London, U.K., September 27, 2023

Gartner Security & Risk Management Summit 2023 London: Day 2 Highlights

We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week in London. Below is a collection of the key announcements and insights coming out of the conference. You can read the highlights from Day 1 here.

On Day 2 of the conference, we are exploring how organizations can best assess and monitor third-party security threats and reduce risk exposure, examining the five dimensions of application programming interface (API) security, and sharing key principles to identify and manage third-party cyber risks more effectively. Be sure to check this page throughout the day for updates.

Key Announcements

How to Both Assess and Monitor Third-Party Cybersecurity Threats While You Are Sleeping

Presented by Joanne Spencer, VP Analyst, Gartner

CISOs lose enough sleep worrying over their internal cybersecurity defenses, let alone the third parties beyond their control. In this session, Joanne Spencer, VP Analyst at Gartner, reviewed the tools and best practices that organizations are using to assess and monitor their third parties and reduce risk exposure.

Key Takeaways

  • “It is very difficult from an outside view to determine which third party has strong cyber controls and which ones are already, or likely to be, compromised.”

  • “A standard risk assessment process includes a questionnaire that organizations send to all third parties. For cybersecurity, this is a broken, flawed approach that usually leads to risk awareness or acceptance.”

  • “Rather than just categorizing vendors as high or low risk, focus on the nature of the relationship. Do they control sensitive data or have access to critical systems?”

  • “Determine your third-party cyber non-negotiables. Get executive endorsement and institutionalize them into RFP templates, supplier codes of conduct and external-facing sites for third parties.”

  • “You can’t just throw tools at this. You need to establish the right architecture by analyzing existing people, processes and technology to identify opportunities to improve your third-party cyber risk program.”

  • “Managing third parties is difficult on a spreadsheet, so most organizations have a third-party risk management tool to help automate the process.”

  • “If third-party controls are insufficient, implement your own mitigations such as data backup solutions, encryption and multifactor authentication.”


The 5 Dimensions of API Security

Presented by William Dupre, Senior Director Analyst, Gartner

Organizations must not only apply technical solutions to application programming interface (API) security; they must also change processes and culture. In this session, William Dupre, Senior Director Analyst at Gartner, explained how to protect APIs using the five dimensions organizations must consider.

Key Takeaways

  • “Organizations must put in place security controls to protect against the evolving API threat landscape.”

  • “API security programs must mature over several dimensions to address the growing threat landscape.”

  • “The first dimension is Threat Protection, which focuses on runtime or perimeter security.”

  • “The next dimension is Visibility. The capabilities in this dimension will span development and production.”

  • “Access Control forms the third dimension. Chief information security officers (CISOs) must put in place strong access control to protect APIs. This includes authN & authZ using modern access control solutions.”

  • “CISOs also need to look at Process to get a complete view of API security.”

  • “The 5th dimension is Culture. Establish a culture enabling API strategy which includes security and awareness.”

4 Third-Party Cyber Risk Principles That You Must Adopt

Presented by Christopher Mixter, VP Analyst, Gartner

With cyber risk becoming an increasingly important business risk, chief information security officers (CISOs) have an opportunity to better identify which third parties present a material risk and what actions should be taken. In this session, Christopher Mixter, VP Analyst at Gartner, discussed four principles that will help CISOs be more effective in identifying and managing third-party cyber risks.

Key Takeaways

  • “79% of organizations expect the number of third parties to increase over the next three years.”

  • “Define a policy for third-party cybersecurity risk by engaging relevant stakeholders to set appropriate scope and risk parameters that uphold cybersecurity standards and expectations commensurate with the risks.”

  • “Adopt a triage approach to apply the appropriate level of analysis by identifying the scope of third-party services and the data in their custody.”

  • “Develop targeted cyber-risk mitigations so that cyber-risk assessment results in predefined actions to address identified cyber risks.”

  • “Implement a plan for monitoring and communicating third-party cyber risks by allocating resources to manage the cyber-risk register, respond to changing risk factors or events, and report third-party cyber risks to relevant stakeholders.”

  • “Above all, use all available sources to monitor the pulse of third-party cyber risks.”

Tune back in tomorrow for more updates from the conference.

About Gartner

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight that drives smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit gartner.com.
