Busting myths: Four key takeaways from Gartner’s Security and Risk Management Summit

October 03, 2023

Nick Lines

The overall message from the conference was that it’s time for change – will the security industry take note?

The Gartner Security and Risk Management Summit rolled into town last week, and I took the opportunity to hear the latest from arguably the most influential analysts in the security space.

There were a few common themes to the agenda, but the clarion call from every session I attended was that the security industry needs to change its approach fundamentally, and fast.

Specialist sessions, such as the outlook for SecOps, espoused the urgent need to find new ways to approach security, especially around joining up internally and externally. The status quo is unsustainable; a more human-centric approach is needed.

The leadership vision for Security and Risk similarly emphasized the transformation needed in how organizations manage their security. It argued that we need to focus on people to reduce friction, increase effectiveness, and reflect that we all need to have security front-of-mind given that all transformation now inherently includes “digital”.

Cybersecurity myth busting

For me, the highlight was the keynote on day one, setting out to bust four big myths – or perhaps perceived wisdom – in cybersecurity. If you have access, I’d strongly recommend finding the recording or slides, but for me the biggest takeaway was the need to shift from the idea of ‘minimum viable’ to ‘minimum effective’.

It’s a simple but impactful change, and one that goes across the four myths cited by the speakers. Here’s my potted summary:

1. More risk assessment = better protection? No. More assessment lulls you into thinking you’re protected. Instead we should measure meaningful outcomes in cybersecurity. Minimum effective insight is the sweet spot.

2. More tools = more protection? No. More tools lead to more stress on security teams and less value realized, and don’t deliver what you need.

Go for minimum effective toolset with a strategy in mind.

3. More security people = better protection? No, there simply aren’t enough trained professionals to meet the industry’s needs. This is a topic we investigated in our recent Optimizing Cybersecurity report, with more than a quarter of security leaders saying they are worried about low security team headcount and low overall security budget.

Instead, organizations need to find a new approach, and that involves improving cybersecurity judgement across their workforce, while building cybersecurity into day-to-day activities and empowering risk-based decision making. CEOs and leaders want more tech people in business teams, not bigger IT teams.

What does that mean for security? Minimum effective expertise – across an organization – is what to aim for.

4. More controls = better protection? No. People will work around them. According to stats referenced in the keynote:

  • 69% of employees have deliberately bypassed controls.
  • 93% of those that did said they knew it would increase risk to the enterprise, but did so in the name of speed, or felt the need outweighed the risk.

Minimum effective controls that deliver minimum effective friction make a lot of sense.

Like all good observations, these are obvious once pointed out, but it takes someone pointing them out to bring about change. Now, will we as an industry accept that there are better ways to do things and transform in the same way as most other work has transformed?

I hope so.