By Paul Furtado, VP Analyst at Gartner
Measuring and articulating cyber and technology risk to senior leadership is critical.
CIOs are responsible for organizational security and must balance business growth while ensuring security and protection. They can do this by taking the following steps.
Develop a Defensible Security Program
CIOs must understand the characteristics of what “good” looks like and build a continuous security program that can be defended and ensures a balance between protection and business operations. Implementing a program to only meet a compliance requirement is not an effective approach. Time and effort must be put into developing effective governance and effective risk management.
For a security program to be considered defensible, it must:
- Have a clear mandate from executive leadership.
- Establish and enforce owner accountability.
- Invest in risk assessment capability.
- Follow accepted standards.
- Be clearly linked to the business context of the organization.
- Focus on continuous improvement.
- Be agile enough to respond fast to changing threats and scenarios.
- Support formal, repeatable security processes.
- Deliver accepted levels of infrastructure protection, application and data security.
- Focus on business continuity and resilience.
- Provide training and guidance to drive secure employee behavior.
Adopt Operating Models for IT Risk and Cybersecurity Management
Risk identification, implementation of adequate preventative measures and incident response are critical parts of building a strong security operation model. A good security operating model utilizes a risk-based approach to identify and prioritize security projects and investments. It is a collaborative process focused on continuous improvement.
Segregation of duties and oversight are a minimum requirement for any adopted model. Adopting a model like the three lines of defence (see Figure 1) provides the requisite segregation.
Figure 1: The Three Lines of Defense
Source: Gartner (June 2023)
CIOs responsible for security and risk will be actively involved in the first and second lines of defence, while internal audit provides the third and final line of defence, assuring that the controls are deployed and as effective as expected. Establishing strong working relationships with the stakeholders responsible for the second and third lines of defence will reduce friction, lead to better teamwork and make it easier to embed a culture of everyone in the organization making good risk and security decisions.
In addition to a risk governance model, CIOs need to align their cybersecurity program with a known cybersecurity framework. This helps provide defensibility for security actions.
How to Communicate Risk and Security Posture
Developing a strong security program contributes to the building of trust between the CIO and the senior leadership. Trust and resilience are embodied in security and business outcomes. These outcomes are addressed by a set of controls that are consistent, adequate, reasonable and effective.
To reflect on how well their organization is protected, not how it is protected, CIOs can use outcome-driven metrics (ODM) which guide security investment as well protection-level agreements (PLAs). PLAs identify how much risk business stakeholders are willing to accept within their areas of control.
Once the necessary metrics are in place, CIOs need to document, manage, and communicate cyber- and IT-related risks to business leaders on an ongoing basis. Using a risk register allows for ongoing risk evaluation and documentation of risk acceptance. The executive/board ultimately makes the risk acceptance decisions, and the CIO needs to work within the given parameters.
Additional cybersecurity topics will be discussed during Gartner IT Symposium/Xpo, the world’s most important conferences for CIOs and other IT executives. Gartner analysts and attendees will explore the technology, insights and trends shaping the future of IT and business, including accelerating business transformation, cybersecurity, AI, customer experience, data analytics, executive leadership and more. Follow news and updates from the conferences on Twitter using # GartnerSYM.
