Takeaways from the 2017 Gartner Security & Risk Management Summit

Joel Alcon | June 23, 2017

This year marked another great Gartner Security & Risk Management Summit, with over 3,000 attendees bringing together CEOs, CIOs, CISOs, IT Directors, Risk Managers, and other risk and security professionals at National Harbor, MD from June 12-15. An underlying theme emerged from the numerous sessions I attended and the various conversations I had: all roads lead back to business value. Whether it’s a new vendor that a company is looking to onboard or a cloud technology the organization is implementing, everything should tie back to a business decision.

Cybersecurity Should be a Critical Part of the Business

Security teams do not want to be blockers to business progress. They need to be part of business discussions rather than sitting in their own silos, where they are viewed as shooting down ideas from the business. Although CISOs and CIOs meet regularly with their Board of Directors, there is a lack of mutual understanding between business needs and security requirements. Paul Proctor, for example, highlighted that there is no such thing as "perfect protection." Companies either accept higher risk at lower cost, or take on less risk at a much higher cost. As their business needs change, the company moves along that spectrum, and security must be an important part of that dialogue. This process highlights the need for executive reports that measure the link between where the business is going and how risk management, including vendor risk management, fits into that narrative.

Growing Concern: Complexities of the Third Party Ecosystem

Jay Heiser delivered a great presentation where he discussed security ratings and how they fit into a company’s vendor risk management strategy. The message is clear: continuous information outweighs a single point-in-time snapshot. In fact, organizations today are beginning to understand that continuous assessment processes are more reliable than rigorous assessments conducted once. Gartner estimates that by 2021, 50% of data will be outside of the physical control of enterprise IT, up from 10% today. As companies migrate their systems to the cloud, the need to scale their vendor risk management program and focus on cloud security will continue to grow.

The Need for Agility and Scalability in Risk Management

Security teams are being asked to be agile and adapt to the growing demands of the business. One of the themes that came up multiple times at the Gartner Summit is how organizations can do more with their existing resources. There is a need for organizations to scale their vendor risk management programs, adjust their approach with the speed of the business, and collaborate with internal and external stakeholders -- all with limited resources.

To be agile, companies don’t necessarily need additional headcount. In fact, there was an interesting anecdote in one of the sessions. Jeffrey Wheatman talked about a CISO who would frequently report to the board and ask for additional security budget. Each time, he failed to connect the need for more budget to the needs of the business, and he was unable to use metrics to demonstrate improvements with the budget he had already been given. Eventually, that CISO was “demoted” and was forced to report to the CIO instead of the board of directors. This highlights the need for CISOs to be more agile with the resources they have, and to measure and clearly communicate the success of their security initiatives. A security ratings platform can help measure their security posture and the aggregate risk of their vendor ecosystem.

The Evolving Regulatory Landscape: GDPR and China’s New Cybersecurity Law

There were discussions at the Gartner Summit on GDPR and China’s new cybersecurity law. Gartner estimates that by 2019, 30 percent of organizations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices.

Organizations appear to be focused on the concept of breach notification and data protection, and how these new guidelines potentially impact them as third parties to companies abroad. There is quite a bit of buzz around GDPR and China’s new cybersecurity law as organizations try to figure out how to approach the new guidelines. BitSight Security Ratings have provided a way for organizations to continuously monitor the security posture of their vendors and demonstrate their efforts to mitigate the risk from these third parties. The solution also enables those same service providers to monitor their own security posture and measure improvements over time.

Concluding Thoughts

This year’s Gartner Summit brought together a diverse set of C-level executives, risk managers, industry analysts, and technology providers. Many innovative ideas were shared during the sessions and keynotes, at lunch tables and networking events, and throughout the exhibit floor. The underlying theme is that today’s interconnected digital world is driving organizations to adjust their stance on security and risk management to better align with the needs of the business. One area in particular that is rapidly evolving is third party risk management. As organizations expand their supply chain ecosystem, it will become increasingly important to assess the varying levels of risk that come with each new vendor.

BitSight is at the forefront of that evolution, with nearly 100 Fortune 500 companies using security ratings to quickly scale their approach to third party risk management.
