
Still buzzing a little from last week. I spent the first three days of June at the Gartner Security & Risk Summit in National Harbor, and I'm still thinking about half of it.
Packed rooms, sharp people everywhere. I sat in on as many sessions as I could and grabbed conversations in the hallways that were sometimes better than the talks themselves.
The more of those I sat through, the more one uncomfortable thing kept surfacing. What security teams actually do day to day is a long way behind what security vendors claim. The practitioner sessions made it impossible to ignore. So did the analyst briefings. That's where most of what stuck with me came from.
So before it all blurs together, here are the ones I keep coming back to.


Enterprises find vulnerabilities easily. The breakdown happens when they try to fix them.
Gartner's CTEM maturity research shows the same pattern. Most companies have solid scoping and discovery. The weakest phase is mobilization. That means taking a validated finding and getting the right teams to coordinate, remediate, and close it out. That hand-off is where programs stall, and it stalls almost everywhere.
An S&P Global VP and BISO shared a good example in one session. Their old vulnerability program ran on three steps: scan, report, patch. They tracked how much work got done rather than whether risk went down, and they treated CVSS scores as the final word. Then a tooling incident, a process failure with no attacker involved, rebooted a large part of their infrastructure. It forced them to rebuild the program around business context.
The BISO called that incident the best thing that happened to the program. Hard to argue with the result.
Having data is cheap. Getting the right data to the right person with a clear path to action is the hard part.
One line from Gartner's exposure management roadmap research deserves way more airtime. No organization, whatever its size or industry, is out-patching threat actors. Nobody is winning that race.
The deeper issue is that prioritization built only on CVSS base severity misses business impact completely. A critical-severity bug sitting behind layers of compensating controls on some internal box carries far less real risk than a medium-severity misconfiguration that opens a clean lateral path to your payment infrastructure. Base scoring can't tell those two apart. It rates the vulnerability and shrugs at the context around it.
Gartner's steer is the right one. Ground prioritization in exploit prevalence, asset criticality, compensating controls, and whether the thing is actually exploitable in your environment. The catch is this needs something most programs don't run yet. A continuous validation loop that checks whether your top-ranked vulnerabilities can really be exploited in your own network.
Skip validation, and your priority list is just a confident guess.
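To make the point concrete, here is an added example (mine, not Gartner's or anyone's product logic) of what context-aware prioritization looks like next to plain CVSS ranking. The weighting scheme, the field names, and the three sample findings are all constructed for illustration; the "exploit_prevalence" input is assumed to come from an EPSS-style feed, and "validated_exploitable" is whatever your validation loop last confirmed. It also carries the loop itself one step further than the paragraph does: the work list of top-ranked findings nobody has validated yet.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    id: str
    title: str
    cvss_base: float                # scanner's base score, 0.0 - 10.0
    exploit_prevalence: float       # 0.0 - 1.0, e.g. an EPSS-style probability (assumed feed)
    asset_criticality: int          # 1 (lab box) .. 5 (payment / crown-jewel system)
    compensating_controls: int      # effective controls sitting in front of the asset
    lateral_path_to_critical: bool  # clean onward path to a critical asset
    validated_exploitable: Optional[bool] = None  # None = not yet validated in your environment


def contextual_score(f: Finding) -> float:
    """Re-weight base severity by the environment the finding sits in.

    The multipliers are illustrative, not a standard; the shape is what matters:
    base severity is the starting point, never the final word.
    """
    score = f.cvss_base
    score *= 0.5 + f.exploit_prevalence                 # prevalence: x0.5 .. x1.5
    score *= f.asset_criticality / 2.5                  # criticality: x0.4 .. x2.0
    score *= max(0.2, 0.7 ** f.compensating_controls)   # each control -30%, floor at 20%
    if f.lateral_path_to_critical:
        score *= 2.0                                    # opens a path to crown jewels
    if f.validated_exploitable is True:
        score *= 1.5                                    # confirmed exploitable here
    elif f.validated_exploitable is False:
        score *= 0.1                                    # confirmed not exploitable here
    return round(score, 2)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The 'scan, report, patch' ordering: base score only."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def rank_by_context(findings: List[Finding]) -> List[str]:
    """Ordering after the environment has had its say."""
    return [f.id for f in sorted(findings, key=contextual_score, reverse=True)]


def validation_queue(findings: List[Finding], top_n: int) -> List[str]:
    """The validation loop's work list: top-ranked findings nobody has confirmed yet.

    Anything here is still a guess, however confident the score looks.
    """
    ranked = sorted(findings, key=contextual_score, reverse=True)[:top_n]
    return [f.id for f in ranked if f.validated_exploitable is None]


# Constructed sample findings mirroring the two cases in the text, plus one
# that validation has already ruled out.
SAMPLE = [
    Finding("F-1", "Critical RCE on internal build box", 9.8, 0.10, 2, 3, False),
    Finding("F-2", "Medium misconfig with lateral path to payments", 5.3, 0.60, 5, 0, True),
    Finding("F-3", "High CVE, validated not reachable", 7.5, 0.90, 4, 1, False, False),
]

if __name__ == "__main__":
    print("by CVSS base: ", rank_by_cvss(SAMPLE))        # F-1, F-3, F-2
    print("by context:   ", rank_by_context(SAMPLE))     # F-2, F-1, F-3
    print("validate next:", validation_queue(SAMPLE, 2)) # F-2, F-1
```

Run as-is and the medium misconfiguration on the payment path lands at the top while the critical on the fenced-off build box drops to the bottom tier, which is exactly the inversion the paragraph describes. The queue function is the part most programs skip: until something in it is marked True or False, its rank is an estimate, not a fact.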
Bluntest thing I heard all week, straight from a Gartner analyst. Technology is no longer the barrier for effective exposure management. Process is.
The CTEM adoption session walked through what Gartner calls the mobilization coordinator. A dedicated role sitting between security, GRC, and IT ops, whose entire job is shepherding validated findings into actual remediation. Their research suggests teams that stand up this role could cut critical exposure dwell time by a meaningful margin versus everyone still running the old workflow.
What got me wasn't the role. It was what the role quietly admits. Gartner is now recommending you hire a human whose whole purpose is bridging "we found it" and "we fixed it." Sit with that for a second. Security teams and infra teams still act like they work at different companies. Ownership is fuzzy. There's no shared language for handoffs. And the fix, pulling systems offline or forcing emergency patches, often hurts more than the original bug.
The framework Gartner laid out covers governance, ownership models, RACI, joint KPIs, and improvement loops. None of that ships in a box. It's org design, plain and simple.
AI agents are changing the enterprise attack surface. Companies deploy coding assistants, internal bots, and automated workflows. Very few of those deployments go through a security review.
Attackers target coding agents through multiple vectors.
A mid-2025 incident involved a malicious npm package weaponizing a local AI coding agent to steal sensitive files. The OWASP Top 10 for Agentic Applications describes these exact failures, including privilege abuse and rogue agents. None of these threat vectors map onto standard CVE databases.
You have to test these systems offensively. Gartner data shows only 28% of organizations have a full-time red teamer, even though 51% say red teaming is a major contributor to their security goals. That gap is unsustainable as AI keeps widening the attack surface.
The cyber-risk session, "From chaos to clarity," was the most human one I sat in. Two Gartner survey numbers are worth chewing on. Nearly half of CISOs see a board that doesn't understand security as the biggest limit on their influence. And for 35%, standing up AI governance has become a real source of burnout.
Boards now expect a CISO to be a business partner, take ownership of how the company adopts AI, and bring clear risk metrics to the table. Gartner had a clean phrase for the shift. From defensive gatekeeper to strategic value enabler. It's an executive function now, and what counts at that level is showing risk actually went down.
The path Gartner laid out is practical enough. Deliver cyber-risk updates straight to the board. Build clear RACI models with senior leaders. Report risk metrics instead of activity. None of it is complicated to describe. Doing it consistently is the hard part.
Quarterly reviews fail to keep up with daily infrastructure changes. Cloud workloads spin up and down constantly. Software teams deploy AI tools without central approval. Traditional compliance frameworks rely on static assessments and manual evidence collection. They operate too slowly.
Organizations have to move toward adaptive governance. That means automating evidence collection and embedding risk evaluation directly into active workflows.
Gartner outlines four core principles for adaptive governance.
Many enterprises remain stuck in the legacy model. The companies that switch to automated, continuous evaluation will gain a clear response advantage.

The thing that stuck with me most has nothing to do with any vendor, including mine. Everyone has the tools to find problems. Almost nobody has cracked the part where problems actually get fixed. That gap is organizational, not technical.
It's the exact gap my team and I at Strobes have spent the last few years trying to close, so hearing Gartner and a room full of practitioners describe it in their own words was equal parts validating and humbling. Validating because we bet right. Humbling because the problem is bigger and stickier than any one platform can fix. Building a real CTEM program is hard work, and no tool does it for you. The honest goal is just to make that work lighter.
So that's what I'm carrying home from Gartner SRM. Not a shopping list of threats, just a sharper sense of the one problem worth obsessing over. If you were in those rooms and saw it differently, I'd love to be talked out of it. Find me on LinkedIn, I'll bring the coffee.