Key Takeaways

• Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP: “Security and risk management leaders should enforce a comprehensive privacy standard in line with the GDPR. This will allow their businesses to differentiate themselves in an increasingly competitive market and grow unhindered.”
• By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform: “Create a dedicated team of security and networking experts with a shared responsibility for secure access engineering spanning on-premises, remote workers, branch offices and edge locations.”
• 60% of organizations will embrace Zero Trust as a starting point for security by 2025. Over half will fail to realize benefits: “Communicate business relevance of ZT by aligning resilience and agility.”
• By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements: “Leverage risk-based evaluations that highlight transparency and reward participants.” 

Learn more from the Gartner Opening Keynote in the associated Gartner press release.

Key Takeaways

• Organizations should focus on three areas to drive their security operations strategy in 2022: 1) how to get value from threat intel and threat hunting, 2) focus visibility efforts to maximize exposure reduction, and 3) determine if automation and AI make sense for your security operations.
• “Measuring threat intel sounds daunting, and it can be. But you can apply metrics to feeds to see how many actionable indicators they provide, and also measure the efficacy of intelligence applied to events and incidents that were true positive vs false positive.”
• “Use threat intelligence to support hunting, either as the starting point or to fill in missing pieces. Formalize hunting as a core process of your SecOps program and set aside time on calendars to actually do it.”
• “There are three pillars of exposure management - attack surface, vulnerability, and validation.”
• Exposure management combines multiple approaches to optimize scope, automation and accuracy of the diagnostics. 
• “Before buying into automation or AI solutions, you must have a process defined and something to measure to see value in your investments.”

Key Takeaways

• “CISOs operate in a silo, and thus they are often overworked, met with unrealistic expectations and serve as a scapegoat. At the end of the day there is rarely anyone at the organization that shares the same accountability as the CISO does.”
  
• “Gartner considers four key factors when evaluating CISO effectiveness: functional leadership, information security service delivery, enterprise responsiveness and scaled governance.”
  
• “Few CISOs excel in every category, and in fact only 12% of CISOs that Gartner surveyed excel in all four categories of effectiveness.”
  
• “Effective CISOs are far less likely to report business-disrupting security incidents or project delays due to information security, and on the personal side, fewer effective CISOs feel overwhelmed by security alerts or by stress at work.”
  
• “There are 14 controllable differentiators of CISO effectiveness, which we’ve nested under four categories. An effective CISO is an executive influencer, a future-risk manager, a workforce architect and a stress navigator.” 
  
• “We are seeing a great deal of experimentation as organizations realize that old org charts no longer fit new digital ecosystems.”
  

Learn more about how to be an effective chief security officer in the complimentary Gartner ebook Four Factors of Effective CISO Leadership.

Key Takeaways

• “Organizations are hard to change as they have ingrained cultures. To fix that you can't just appeal to the top of the organization, you have to change it all the way through, and that's where storytelling comes in.”
  
• “Data stories help people to better engage with data. It is a simple formula for getting people to look and listen with an open mind. We are raised to consume narrative from childhood, so this is an intuitive approach for most people.”
  
• Start by investigating how you can apply narrative techniques to cybersecurity data to help communicate cyber risk to decision makers in your organization.
  
• Evaluate and experiment with the data storytelling capabilities of modern business intelligence platforms and cyber security performance management platforms. 
  
• Prepare programs to develop and instill narrative skills within the cybersecurity team, including a virtual team of certified data storytellers. 
  
• “Look for people who can tell a story rather than those who just take data out of security tools. It's about communication skills and being able to communicate to others.”
  
• “Is your current reporting changing the hearts and minds of those in your organization? Just throwing statistics at them doesn't resonate. What’s in it for them? Think about what the audience cares about and use emotional triggers.”