A Recap From My First Gartner Security Summit

“Seven things are more important than security”…And Other Key Takeaways


Brian Iverson (Gartner), Diana Kelly (IBM), and I

Two weeks out, and I’m still catching up at work after the 2014 Gartner Security and Privacy Summit, hosted in the spacious Gaylord National Harbor in Washington, DC, from June 23-26.  The summit was a three-day gathering of many top security leaders of Fortune 500 and government organizations on one side, and the top Gartner security analysts on the other.  Like most shows, there were keynote speakers, track speakers and a tradeshow floor with vendor booths.

I’ve been to countless security conferences – too many perhaps.  The list of shows includes the likes of RSA Conference, Black Hat, SANS, OWASP AppSec, Security B-Sides and more off-the-beaten track security events.  Gartner was different from most of the security conferences I’ve attended in several notable ways, including:

  • Senior Attendees:  This was a sport jackets and slacks crowd, not a jeans and black t-shirt crowd.  As advertised, most attendees were definitely farther up the food chain than the typical attendees I’ve encountered at most other security conferences.  I suspect the CISO/CSO to regular security guy ratio was pretty high compared to other security conferences as well.  I’m sure that’s by design; after all, this is Gartner.
  • Tone:  Not surprisingly, the tone and content used by speakers throughout were geared towards the level of security leadership in attendance.  No zero days here.  Absent too was the snarky tone that security researchers direct towards security leadership types in attendance at past Black Hat Executive Briefings.  I was more than OK with that… Much of what I heard was couched in terms of “business risk,” a term used more by business executives than security researchers.  CISOs like this because the folks they work for (CEOs and CFOs) not only use this language, but also think similarly about security – which perhaps is even more important for all of us to hear.
  • Perspective:  One thing made clear was that, if they do nothing else, Gartner analysts talk to a lot of people!  They speak to vendors, buyers, and each other – a lot.  As a result, they understand where gaps exist in the security marketplace, and they are many times blunt in their criticisms of certain vendors or sectors (incumbent anti-virus vendors were the clear “punching bag” for several analysts this year).  They are human and no doubt have their own biases, but they get paid to listen to much of the industry chatter.  In the lightning fast and hyper-competitive security industry we’re in, that’s valuable to vendors and buyers alike.

Brian Iverson and Steve Krapes during a track session on identity and access management.

Of course, everyone was there for the content, and that didn’t disappoint.  I tried to sponge up as much info as I could, but invariably missed other great sessions.  Like most conferences though, there were probably two or three concurrent great track sessions I really wanted to attend.  I tried to attend the sessions most closely aligned to application security and secure development topics, but that didn’t always work out.  Of course, I would miss the two shout-outs for ThreadFix, our application vulnerability management product, but was able to find out about both shout-outs via Twitter, which actually was even cooler. As things turn out, Gartner subsequently released its “2014 Magic Quadrant for Application Security Testing” and gave another shout-out to ThreadFix and Denim Group in that report (you can view it if you are a Gartner client).

Speaking of Twitter…following the conference via its hashtag (#GartnerSEC) on Twitter allowed me to catch major research points in other tracks.  Despite all the security research that is released, you can only be in one place at one time!

Key Content Takeaways

Overall, it was really worth the time and effort to get there because there were some pretty interesting things that came up during the conference.  Some of the highlights for me were:

  • We’re #8!  According to the 2014 Gartner CIO Technology Priority report, security ranked at #8 in the CIO priority list.  While that was sobering info for many, it was a good way to start the conference.  Too much of what I see at most security conferences is security guys talking to other security guys about how the business doesn’t get it.  Perhaps “the business” does “get it” – they just think seven other things are more important – what a concept! That means that, as an industry, we have more work to do…
  • When, Not If: Throughout the conference, I consistently heard that CISOs should be prepared for an inevitable breach. They must change their mindset to continuous compromise, which means continuous response.  Such is life in an advanced-threat world.
  • Traditional Defenses Not Enough:  Another theme presented at the conference was the need to look at and prepare for the nature of security defenses in 2014.  Several Gartner analysts stated that security blocking and prevention remain important, but they are not nearly as important as predictive and detection for advanced threats.  As I mentioned earlier, I was starting to feel bad for the incumbent AV vendors because they were the targets for many of the potshots from the Gartner gallery.
  • Uh, You Have a Problem: According to Gartner’s Neil MacDonald, 63% of targeted malware is discovered externally.  I’m not sure if that’s news, as it tracks with what other analysts and papers have reported.  But it’s good to hear this echoed from Gartner too. That has to be the worst call EVER to receive if you are a CISO.
  • General Alexander Looks Pretty Good in a Suit: In one of his first major addresses since retiring as the Director of the National Security Agency, “Mister” Keith Alexander was a keynote speaker at Gartner.  His stories about the creation of our nation’s Cyber Command and the problems of defending the civilian infrastructure he dealt with were well received by the security types, many of whom were Federal workers from the DC area.  My personal favorite was his story about how the prior General of the NSA’s social security number was blocked by the Federal Government, preventing him from buying his first post-retirement home; hilarious and sobering at the same time.

Looking Ahead to 2015

Flying out of DC with Gartner fresh on my mind, I had several thoughts about how to maximize my time at this particular conference next year.  If you plan to attend in 2015, you might consider jotting down one or two of these ideas:

  • Friends:  As much as I tried to reach out to friends and colleagues in the field before I left to anticipate who might be in attendance, there were simply too many industry friends present, and unfortunately, I missed a few key ones.  Next time, I’ll do a better job reaching out to my buddies before I leave, and of course, I’ll set aside more time for hanging out at the bar.
  • Getting from Point A to Point B: I’ll also plan not to leave my hotel room with just enough time to show up at sessions right before they close the doors.  Walking from point A to point B at the Gartner Summit took 50% more time than anticipated because of the sheer number of colleagues I invariably bumped into while walking through the conference hall.
  • Homework:  Next year I plan to do a better job of knowing which analysts to follow and will read more of their research papers prior to arriving.  That will allow me to do a better job choosing which sessions to attend.  The Gartner iPad conference app was great. It helped me organize the sessions I wanted to attend in a straightforward fashion.  Of course, my iPad mini died on Day 1 of the conference, but I quickly discovered the old-fashioned print conference agenda worked just fine.
  • Twitter:  As mentioned before, Twitter helped me follow most of the major announcements and other activities that I couldn’t physically attend.  My sense is that the coat and slacks community is mostly not on Twitter.  They would certainly get more out of the conference if they broke down and started tweeting.
  • Use Your Gartner Contact:  If you are a Gartner client, leverage your account rep.  Ours was fantastic, guiding me through the registration process and explaining many of the nuances of a Gartner conference. Because of her invaluable help I had a couple of one-on-one sessions with application security analysts that were particularly valuable parts of the conference for me.

Like most other conferences, I was tired after three days.  In a twist of irony, my wife pointed out that the host hotel had the word “Resort” in its name and that it must be glorious to hang out with my security buddies at a resort.  Having said all that, Gartner was a different but very solid conference.  As someone on the vendor side of the house, I will undoubtedly take much of what I learned back to Denim Group to fold into our product and service strategy.

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.

4 Responses to “A Recap From My First Gartner Security Summit”

  1. Richard Greenberg

    Great report, John. Interesting perspective, starting with the observation about the attendees. I’ll look towards this event next year, and hang out at the bar with you.

  2. Brian Wrozek

    Thanks for sharing. The conference tips are good for just about any industry event.

    Quick Question:
    Do other execs agree with the “not if but when” mindset when it comes to a breach? I don’t hear physical security directors telling their execs that having an employee murdered in their cubicle is a matter of “when not if”. Selling this may be harder than it sounds.

  3. Anne Rogers

    Thanks for the great recap, John. I think I agree with “not if but when” since the electronic environment is much harder to define and defend than a physical cubicle location. (Especially with the way our former perimeters have evolved into porous, and somewhat ethereal areas these days ;-)

  4. Amos Auringer

    Great perspectives, always good to see feedback on what people are hearing and what they observe and share. Continuous compromise is a great way to describe the environment and translate to business impact.