
Gartner Sydney SRM: Resilience Trumps Breach Fear for Securi

The 'invest or get breached' line is officially dead. CISOs at Gartner Sydney are pivoting to a resilience narrative, and it's finally getting board-level attention.


Key Takeaways

  • The 'invest or get breached' security pitch is dead; resilience is the new board-level mandate.
  • Platform consolidation is pragmatic, balancing integrated solutions with necessary point solutions for specific risks.
  • Human factors like burnout and communication skills remain the most challenging aspects of SecOps.
  • AI is transitioning from hype to practical 'sidekick' roles, augmenting analyst capabilities.
  • Governing agentic AI relies on foundational security principles already present in mature programs.

Alright, let’s talk Gartner SRM Sydney 2026. You wade through the conference haze, past the lukewarm coffee and aggressively optimistic marketing decks, and you start to hear it. Not the usual fear-mongering, but something… different. Something that might actually make sense to someone holding a real budget. Apparently, the tired old chestnut of ‘invest in security or get breached’ has finally run its course.

Think about it. For years, security leaders have been going into boardrooms with this almost blackmail-like proposition: pay us more, or we’ll get hacked. It’s a lose-lose. The company only ‘wins’ if something bad happens, proving the CISO was right all along – a terrible business case, frankly. Now, according to Rapid7’s CISO Brian Castagna and industry peer Nigel Hedges at the summit, the script has flipped. It’s all about resilience now.

Why Resilience Wins Boards Over

This isn’t some abstract academic exercise. The real money is in keeping the lights on. Operational disruption. Downtime. That’s where the revenue stops flowing, where reputations crumble, and where regulators start making phone calls. CISOs who can translate their security metrics into concrete business availability and financial risk statements? They’re the ones getting heard. They’re not just asking for money to prevent bad things; they’re asking for investment to ensure the business keeps running, no matter what.

And this shift means what gets measured and how security teams talk to the C-suite changes. Sure, threat intelligence and kill chains still matter in the trenches, deep inside the Security Operations Center (SOC). But up high? It’s about risk narratives. Clear, concise, business-focused risk narratives. It’s a leadership requirement, plain and simple.

Platform Consolidation: The Pragmatic Dance

Remember the endless ‘platform vs. best-of-breed’ wars? They’re still happening, but the vibe is decidedly less ideological and a lot more… practical. Turns out, the real answer is a bit of both. Consolidate where it makes sense – where you get better efficiency, better visibility, fewer vendors to manage. But don’t ditch those niche, rock-solid point solutions that actually nail a specific, high-priority risk. Budget pressure is the great equalizer here, forcing companies to make defensible choices.

The talk now is about ‘control planes’ – endpoint, gateway, network – and how integrated telemetry acts as the glue. It’s about creating a global security program for a massive organization across dozens of countries on a modest $3 million budget. This isn’t theory; it’s a real-world constraint driving strategy. The guiding principle? Simple: Does this investment reduce risk? More importantly, does it protect a crucial business outcome?

People: Still the Hardest Part

Technology can be built. Processes can be engineered. But people? That’s the rub. This was a recurring, and frankly, relatable, theme. It’s not just about finding folks with the right certifications. It’s about building teams with that elusive mix of sharp technical skills, diverse ways of thinking, genuine motivation, and the sheer stamina to keep going. A common blind spot in SOCs is this: teams might be technical wizards, but can they actually articulate risk to non-technical executives? Increasingly, the answer is no, and that’s where the perceived value of SecOps falters.

And then there’s burnout. It’s not a bug; it’s a feature of the current landscape. When experienced analysts pack their bags, they take institutional knowledge with them. You can’t buy that back. So, for security leaders, the ‘people strategy’ isn’t a side project; it’s central to the entire security strategy.

AI in SecOps: Moving Beyond the Hype

Finally, AI. After years of breathless pronouncements, the conversation is landing. The practical uses in SecOps are becoming clear: managing sheer volume, cutting through the noise, and speeding up investigations with better context. Think alert triage assistance, asking log data questions in plain English, summarizing incidents, drafting executive comms. The best framing? AI as a ‘sidekick’ – a force multiplier for seasoned pros, not a replacement. Human judgment is still king.

But for teams stretched thin, trying to scale operations and retain that critical institutional knowledge that walks out the door with departing analysts, AI is becoming an indispensable tool. It’s about making the existing team more effective, not about replacing them entirely.

Governing Agentic AI: What You Already Know

And agentic AI? The stuff that’s starting to act more autonomously? The consensus seems to be that while it introduces new governance headaches, many of the solutions are already baked into mature security programs. Segmentation, least privilege, strong access controls, and well-defined architectural boundaries. These aren’t new concepts; they’re the bedrock. The problem isn’t a lack of tools or principles; it’s ensuring they’re consistently applied, especially as AI systems start calling their own shots.

Why Did the ‘Breach or Else’ Pitch Fail?

It failed because it framed security as a purely reactive cost center. Boards eventually tire of hearing that their only value is in preventing something bad from happening, rather than actively contributing to business growth and stability. It’s a narrative that only proves itself in failure.

How is Platform Consolidation Defined Now?

It’s no longer an all-or-nothing proposition. Consolidation is seen as strategic: adopt platform solutions for improved efficiency and visibility where it makes sense, but retain specialized, high-performing point solutions for critical risks that require best-in-class capabilities. The goal is an integrated, efficient, and cost-effective security posture.

What’s the Biggest Challenge in SecOps According to Experts?

People. Specifically, building teams with the right blend of technical acumen, communication skills, cognitive diversity, and resilience. Burnout is a significant factor, leading to loss of institutional knowledge, which no technology can replace. Effective communication of risk to executives is also a critical, often unmet, need.

Is AI Replacing Security Analysts?

No, not yet, and not entirely. The current practical application of AI in SecOps is as an assistive tool or ‘sidekick.’ It helps manage high volumes of alerts, speeds up investigations, and provides context. The emphasis is on augmenting human judgment and improving the efficiency of experienced practitioners, especially for understaffed teams.

What Foundation is Needed for Governing Agentic AI?

Mature security programs already possess the foundational elements. These include strong principles of network segmentation, least privilege access, strong identity and access management, and clearly defined architectural boundaries. These existing controls are the starting point for governing more autonomous AI systems.



Written by Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.


Originally reported by Rapid7 Blog
