GARTNER SECURITY & RISK MANAGEMENT SUMMIT — Washington, DC — Hype can be a detriment or an opportunity to improve one’s security posture, according to the opening keynote at Gartner’s Security & Risk Management Summit today.
The keynote, entitled “Harness the Hype: Turning Disruption Into Cybersecurity Opportunity,” was hosted by Gartner distinguished vice president analysts Leigh McMullen and Katell Thielemann. The talk concerned the waves of hype that can take over the cyber industry, either through optimism for emerging technologies like AI or preoccupation with certain threats and risks.
McMullen referenced major changes to the public sector in the past six months, involving executive orders, budget cuts, major shifts in policy, tariffs, and more. As he said, “Even if you’re not in public service, then the government is still probably one of your biggest customers.” Sea change and uncertainty can lead organizations to look for new solutions, where hype also plays a role.
And hype is, without a doubt, on display at Gartner’s Security & Risk Management Summit this week. For example, AI continues to be a major focus on the conference circuit; agentic AI is the focus of many sessions at the show — some of which run concurrently with each other.
McMullen and Thielemann, through the keynote, aimed to explain how organizations can utilize hype to bolster their security programs while preventing it from derailing objectives.
Utilizing Hype for Cybersecurity Good
The presenters offered a number of stats to elaborate on how hype plays into the security ecosystem today.
Thielemann noted that 74% of CEOs believe generative AI (GenAI) is the technology that will most significantly impact their industries over the next three years, and that 84% plan to increase their AI investments this year. Meanwhile, 85% of CEOs consider cybersecurity critical to growth, and 87% of tech leaders are increasing their cybersecurity funding.
“Across the C-suite and the board, I think our surveys are all pointing in the same direction: cyber incidents are now hitting the bottom line,” McMullen said.
He added that, while executives are paying more attention to cybersecurity, hype can also lead to hasty decisions in which organizations invest too much, too fast, in unproven technology. “New tech is coming, whether we’re ready for it or not,” he said.
Thielemann described a situation where a CEO calls the security team in because a competitor got hit by ransomware and is still disrupted weeks later. The CEO wants to know if something like that can happen at her company.
“You have her undivided attention, but you also have a couple of choices. You could go in a direction of fear, uncertainty, and doubt. Start slipping her brochures on new ransomware protection tools hoping to get more budget, but ultimately that destroys your credibility as a trusted adviser [if the tools fail],” Thielemann said. “Or, you could show [the CEO] how your cybersecurity team has already made targeted investments that not only support the enterprise today but also future-proof for new product lines and automation.”
Getting Ahead of the Hype Cycle
To avoid hype pitfalls, such as those that might be created following a competitor’s ransomware attack, McMullen and Thielemann advocated for “mission-aligned transparency” using protection level agreements (PLAs), which are formal commitments between security teams and executives defining the amount of money an enterprise is willing to spend to achieve a desired level of cybersecurity protection.
The presenters also recommended using what they dubbed “outcome-driven metrics” (ODMs), which define the organization’s current level of security protection or exposure, as part of this process. ODMs are used to express your current protection level and start a conversation regarding whether to invest more in a specific kind of protection or accept more risk to save money.
For instance, ODMs could be used to express that, say, only 20% of critical physical systems that impact production have effective procedures to remain operational in case of a ransomware attack, and that fewer than half have gone through a ransomware simulation. That would start a conversation about the level of exposure organizational leadership is comfortable with, and what level of protection it would be willing to fund.
“You can walk through the options and say, if you want to increase the 20% of critical systems with ransomware recovery procedures to 70%, that will cost $1 million. If you want to increase to 80%, that will cost $1.5 million,” Thielemann said. “This has just become a fact-based conversation rather than a fear-fueled debate.”
The AI Security Hype Machine
The keynote focused substantially on the fervor surrounding generative and agentic AI, pointing out that security teams can’t ignore AI even if they’re tired and jaded by it, as every industry and sector is racing to adopt it. Organizations are using LLM-powered AI for everything from bank fraud detection and medical imaging analysis to customer service automation and product development and beyond.
In order to, as McMullen put it, “enable these ambitions safely and securely,” security teams must cultivate AI literacy for themselves and their teams, experiment with AI in cybersecurity, and protect ongoing applications of the technology at the organization.
“We must play with AI ourselves to become AI literate so that we can understand exactly how LLMs work and what happens when a user asks a question and discover the many ways and places that the prompt or answer can be tampered with to better understand how to protect our organizations’ AI investments,” McMullen said. “We can also learn when to use which AI techniques and when to not be using AI at all.”
Security vendors currently use LLMs in a number of ways, such as for automated threat hunting and vulnerability remediation.
On the security and compliance side, McMullen and Thielemann said that because many employees likely already have the technology embedded in their work, it’s important to take this opportunity to inventory it: which tool is being used for what, whether the tool is critical and irreplaceable, how many users it has, and what data risks it carries. Rather than stamping out every tool that uses the technology, teams can offer policy flexibility that allows the organization to take “intelligent risks” while working to ensure that the proper channels are followed in the future.
In cases where the organization is developing new AI tools themselves, security teams will need to adapt their incident response procedures for new types of alerts involving content inaccuracies and intellectual property risks.
McMullen also spoke to chief information security officers (CISOs) directly, saying, “Unlike any other role, you have to protect the enterprise’s investment in AI while protecting the organization from AI, which you are not going to be able to do without AI.”