I’ve been to 15 Gartner Summit Events. The 2019 Gartner Security & Risk Management Summit, however, will be my first time attending their security-focused conference. This is the 25th annual, with security and risk management summits having merged at some point in the past to form this conjoined gathering. Over 3,500 attendees and 200 solution providers will peruse over 300 sessions which feature 81 Gartner Analysts focused on the space.

As I have with past Summits, here I’ve outlined some of the major trends my team and I are seeing emerge from the agenda, analysts I am following at the Summit, and some thoughts on interesting sessions in which I’ll be taking copious notes!

Dissecting the agenda

I’m not speaking this year, though I have been a speaker at Summits in the past. Gartner sets forth a list of about 30 topic areas; each session can list up to three topics that apply to the content. This is true for both Gartner Track Sessions (there are five tracks) and vendor solution provider sessions.

Track A: Leadership & Strategy
Track B: Trends & Capabilities
Track C: Risk & Resilience
Track D: Architecture & Operations
Track E: Security Markets

When I examined the topics that will be of focus at the Summit, I then looked to see how many sessions will discuss each topic. Below is the top 10 list of topics based on the number of sessions that take them into consideration.


Gartner Topic Area | Number of Sessions

Cyber Security
Security Strategy and Vision
Risk Management
Cloud Security
Advanced Threat Protection
Data Security
Application Security
Identity & Access Management
Threat Intelligence


Setting aside the general topic areas like “Cyber Security” and “Leadership”, the top four that jump out at me from this list are Cloud, ATP, IAM, and Threat Intelligence. This indicates what the focus of the Summit will be this year.

Pro Tip: The online agenda and the Gartner Conference Navigator Mobile App have the PDF versions of Analyst presentations available right now. Gartner repeat attendees will often take notes during the sessions on their tablets or printed copies.

Key analysts I’m following this year

In no particular order:

I’m also excited to sit down with Peter Firstbrook, as well as Mario and Neil Wynne from the list above, in one-on-one meetings at the Summit. Analyst One-on-Ones go fast, so anyone who plans to attend should have those schedules locked. (Pro Tip!) There’s a lot of last-minute horse-trading that goes on when vying for slots with Analysts whose schedules fill up fast.

All about cloud

In terms of the number of sessions at the Summit, cloud security is the highest-ranked substantial topic area. From Neil MacDonald’s “Security Patterns and Best Practices for Securing Cloud-Native Applications” to “Principles of Successful Network Segmentation Projects,” look for everything from email and networking to compliance and data loss to have a thread on how it relates to the increasingly cloud-centric infrastructure that attendees face.

Cloud migration has been on an unstoppable march, and security providers are adapting their solutions to these new demands. Many conventional solutions (CASBs, firewalls, proxies, web gateways, etc.) have done so unsuccessfully, because their technology was founded on the concept of perimeter defense.

The cloud has no perimeter. The cloud doesn’t work with point solutions, making layered security more important than ever. Security vendors who can consolidate different point solutions into one interface have an advantage over those that only provide a single solution.

Are “mature” security markets dead?

Sid Deshpande, Senior Director Analyst, posits that key security market segments like SWG, SEG, SIEM, and EPP are “dead,” and no new vendors are likely to emerge in this space. At the same time, he suggests that these areas are still critical to security programs and require significant R&D investment from incumbent vendors to keep pace with attacker methods.

Email is the proverbial security front door

Email is the most mature security market in the cyber security space, though attackers are moving faster than the legacy technology. Perimeter-based security has had its day, and Gartner will likely compare CASBs to firewalls to prepare the market for the necessary and rapidly-approaching shift in security strategy.

A few days ago, Gartner introduced Cloud Email Security Supplements (CESS), which converge the features and functionality of the familiar SEG and CASB into a single solution, in the Market Guide for Email Security.

"CESSs focus on specific threats, often in the realm of hard-to-detect phishing, and can leverage full access to cloud-hosted inboxes via APIs for detection and remediation."

(Gartner clients can read the full document here.) This enhanced visibility and control is especially advantageous for intra-domain phishing and account compromise.

Some sessions we’re excited about

I’m looking forward to hearing from analysts who are talking about the changing landscape — Patrick Hevesi and Neil Wynne, who I have spoken to in the past and find interesting and informative. Mario de Boer and Sid Deshpande are shaking things up with interesting (read: snarky title) sessions, as well. I also see some perennial Gartner favorites like Daryl Plummer, as well as interesting Guest Keynotes from Michael Chertoff (former Secretary of Homeland Security) and Patrick Lencioni (well-known author of “The Five Dysfunctions of a Team”) on the Summit Agenda.

Here are some thoughts on a few key sessions:

1. The 1990s Are Calling: They Want Their Perimeter Back

Patrick Hevesi, Steve Riley, and David Mahdi will discuss the importance of identity, trust, and control when updating the vision of security to keep pace with the cloud tempo. Look for this and many other Analyst sessions to major on the CARTA framework.

At the RSA conference this year, there was a lot of talk about “Zero Trust.” Gartner takes this further with their framework, asserting “Zero Trust Is an Initial Step on the Roadmap to CARTA”. CARTA, or Continuous Adaptive Risk and Trust Assessment, is central to the way in which Gartner Analysts talk about security frameworks. The documentation around it is foundational research, and the Summit has been the showcase for it over the past several years.

2. Redefining Your Email Security Strategy for 2020 and Beyond

This appears to be a late add from Neil Wynne, as the session falls at the end of Wednesday’s presentations. It seems to roughly outline the recent Market Guide for Email Security he wrote with Peter Firstbrook. That document talks about the strategic shift in how to secure cloud communication, and how adopting CARTA will protect inboxes from exposure to increasingly sophisticated threats.

3. Constructing a layered cloud security architecture

Richard Bartley will give advice on how to build a cloud security architecture that balances business needs, evaluates potential solutions, and aligns with industry frameworks. Even though attacks have become increasingly sophisticated, the integrity of a layered security philosophy is still sound.

4. Gartner Opening Keynote: From Managing Risk and Security to Enabling Value Creation

Analysts David Mahdi, Beth Schumaecker, and Katell Thielemann underscore the importance of strategic (rather than reactive) risk management. They’ll consider the relationship between humans and machines in this process, and suggest ways of preserving and creating value.

5. Office 365 Security 201: Advanced Security Features & Third-Party Options for Protecting Your Tenant

Microsoft Office 365 is the most popular target and vector for email phishing attacks. Patrick Hevesi will cover the must-have features in Advanced Threat Protection (ATP) for Office 365, then address where third-party protection is needed and why. A recent blog from Avanan CEO Gil Friedrich, 6 Things You Need to Know About Microsoft Security in Office 365, explores this topic in detail.

6. AI as a Target and Tool: An Attacker’s Perspective on Machine Learning

AI and machine learning have elevated security technology to new heights, increasing the scope and accuracy with which cloud-based threats can be neutralized. Evolving with this trend, hackers have adopted AI to make their campaigns more efficient and scalable. Mario de Boer will lead an interesting session on how hackers can leverage AI to “accelerate innovation in attacker techniques.”

7. Mitigating Phishes That Your Email Gateway Misses

No single security technology can catch every threat, no matter how sophisticated the AI. Knowing this, Mario de Boer will showcase other solutions beyond the secure email gateway that detect and respond to phishing attacks. He’ll also examine the phishing problem on an operational level to prepare your people and processes for the challenges that arise in a disrupted security market.

So basically, we’re excited

As usual, there will be more content than one person can consume at the Summit.

Avanan is a sponsor again this year. In addition to connecting with some Avanan clients and partners, I’m excited to see many of the ones whom I have not met face-to-face in one-on-ones, hear from them in sessions, and probably share a cocktail at the Gaylord National next week.

Attending as a team is a smart way to pick more of it up, so I’m glad several of my fellow executives and some of the relationship team will be along!


As you consider the agenda, make the time to connect with the Team, either by securing a personalized demonstration or dropping by Booth #619 in the Exhibit Showcase.