Gartner Security & Risk Management Summit 2024 London: Day 3 Highlights

London, U.K., September 25, 2024

Overview

We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week in London. Below is a collection of the key announcements and insights coming out of the conference. You can read the highlights from Day 1 and Day 2 here.

On Day 3 of the conference, we cover the top security risks of generative AI (GenAI), what the software supply chain is and how to protect it, and five things CISOs must do to prepare and enable their organization for GenAI. Be sure to check this page throughout the day for updates.

Key Announcements

Top Generative AI Adoption Security Risks and Mitigations

Presented by Dennis Xu, Senior Director Analyst, Gartner

Is that SaaS-delivered generative AI (GenAI) app secure to use? Are you building GenAI apps securely using cloud-hosted large language models (LLMs)? In this session, Dennis Xu, Senior Director Analyst at Gartner, discussed the top security risks of GenAI and what security and risk leaders should do to mitigate these risks to ensure a safe and secure GenAI adoption journey.

Key Takeaways

  • “All security threats and risks can result in one of three impact types - data loss, hallucination and toxic output. It’s important to determine what type of impact is of higher criticality to your business, and treat those first.”

  • “Keep your GenAI applications loosely coupled from LLMs with an orchestrator to minimize the effort of switching models.”

  • “If you don’t red-team your external-facing GenAI apps to identify and assess vulnerabilities by simulating potential real-world threats, others will do that for you.”

  • “Establish a solid foundation in cloud security, data security and application security first, then implement GenAI-specific controls after.”

  • “Secure custom GenAI apps with native, open-source or third-party GenAI security controls.”

The Overlooked Attack Vector: Defending the Software Supply Chain

Presented by Dionisio Zumerle, VP Analyst, Gartner

Protecting software development infrastructure is an essential but often overlooked element of software supply chain security. In this session, Dionisio Zumerle, VP Analyst at Gartner, explained what the software supply chain is and offered steps to protect it.

Key Takeaways

  • “The software supply chain consists of the components, dependencies and development environment involved in software delivery.”

  • “Security of the software supply chain is now as critical as the security of the software itself.”

  • There are three steps to protect the software supply chain:

    • Protect the artifacts: Perform continuous software composition analysis.

    • Protect the pipeline: Identify secrets in source code and establish multifactor authentication for the software engineering environment.

    • Add advanced measures as you mature your application security program. For example, implement secrets management and put in place pipeline component integrity checks.

  • By 2027, Gartner predicts that 80% of organizations will have adopted specialized processes and tools across the enterprise to mitigate software supply chain security risks, up from about 50% in 2023.
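As an added example, not code from the session or from Gartner, the two pipeline-protection steps above in working form: a secrets scan run over a few constructed source lines, and a pipeline component integrity check that compares fetched components against pinned SHA-256 digests. The sample lines, the fake credential values and the component names are invented placeholders; the regexes and the 3.5-bit entropy threshold are this example's own choices, not a Gartner recommendation.

```python
import hashlib
import math
import re

# Constructed sample source lines (placeholders, not real code or credentials).
# Line 3 holds a fake key of the right shape, line 4 a random-looking literal.
SAMPLE_SOURCE = [
    'import os',
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',            # read from env: fine
    'aws_access_key_id = "AKIA0000000000EXAMPL"',         # hard-coded credential
    'GITHUB_TOKEN = "Zk9sdFRxSnZ3cEw3UWZpYk5xUkh2VEUy"',  # hard-coded credential
    'API_TOKEN = "${VAULT_API_TOKEN}"',                   # template placeholder: fine
]

# Rule 1: the well-known AWS access key ID shape (AKIA + 16 upper-case alphanumerics).
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a quoted literal assigned to a secret-looking variable name.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|key|password|passwd)\w*\s*[:=]\s*[\"']([^\"']+)[\"']"
)
# Values such as "${VAULT_API_TOKEN}" or "<redacted>" are templates, not secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>)$")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking tokens score high, words and URLs lower."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_secrets(lines):
    """Return (line number, rule name) for each probable hard-coded secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws-access-key-id"))
        match = SECRET_ASSIGNMENT.search(line)
        if match:
            value = match.group(1)
            # Short or low-entropy values (e.g. "changeme") are a known blind spot
            # of entropy scanning; pair this with a dictionary of default passwords.
            if (not PLACEHOLDER.match(value)
                    and len(value) >= 16
                    and shannon_entropy(value) >= 3.5):
                findings.append((lineno, "high-entropy-secret-literal"))
    return findings


def pin_components(known_good: dict) -> dict:
    """Record SHA-256 digests of reviewed components (in practice: a lockfile)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in known_good.items()}


def verify_components(pinned: dict, fetched: dict) -> list:
    """Return the names of components that are missing or whose bytes do not
    match the pinned digest; a pipeline should refuse to run any of them."""
    failures = []
    for name, expected in pinned.items():
        data = fetched.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            failures.append(name)
    return failures


# Constructed component bytes: digests pinned at review time, then one
# component is served with different contents at build time.
PINNED = pin_components({
    "build-action": b"build-action v1 (reviewed)",
    "linter": b"linter v2 (reviewed)",
})
FETCHED = {
    "build-action": b"build-action v1 (reviewed)",
    "linter": b"linter v2 (modified upstream)",
}

if __name__ == "__main__":
    for lineno, rule in find_secrets(SAMPLE_SOURCE):
        print(f"secret finding: line {lineno} ({rule})")
    for name in verify_components(PINNED, FETCHED):
        print(f"integrity failure: {name} does not match its pinned digest")
```

Run as a script it reports lines 3 and 4 of the sample as findings and `linter` as the integrity failure; the environment-variable and template lines pass. The digest check is deliberately a plain comparison of pinned hashes: it catches a component that changed between review and build, which is the failure mode the "pipeline component integrity checks" step targets, but it does not by itself prove who produced the component, which is what signing adds on top.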

5 Things CISOs Must Do to Enable the GenAI Journey Today

Presented by Craig Porter, Director Analyst, Gartner

With increasing focus on generative AI (GenAI) within organizations, CISOs need to focus on breaking down the hype, knowing best practices, and establishing guardrails around the technology. In this session, Craig Porter, Director Analyst at Gartner, detailed five things CISOs must do to prepare and enable their organizations for GenAI.

Key Takeaways

  • “Set clear expectations for GenAI use by defining goals and principles using a collaborative approach. This involves identifying and managing the risks, establishing clear use cases and measuring progress.”

  • “Establish GenAI governance by defining strategies, ground rules and acceptable use policies to inform users of their obligations. It also provides actionable guidance and transparency to help them decide on proper use and sanctions for misuse.” 

  • “Value traceability to track and explain GenAI processes, including the data it uses and the decisions it makes, to ensure transparency, accountability and trustworthiness.”

  • “Manage the skills and talents in your team. Reset your expectations on the workforce impact of GenAI - it augments and supports your staff, but it doesn’t replace them.”

  • “Measure the success and expected productivity improvements of your security investments in GenAI by using outcome-driven metrics - such as business value, risk posture and cost.”


About Gartner

Gartner (NYSE: IT) delivers actionable, objective business and technology insights that drive smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit gartner.com.