Conference Updates

Sydney, March 29, 2023

Gartner Security & Risk Management Summit 2023, APAC: Day 2 Highlights

We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week in Sydney, Australia. Below is a collection of the key announcements and insights coming out of the conference. You can read the highlights from Day 1 here.

On Day 2, we are highlighting sessions on how to get people to care about security and risk; privacy and ethics - how to prepare for digital society; and how to maximize the adoption, effectiveness and return on investment of security controls by taking a more human-centric approach.

Key Announcements

How to Get People to Care About Security and Risk

Presented by Mary Mesaglio, Managing Vice President, Gartner

It might not always feel this way, but being a CISO is a little like being a Hollywood celebrity. In fact, CISOs have a compelling story to tell about why people, from executives to frontline employees, should care about risk and security. In this session, Mary Mesaglio, Managing Vice President at Gartner, explored how to tell a great cyber story, including why it’s hard and why it matters right now.

Key Takeaways

  • “If you want someone to take ownership of something, don’t just make it easy … make it meaningful. Why should they do something and why is it important or meaningful to them? Simply keeping enterprise data safe is nice enough, but it’s abstract, generic, far away."
  • “If you’re concerned about secure user behavior, evaluate security through a psychological lens, rather than a technology or a business lens.”
  • “Explaining rational arguments for security doesn’t lead to secure behavior. Tap into real emotive messages to overcome that effect and increase their sense of ownership.”
  • “When employees see cybersecurity as their responsibility, their behavior becomes more secure. Just changing the perspective on who is responsible for security can have a dramatic impact on the likelihood that someone will do something we don’t want them to do.”
  • “Ensure employees feel psychologically safe admitting a mistake. Fear and shame hijack the brain and are immobilizing. They don’t help a person change behavior, but make them feel exposed and vulnerable, which more likely has a paralytic effect.”
  • “Laziness is built deep into our nature. Employees are part of the lazy economy, acting as consumers in their private lives and participating in hyper-convenient business models that deliver convenience. The bigger the gap between the level of convenience people experience in their private and professional lives, the worse your life as CISO will be.”
  • “Traditional security awareness training programs don’t work. If you want people to behave in a security conscious way, remove the friction employees experience from controls.”

Privacy and Ethics: Prepare for Digital Society

Presented by Bernard Woo, VP Analyst, Gartner

Society is digitalizing at unprecedented speed, and the nature of our interactions has changed fundamentally. What does this mean for privacy and corporate ethics? In this session, Bernard Woo, VP Analyst at Gartner, explained why privacy is contextual, how overzealous data harvesting may harm an organization's performance, why sometimes less is more, and areas to challenge colleagues to make life generally easier.

Key Takeaways

  • “Stop mistaking security for privacy. Privacy allows purpose, leading us to assess what we need, every time and provides data usage lifecycle insight. Whereas, security just keeps what you have safe and doesn’t determine how personal data can be used.”
  • “Purpose dictates what data should be processed, helped by context, and adds what can be expected and what can’t.”
  • “Expectations are what individuals have of their own, aided by how we guide them along the way - a privacy user experience. Expectations shouldn’t be what they have come to expect after a bad experience.”
  • “Take accountability for what you do with your customers’ data and take only what you need, anonymize where possible. If you can’t protect, don’t collect.”
  • “In emerging digital environments, taking responsibility over the use of digital technologies, even if legally not required, builds and improves trust.”
  • “Be empathetic by putting yourself in your customers’ shoes. Develop a sense of right and wrong that goes past just being afraid of punishment or hoping to generate a product sale whether legally or in terms of customer loyalty.”
  • “Display competence by building the capacity and expertise to be able to quickly and adequately address problems. Don't simply acknowledge the need to care and accept the responsibility; you also need to be able to follow through.”
  • “Promote trust. It is great to take responsibility, but if your stakeholders do not trust you to do so, your offer will not be accepted.”

So, You Want to Improve Security Control Adoption? Forget the Tech for a Second

Presented by Richard Addiscott, Senior Director Analyst, Gartner

CISOs often use technical security controls when they need to respond to emerging threats or digital capabilities the business wants to use. However, research tells us that the majority of data breaches still involve the human element and employees are aware of their behavior. In this session, Richard Addiscott, Senior Director Analyst at Gartner, discussed how to maximize the adoption, effectiveness and return on investment of security controls, by taking a more human-centric approach when designing and implementing them.

Key Takeaways

  • “Focusing too much on technology isn’t helping cybersecurity teams deliver the results stakeholders expect from their cybersecurity investments.”
  • “Adopting human-centric security design will drive better security outcomes, improve the return on security investments and help foster a more security-conscious corporate culture.”
  • “The humans being impacted by expected change — whether it’s good or potentially seen as less positive change — become the focus for security control design and not the technology, or the threat being protected against, as is usually the case.”
  • “Human-centric security design allows for a range of different contexts, as well as the needs of individuals or work groups as they go about their day-to-day work, such as where, when and how much they work, and what they need to do their work.”
  • “Recognize that cybersecurity-induced friction impacts employees’ willingness and ability to adopt security controls.”
  • “By considering where you can ease the burden for employees through more human-centric controls, you can redesign or even retire controls that add friction without meaningfully reducing risk.”
  • “Taking a human-centered security approach promotes a more flexible security experience for employees that is still risk appropriate and considerate of ethics.”

About Gartner

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit

Media Contacts

Latest Releases