow the dramatic swing in the economy this year and the beating that software stocks have taken on the public market.”


My favorite session at the conference this week was “The Top 10 Cybersecurity Value Metrics Every Organization Should Use.”
Paul Proctor started off by telling the audience that Gartner was wrong for many years when they told organizations that no one can tell you what metrics to use. They were also wrong when telling CISOs (and others) to never use operational metrics with executive decision-makers.
Now, Gartner says they can tell us exactly what metrics to use.
Historically, organizations have tended to report on the metrics they have, such as the number of threats or emails blocked. Also, few people knew what executives wanted to hear beyond “no breaches,” which is not practical.
Now, metrics need to be “outcome-driven,” which is a term we used in Michigan government back in the 1990s and is apparently coming back. Metrics need to inform priorities and investments, align to business outcomes, support differentiated investments across the organization and reflect cybersecurity outcomes.
I won’t walk through all the recommended metrics here, but here are a few:

  1. Mean time to remediate incidents (MTTR)
  2. Operating system (OS) patching cadence
  3. Third-party risk decisions
  4. Policy exceptions expired and unremedied
  5. Endpoint protection
  6. Recovery testing – core systems
  7. Cloud security automation
  8. Access – zero-trust multifactor authentication
  9. Security awareness training for staff
  10. Phishing training – click-through rates
To get the details and benchmarks recommended, you will need to talk with Gartner, but this list does provide a helpful guidepost to see what we should be measuring and benchmarking against peers to have a sense of “due diligence or due care.” This will become even more important moving forward as C-suite executives are graded on their preparation prior to cyber attacks like ransomware.
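To make the "outcome-driven" idea concrete, here is an added example (mine, not Gartner's and not from the original post) that computes three of the listed metrics from raw records: mean time to remediate, OS patching cadence expressed as the share of patches applied within an SLA window, and the phishing click-through rate, then scores each against a target so the result reads as an outcome rather than an activity count. The incident, patch and phishing records and the targets are constructed for illustration; the targets are not Gartner benchmarks.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    ident: str
    detected: datetime
    remediated: Optional[datetime]  # None while the incident is still open


@dataclass
class PatchRecord:
    host: str
    released: datetime            # vendor release date of the patch
    applied: Optional[datetime]   # None if the host has not been patched yet


# Constructed sample data (illustrative only, not real telemetry).
INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2022, 6, 1, 9), datetime(2022, 6, 1, 15)),   # 6 h
    Incident("INC-2", datetime(2022, 6, 3, 8), datetime(2022, 6, 5, 8)),    # 48 h
    Incident("INC-3", datetime(2022, 6, 10, 10), None),                     # still open
]
PATCHES: List[PatchRecord] = [
    PatchRecord("h1", datetime(2022, 5, 1), datetime(2022, 5, 10)),   # 9 days: met
    PatchRecord("h2", datetime(2022, 5, 1), datetime(2022, 5, 20)),   # 19 days: missed
    PatchRecord("h3", datetime(2022, 5, 1), None),                    # overdue, unpatched: missed
    PatchRecord("h4", datetime(2022, 6, 5), None),                    # not yet due: excluded
    PatchRecord("h5", datetime(2022, 5, 20), datetime(2022, 5, 30)),  # 10 days: met
]
PHISH_RESULTS: Dict[str, int] = {"sent": 500, "clicked": 23, "reported": 140}
AS_OF = datetime(2022, 6, 12)

# Illustrative targets chosen for this example; "lower" means a smaller value is better.
TARGETS = {
    "mttr_hours": (24.0, "lower"),
    "patch_sla_compliance": (0.90, "higher"),
    "phishing_click_rate": (0.05, "lower"),
}


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean hours from detection to remediation over closed incidents only.
    Open incidents have no remediation time yet and are excluded rather than
    counted as zero, which would flatter the number."""
    closed = [i for i in incidents if i.remediated is not None]
    if not closed:
        return None
    return mean((i.remediated - i.detected).total_seconds() / 3600 for i in closed)


def patch_sla_compliance(patches: List[PatchRecord], sla_days: int, as_of: datetime) -> Optional[float]:
    """Share of due patches applied within sla_days of release.
    A patch is 'due' once it is applied or once the SLA window has elapsed;
    an unapplied patch still inside its window is neither a hit nor a miss."""
    window = timedelta(days=sla_days)
    due = [p for p in patches if p.applied is not None or as_of - p.released > window]
    if not due:
        return None
    met = sum(1 for p in due if p.applied is not None and p.applied - p.released <= window)
    return met / len(due)


def phishing_click_rate(results: Dict[str, int]) -> float:
    """Fraction of simulated phishing messages whose link was clicked."""
    return results["clicked"] / results["sent"]


def scorecard(incidents, patches, phish, as_of, sla_days=14) -> Dict[str, dict]:
    """Pair each metric with its target and a pass/fail flag so the table can
    be read by an executive without knowing how the number was produced."""
    values = {
        "mttr_hours": mttr_hours(incidents),
        "patch_sla_compliance": patch_sla_compliance(patches, sla_days, as_of),
        "phishing_click_rate": phishing_click_rate(phish),
    }
    card = {}
    for name, value in values.items():
        target, direction = TARGETS[name]
        meets = value is not None and (value <= target if direction == "lower" else value >= target)
        card[name] = {"value": value, "target": target, "meets": meets}
    return card


if __name__ == "__main__":
    for name, row in scorecard(INCIDENTS, PATCHES, PHISH_RESULTS, AS_OF).items():
        print(f"{name:22} {row['value']!s:>8} target {row['target']:<6} {'OK' if row['meets'] else 'MISS'}")
```

The two exclusions (open incidents, patches not yet due) are where such metrics are most often gamed or misread, so they are handled explicitly rather than left to a default.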


There were many other great sessions, including a keynote from CrowdStrike on the evolving 2022 cybersecurity threat landscape. They covered their recent report found here.
I also gained a better understanding of what cybersecurity mesh is all about, which will be the topic of another blog later this year. Cybersecurity mesh is one of the top trends for 2022.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: