Gartner Security & Risk Management Summit 2025, Sydney: Day 2 Highlights

SYDNEY, Australia, March 4, 2025

Overview

We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week in Sydney, Australia. Below is a collection of the key announcements and insights coming out of the conference. You can read the highlights from Day 1 here.

On Day 2 of the conference, we are highlighting sessions on how to measure and quantify the cost, risk and value of AI initiatives; the human factors in security; and how to manage insider risk.

Key Announcements

Measuring and Quantifying Cost, Risk & Value of AI Initiatives

Presented by Luke Ellery, VP Analyst, Gartner

Cost is one of the greatest near-term threats to AI success. Calculating that cost represents a significant challenge for leaders. In this session, Luke Ellery, VP Analyst at Gartner, discussed how to identify the cost drivers for AI, as well as the ensuing risks that need to be estimated, managed and mitigated.

Key Takeaways

  • “Effectively estimate cost, risk and value by categorizing opportunities into three initiative types - ‘defend’ for marginal gains and micro-innovations; ‘extend’ to grow market size, reach, revenue or profitability; and ‘upend’ to bring new products to market quickly.”
  • “Build a cost estimate by focusing on the cost factors relevant to your initiative type. Get your assumptions correct, otherwise costs can blow out 5 to 10 times their estimates.”
  • “Mitigate risk by allocating budget, resources, training and tools to ensure a safe, secure, ethical and reliable AI solution. Don’t underinvest, as it could be detrimental to your organization’s brand and reputation.”
  • “Predict your GenAI cost and cost risk by modeling several scenarios incorporating over 100 different cost line items.”
  • “While productivity is the leading benefit most organizations expect from AI initiatives, maximize value realization by incorporating multiple benefit measures of GenAI.”

Journalists can receive additional information and/or request an interview with the Gartner expert by contacting Emma Keen at emma.keen@gartner.com.

Outlook for Human Factors in Security 2025

Presented by Alex Michaels, Senior Principal Analyst, Gartner

Cybersecurity leaders often lament that users are the weakest link in the cybersecurity chain. But what if these unreasonable expectations about users are actually creating or exacerbating that weakness? In this session, Alex Michaels, Senior Principal Analyst at Gartner, outlined how security leaders can shape security controls to mitigate weaknesses and optimize resilience.

Key Takeaways

  • “Beating the drum for security awareness is nothing more than a compliance requirement. For security behavior and cultural programs to succeed, security guidelines must be built around what humans want to do.” 
  • “Continuously engage with people to design cybersecurity controls with minimum effective friction. Seek adaptive approaches to add friction only when risk demands it, and embrace inclusive design to maximize digital accessibility.”
  • “Reduce complexity by focusing on a minimum effective skill set. Keep guidance simple and straightforward, focusing on core behaviors.”
  • “Cultivate partnerships so employees share ownership for cybersecurity with their teams. Psychological ownership is cultivated when people learn, contribute and control.” 
  • “Ensure policies are findable, understandable and actionable, making it easy for people to behave securely.”

Protection From the Risk Within: Managing Insider Risk

Presented by Paul Furtado, VP Analyst, Gartner

One of the biggest risks to an organization’s security comes from those who access its systems daily. In this session, Paul Furtado, VP Analyst at Gartner, provided guidance on how to build an effective insider risk management program. He discussed the tools, tactics and techniques to balance users' privacy with the needs of the business. 

Key Takeaways

  • “Insider risk is driven by all connected employees, contractors and third parties that are innovating, collaborating and creating every day. Focus on protecting all data and users from everyday risks - no matter their intent.”
  • “Insider threats, on the other hand, are less than 1% of employees with malicious intent. Focus on specific users committing isolated acts with such intent.”
  • “Insider risk management is a methodology, not a product. These programs fail if an organization focuses on using a single technology; lacks awareness of where all confidential data exists; provides insufficient security awareness and training; among other factors.”
  • “Implementing monitoring for risk indicators is proactive and can provide intelligence to mitigate data loss before an exfiltration event even takes place.”
  • “An appropriate insider risk management response is to implement the CARE model: contain, assess, resolve and educate.”

That's a wrap for Gartner Security & Risk Management Summit in Sydney. Until next year!

About Gartner

Gartner (NYSE: IT) delivers actionable, objective business and technology insights that drive smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit gartner.com.