Six takeaways from the Gartner IT Symposium 2023

Last week I attended Gartner’s IT Symposium/Expo, October 16-19, 2023, in Orlando. According to Gartner, this annual tradition draws over 8,000 CIOs and senior IT leaders with 140 Gartner experts and 350 sessions. I focused my time on sessions and conversations related to cybersecurity trends. With so many options to choose from, it’s safe to say that no two attendees had the same experience. But across multiple sessions and speakers, I noticed some recurring themes worth sharing.

These were my six takeaways for security professionals.

1. Prepare for Growth

One recurring theme is that, despite recession and inflation, CEOs and Boards feel the pressure of sidelined capital. It’s time to make big bets for the future, whether that’s M&A, geographical expansion, or new ventures. Kristin Moyer and Mark Raskino, Distinguished VP Analysts, shared the results of their survey, showing that CEOs are cautiously optimistic about the economy. Growth is a higher priority than cost management. 57% of CEOs are asking for higher returns. 43% of CEOs are willing to tolerate longer time-horizons on investments. It’s not just “quick and dirty” projects right now. “Efficiency & productivity” is still on their top 10 list, but it’s at the bottom.

With investment in growth, IT teams will see an expanding attack surface. Budgets will be increasing for cloud platforms, BI/data analytics, and application modernization. As a result, 2024 will not just be about battening down the hatches but about enabling the business to move fast and safely. Perhaps the best news is that CIOs’ #1 area for increased investment is cyber/information security. In her session, Fadeen Davis, shared that 66% of CIOs are increasing cyber investments in 2023.

2. Prepare for AI

The big theme running across this year’s Symposium was AI. Everyone needs to get ready. The CEO survey, according to Moyer and Raskino, shows that CIOs need to frame the AI future for the executive team because the CEO and Board are already headed in that direction. In 2021, about 15% of CEOs were already citing AI as a top-impact technology. Only two years later, that number is an astounding 56%.

In the keynote session, distinguished VPs Mary Mesaglio and Don Scheibenreif mentioned that we are clearly at the peak of the hype cycle with AI, and said we can all expect the “trough of disillusionment” soon. However, that doesn’t diminish the urgency of taking action. “The dark side of AI is a problem, and sadly it’s your problem.” They emphasized the need for all IT teams to create lighthouse principles, create a policy on acceptable internal use of GenAI, and to implement AI-ready security. And if your company is cultivating any LLMs (large language models) or AI training data, your CIO needs to be thinking about how to secure access to that data.

Dr. Greg Heon, a Senior Director at Palo Alto Networks, brought home the point about AI policies in his session, The CIO’s guide to AI and Security. He asked the audience how many had tried ChatGPT, and 80% of hands went up. Then he asked how many of us work at companies with a policy about acceptable use of AI, and only about a dozen hands went up in a room of ~150. Given that disparity, security teams should be doing more to tell employees what is and is not allowed. Heon suggested that tools that generate text and check grammar carry some risk of data leakage.

From the attacker’s standpoint, it’s clear that generative AI is already a boon. As one example, Generative AI is accelerating phishing attacks. Heon showed an example that they tried internally, where GenAI created a phishing email that looked like a Docusign notification asking employees to sign the employee handbook. Heon said that a whopping 25% of employees fell for it. GenAI also automates the work of social engineering since it’s easier to impersonate with deepfakes for calls and videos. GenAI is also introducing new threat vectors with a whole new category of vulnerabilities. He pointed to the OWASP Top Ten LLM, a list of new risks, like prompt injection and training data poisoning.

On the defender’s side, the AI use cases are still emerging. Multiple speakers suggested that AI will supercharge security efficiency by enabling “defense at machine speed”. Tools will block sophisticated attacks without human intervention. In his session “The Top Predictions for Cybersecurity, 2023-2024”, Gartner’s Craig Porter shared a prediction that by 2027, generative AI will contribute to a 30% reduction in false positives for vulnerability assessment and threat detection. The Gartner team sees AI increasingly embedded in existing tools, and GenAI in particular will enrich security alerts with more context to help end-users make decisions and remediate.

3. Ransomware is Accelerating

With GenAI creating realistic messages for phishing attacks by scraping information off the web, expect increased volume of attacks and ransomware. This came from Gartner’s VP Analyst Paul Furtado, who emphasized that, though there are ways to fight back against ransomware, “it’s not a question of if but when.” Even if publicly-available GenAI tools have policies that restrict malicious use, there will soon be LLM models available on the DarkWeb. Furtado said that we currently see one ransomware incident every 11 seconds in the world, and Gartner predicts this to shorten to every 2 seconds by 2031. With generative AI and ransomware as a service (RaaS), it hardly costs anything to launch these attacks.

The clear takeaway about ransomware is that it’s costly. The average ransomware demand is 1-1.5% of revenue. The criminals are organized and they do their research. “They subscribe to the Wall Street Journal and Dun & Bradstreet. They read the investor relations section of your website.” The average payment for 2Q23 was $740k, but this pales in comparison to the resulting downtime, which Furtado said could cost 5-10X the ransom. The total average cost per attack is thus more like $4.5m. Though Gartner advises to not pay, 58% of orgs (like Colonial Pipeline) are choosing to pay. However, doing so makes you a bigger target for subsequent attack. 80% of those who pay will get hit again, typically within 6 months. Even those who pay and receive the decryption keys may find that the decryption process is so slow that it takes months to restore. On average, only 61% of data is recovered, and the typical disruption to the business lasts 25 days.

The most common path for ransomware infection is still email phishing (45% of attacks), followed by remote attacks on server, remote desktop protocol, third-party contractor working inside the organization, and misconfigured cloud instances. Insider threats are real, and Furtado showed a few examples of emails that bad actors sent to entice employees: “We’ll give you $10,000 to share your credentials, and we’ll do the rest.”

4. Build an Identity Fabric

Since security awareness isn’t able to prevent all phishing and insider threats, companies must adopt an Identity Fabric. In his session “Top Trends in Security”, Gartner VP Analyst John Watts shared the trend of safeguarding IAM assets with identity fabric immunity. In their research, said Watts, Gartner has found that “80% of organizations have had some sort of incident related to identity in the last 12 months.” This is a theme we talk about at Veza all the time. Before an attack, one needs good hygiene and security posture, including tight discipline on privileged admin accounts. As Watts said, companies must protect the IAM admin account or else “it’s pretty much game over.” OAUTH tokens can be stolen and replayed to access SaaS apps, and there’s no easy way to detect that this is happening. Watts alluded to emerging ITDR tools (identity threat detection & response) to help during attacks.

His prescription was to do the common-sense things we know are important but can’t always get to: remove dormant accounts, enforce least privilege, and enforce MFA. Watts shared a surprising statistic that only 35% of Azure AD tenants enforce MFA (multi-factor authentication). That should be an easy fix. Furthermore, since attackers are increasingly going after IAM infrastructure itself, companies should assess their identity tools for areas of fragility.

5. Invest in Security Outcomes

Whenever I got the chance to strike up a conversation with fellow attendees, I always asked my favorite question about security: how do you decide what to prioritize? No two answers were the same. One Head of IT swore their loyalty to the book How to Measure Anything in Cybersecurity Risk. Another CIO told me that she has everyone on her team pitch three ideas and then the team votes, after which she adds it all up to form a budget request.

A novel approach was put forth in the session “Think you’re safe? Results from the Cybersecurity Business Value Benchmark”. In this session, Paul Proctor, Gartner Distinguished VP Analyst, said that investing in outcomes should be the focus. Paul showed a matrix of 16 “business value benchmarks”, each of which is both a quantifiable measure of protection and is “directly investable”. That is to say, your team can choose how much to invest in various protection levels. Examples of value benchmarks include: MFA coverage, access removal time, privileged access management, and expired policy exceptions.

Proctor points out that a typical security dashboard might include metrics that aren’t directly actionable, like the count of monthly attacks. It’s more useful to have a business conversation about a metric like “access removal time”, where a company can choose how much to invest in shrinking this. Similarly, a company can make a deliberate choice about how many privileged accounts are allowed to persist for a given number of admin-type employees. Most companies cannot afford to be best-in-class on every business value metric, but the framework allows security leaders to lead a conversation about the “protection level agreement” that is most appropriate for the business.

At a time when boards are getting more involved in security, yet seeking measurable return on security investments, the Business Value framework makes a lot of sense.

6. Reduce the Friction of Security

Across several sessions, there was a recurring theme that employees don’t always follow the rules when it comes to security. Awareness training only goes so far, and it’s common for employees to violate policies, sometimes knowingly, because they need to get their tasks done and perceive the risks to be low.

“Dealing with human factors” may be the answer. Gartner’s Senior Principal Analyst Fadeen Davis said that only 15% of employees exercise high cyber judgment. In her session, “Leadership Vision for Security and Risk Management, 2023”, she reminded us that 74% of all data breaches involved a human element. Phishing is still top of the list, but there are plenty of other culprits like unsupervised 3rd party access, weak passwords, and system misconfigurations.

To promote cyber judgment (the ability to make cyber-risk decisions autonomously), sales & risk leaders should create a culture of security consciousness and root out the frictions that cause employees to circumvent policy. Talk to new employees to learn how they experience controls. Aim to co-design processes with partners in the business. Look at violations as opportunities to learn and remove friction. This is something we believe at Veza, as we lower the friction in access governance. Veza customers are less likely to have expired permissions or dormant accounts or unintended privileged access because we make it easy to see, fix, and prevent these violations.

A Time for Leaders

My overall conclusion from Gartner IT Symposium: it’s time to lead. Companies are transitioning back to growth mode, and this portends a larger attack surface for CIOs and CISOs. Meanwhile, attackers have more tools at their disposal, so they’ll be attacking at machine speed, and defenders will need to fight fire with fire. The good news is that companies are willing to invest more in cybersecurity. And boards are willing to approve big investments, as long as executives show measurable progress in return. Though attacks and incidents may be inevitable, downtime and damage are not. The best leaders will help their executive teams make deliberate and proactive decisions about the levels of protection needed to weather the storm.