Conference Updates

Sydney, June 22, 2022

Gartner Security & Risk Management Summit 2022, APAC: Day 2 Highlights

We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week in Sydney, Australia. Below is a collection of the key announcements and insights coming out of the conference. You can read the highlights from Day 1 here.

On Day 2 from the conference, we are highlighting the top trends in security and risk management, and sessions on why third-party threats should be a key imperative for CISOs; what security metrics to report to the C-suite; and how to communicate about security and risk to the board.

Key Announcements

Top Trends in Security and Risk Management

Presented by Richard Addiscott, Senior Director Analyst, Gartner

There are numerous business, market and technology dynamics that security and risk management leaders cannot afford to ignore. In this presentation, Richard Addiscott, Senior Director Analyst at Gartner, highlighted the top trends which have the potential to transform the security ecosystem over the next one to three years.

Key Takeaways

  • Attack Surface Expansion. A dramatic increase in attack surface is emerging from changes in the use of digital systems, including new hybrid work, accelerating use of public cloud, more tightly interconnected supply chains, expansion of public-facing digital assets, and greater use of operational technology.
  • Identity Threat Detection and Response (ITDR). ITDR describes the collection of tools and best practices to successfully defend identity systems from endemic levels of attacks.
  • Digital Supply Chain Risk. As widespread vulnerabilities such as URGENT/11 and Log4j spread throughout the supply chain via reuse across all types of technology stacks, more attacks will emerge.
  • Vendor Consolidation. Security technology convergence is accelerating, driven by the need to reduce complexity, leverage commonalities, reduce administration overhead and provide more effective security. 
  • Cybersecurity Mesh. Cybersecurity mesh creates and leverages interoperable connections between security tools to promote a consistent security posture, allowing tools to share and leverage security intelligence and apply a dynamic policy model. 
  • Distributing Decisions. By 2025, a single, centralized CISO will no longer be sufficient to manage the cybersecurity needs of a digital organization.
  • Beyond Awareness. Human errors continue to feature in the majority of data breaches, a clear signal that traditional approaches to security awareness training are no longer effective. 

It’s not too late to join the conference!

Cyber Security Leaders Can No Longer Ignore Third-Party Threats

Presented by Luke Ellery, VP Analyst, Gartner

Even security and risk management leaders may be unaware of the threats posed by third parties with control of their organization’s most sensitive data, systems and relationships. In this session, Luke Ellery, VP Analyst at Gartner, explored how these leaders can help stakeholders manage third-party threats; as well as how they can assess threats and develop predefined actions to address critical vulnerabilities.

Key Takeaways

  • “As a CISO, it’s impossible to address third-party cyber risk by yourself – you must engage stakeholders to help identify threats in third-party engagements. First explain the fundamentals of cyber risk and then set policies that uphold cybersecurity expectations commensurate with risks.” 
  • “Adopt a triage approach to apply the appropriate level of analysis by identifying the scope of third-party services and the data in their custody. This will help determine whether further action is required.”
  • “Despite significant investment in third-party cyber risk, the majority of assessments result in no action. Help the business make decisions, don’t just tell them about the weaknesses. Do this using their language, communicating on matters they care about and highlighting the value at stake.”
  • “Have a set of predefined actions to mitigate the most common risks that third parties present.”
  • “Be more assertive around the expectations of different types of third-parties, including the minimum standards or controls to protect your organization from unacceptable risks.” 
  • “Breaches still occur despite best intentions, so assign resources that are empowered to respond. By implementing a plan for monitoring and communicating third-party cyber risks, these resources can manage the cyber risk register, respond to changing factors and events, and report to relevant stakeholders.”

Stop Reporting Operational Metrics to the C-Suite, Really … Stop

Presented by Rob McMillan, Managing Vice President, Gartner

CISOs keep generating detailed charts, dump them into 50-page slide decks and throw them at other executives, hoping they understand them ... or even care. In this session, Rob McMillan, Managing Vice President at Gartner, explored the messages that resonate best when reporting to executives; the most effective way to structure these metrics; and how operational metrics can be made more palatable if they must be used.

Key Takeaways

  • “Having a good cybersecurity program and strategy that is linked to the organization’s goals and objectives assists in building out your metrics program. It lays the foundation for reporting to your C-Suite in terms they are most familiar with … business terms.”
  • “Add context so your audience understands what the data represents. If metrics need to be explained every time you present them or your audience inherently has the question “so what?’ in their heads, they haven’t been properly structured or contextualized.” 
  • “Executives don’t intuitively see the connection between technical security data points and the business outcomes that leadership is responsible for achieving. Providing them with multiple technical data points isn’t effective at driving decision making.”
  • “Identify and communicate business relevant metrics that will enable you to demonstrate the value of the activities and show improvements over time.”
  • “Metrics must be measurable in a cost-effective manner. The higher the effort or cost it requires to identify, track and report these metrics, the less likely they are to become a part of the governance and decision-making framework in the organization.”
  • “Make sure your metrics drive action. Define a clear way forward and next steps or recommendations for your audience. A report that doesn’t help make these decisions isn’t useful.”
  • “Change the narrative by ensuring metrics clearly connect to business outcomes, tailoring a story to your specific audience and engaging your audience in actively managing its information risk.”

Five Security and Risk Narratives That You Can Use to Communicate With Your Board

Presented by Deepti Gopal, Director Analyst, Gartner

Boards of directors now require periodic reporting on the state of security and risk management in their organization. How do you develop effective messages that balance the need to protect with the need to run your business? In this session, Deepti Gopal, Director Analyst at Gartner, provided five actionable narratives that security and risk leaders can use for communicating with the board.

Key Takeaways

  • “Before developing a presentation for your board, get to know them as individuals. What is their background? What role do they serve? Do they have cybersecurity expertise? What are their biases and passions?”
  • “When communicating with your board, keep it on message. Think BOARD: Be brief, open, accurate, relevant and diplomatic.”
  • Narrative no. 1: What are our top cybersecurity risks? “Make a connection between the enterprise’s top cyber risks and the business opportunities that can be achieved if these risks are effectively managed. Emphasize the upside of effective cyber risk management, not only avoiding bad outcomes.”
  • Narrative no. 2: How does cybersecurity relate to our risk appetite? “Help the board understand that there is no such thing as perfect protection, just a continuum of cost and risk. Your goal is to build a sustainable program that balances the need to protect against the needs to run the business.”
  • Narrative no. 3: Who is managing our cybersecurity risks? “Security leaders must acknowledge that board directors' views of cybersecurity, risk and investment can vary, and your organization’s plan should reflect this.”
  • Narrative no. 4: Do we have a documented, auditable cybersecurity plan? “Where possible, adopt a recognised framework. Compliance to regulation is never enough. In court you will be expected to not just meet the regulation but have met the reasonable person test.”
  • Narrative no. 5: Can we turn our cybersecurity stance into a market differentiator? “Be careful here, as “adequate” security is not a differentiator. Instead, find a way to demonstrate how security contributes to overall business performance, for example, by using a balanced scorecard approach illustrated with a simple ‘traffic light’ mechanism.”

About Gartner

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit

Media Contacts

It's not too late to join the conference

Latest Releases