By Sam Olyaei, Research Director at Gartner
Cybersecurity leaders now invest significantly more effort into evaluating and influencing the cyberhealth of external parties. Employees are making more decisions with cyber risk implications, and executive committees are being established outside the scope of the cybersecurity leader.
These factors are leading to an environment where the cybersecurity leader has less direct control over many of the decisions that would previously have fallen under their scope.
As a result, the role of the cybersecurity leader has become increasingly elastic because stakeholder expectations within the organization are growing misaligned. This is causing burnout among security leaders, who are overworked from operating in “always-on” mode. Factors such as increased digital autonomy and the rising visibility of risk quantification at the board level compound the loss of direct control over decisions that typically would fall under the cybersecurity leader’s scope.
It’s time for cybersecurity leaders to reframe their roles to regain control of enterprise risk and succeed in this new business environment. Here are three ways that cybersecurity leaders, including CISOs, can embrace future trends in the security landscape to reframe their role.
Gain visibility as a risk management facilitator
For many years, the cybersecurity team was seen as a last line of defense against cyberthreats. Security was a purely technical role, tasked with maintaining compliance, preventing breaches and often perceived as slowing down business decisions.
The good news is that this perception is shifting. Today, Gartner research shows that 88% of Boards of Directors now regard cybersecurity as a business risk rather than solely a technical IT problem. As cybersecurity is increasingly viewed as a business risk, accountability for managing it will shift from security leaders to senior business leaders. Gartner predicts that by 2026, at least 50% of C-Level executives will have performance requirements related to cybersecurity risk built into their employment contracts.
Yet, it is unfair to expect business executives to be accountable for something they are not equipped or knowledgeable enough to manage. As formal accountability for security risk shifts, cybersecurity leaders must evolve from being the “de facto” accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.
Managed effectively, this serves as a win-win situation. First, accountability for cybersecurity risk will increasingly rest on the “right” shoulders inside the organization. Second, the CISO now can shape and influence information risk decisions that may previously have been outside their line of sight, in turn helping to enhance the organization’s cybersecurity risk posture.
Forward-thinking cybersecurity leaders can begin this role shift by incentivizing business executives to regard cybersecurity as one of their strategic business goals. Define clear accountability by creating an enterprise security charter that is signed by the Board and C-suite indicating their agreement to not expose the organization to unacceptable levels of cyber risk. Establish advisory services and processes that empower business leaders to make independent, high-quality information risk decisions in consultation with security leadership.
Lead the charge on cybersecurity ESG initiatives
Environmental, social and governance (ESG) reporting has moved from a discretionary activity to a business requirement, given rising investor interest, employee and public pressure and governmental regulations. Expectations that organizations should be more transparent about their security risks have also increased, as progressively severe cyberattacks demonstrate cybersecurity is no longer just a business risk, but a societal risk as well.
Although cybersecurity is rarely included in current ESG disclosures, Gartner predicts that by 2026, 30% of large organizations will have publicly shared ESG goals focused on cybersecurity.
Cybersecurity leaders already have a key role to play in supporting other ESG metrics, such as increasing equity and inclusion within the cybersecurity function. However, security leaders can reframe their role for the future by leading the charge on developing goals and metrics to demonstrate their organizational commitment to reducing the social issues that may arise from cybersecurity incidents such as:
• Data breaches of customer personal information
• Potential safety concerns from use of cyber-physical systems
• The potential for misuse and abuse within the organization’s products
• Malicious cyberactivity (including ransomware) against critical infrastructure
Work with enterprise risk and sustainability leaders to proactively identify existing and emerging ESG reporting requirements and the short- and long-term implications for the cybersecurity strategy. Develop metrics to proactively assess the societal impact of cybersecurity incidents and increase transparency in the organization’s current performance and strategies. These metrics and strategies will form the basis of future cybersecurity ESG goals.
Foster an enterprise-wide cyber risk-aware culture
Fostering a cyber risk-aware culture is a key enabler of an effective cybersecurity program. Enterprise technology users are constantly bombarded with information from all directions. Messages are often contradictory — for example, pressure to share information with clients versus demands for protecting data — resulting in dissonance and a lack of clarity around the “right thing to do.”
Traditional security awareness efforts are based on the flawed assumption that providing people with information about risk will change their behavior, but awareness does not automatically result in more secure behavior. The choices that people make are much more influenced by the norms and cues inherent in their environment.
Changing cyber risk culture requires a combination of active leadership intervention and techniques based on an understanding of how people behave. Cybersecurity leaders should shift the primary objective of the security awareness program away from mere awareness toward establishing and nurturing a cyber risk-aware culture. Appoint someone with a background in social science to apply sociology or behavioral economics to your organization’s security culture. Look for tools that effectively leverage social science techniques to influence cybersecurity behavior.
As the perception of cybersecurity evolves at an individual, organizational and societal level, it will be critical that cybersecurity leaders reframe their roles accordingly. By positioning themselves as the leaders for enterprise-wide risk decisions, security leaders can regain control of business risk and become more effective in an evolving future security landscape.
Gartner analysts will present their latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2023, taking place February 13-14 in Mumbai, India.