Cybersecurity, once strictly a function of the information technology department, is turning into a business concept with societal implications. Investor interest, public pressure, employee demands and governmental regulations are strengthening the incentives for organizations to track and report cybersecurity goals and metrics as a business requirement.
As a result, the role of the cybersecurity leader has become increasingly elastic because of the growing misalignment of expectations from stakeholders within their organizations. This is causing burnout among security leaders, who are overworked from practicing in “always-on” mode. Furthermore, factors such as increased digital autonomy and the rising visibility of risk quantification at the board level are creating an environment where the cybersecurity leader has less direct control over many of the decisions that typically would fall under their scope.
It’s time for cybersecurity leaders to reframe their roles to regain control of enterprise risk and succeed in this new business environment. Here are three ways that cybersecurity leaders, including chief information security officers, can embrace future trends in the security landscape to reframe their role.
Gain visibility as a risk management facilitator
For many years, the cybersecurity team was seen as a last line of defense against cyberthreats. Security was a purely technical role, tasked with maintaining compliance and preventing breaches, and it was often perceived as slowing down business decisions.
The good news is that this perception is shifting. Today, Gartner research shows that 88% of boards of directors now regard cybersecurity as a business risk rather than solely a technical IT problem. As cybersecurity is increasingly viewed as a business risk, accountability for managing it will shift from security leaders to senior business leaders. Gartner predicts that by 2026, at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts.
Yet it is unfair to expect business executives to be accountable for something they are not equipped or knowledgeable enough to manage. As formal accountability for security risk shifts, cybersecurity leaders must evolve from being the “de facto” accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.
Managed effectively, this serves as a win-win situation. First, accountability for cybersecurity risk will increasingly rest on the right shoulders inside the organization. Second, the CISO now can shape and influence information risk decisions that may previously have been outside their line of sight, in turn helping to enhance the organization’s cybersecurity risk posture.
Forward-thinking cybersecurity leaders can begin this role shift by incentivizing business executives to regard cybersecurity as one of their strategic business goals. Define clear accountability by creating an enterprise security charter that is signed by the board and C-suite indicating their agreement not to expose the organization to unacceptable levels of cyber risk. Establish advisory services and processes that empower business leaders to make independent, high-quality information risk decisions in consultation with security leadership.
Lead the charge on cybersecurity ESG initiatives
Environmental, social and governance or ESG reporting has moved from a discretionary activity to a business requirement, given rising investor interest, employee and public pressure and governmental regulations. Expectations that organizations should be more transparent about their security risks have also increased, as progressively severe cyberattacks demonstrate cybersecurity is no longer just a business risk but a societal risk as well.
Although cybersecurity is rarely included in current ESG disclosures, Gartner predicts that by 2026, 30% of large organizations will have publicly shared ESG goals focused on cybersecurity. As a result, cybersecurity leaders will increasingly have to demonstrate an organizational commitment to reducing the social issues that may arise from cybersecurity incidents.
Cybersecurity leaders already have a key role to play in supporting other ESG metrics, such as increasing equity and inclusion within the cybersecurity function. However, security leaders can reframe their role for the future by leading the charge on developing goals and metrics to demonstrate their organizational commitment to reducing the social issues that may arise from cybersecurity incidents such as:
- Data breaches of customer personal information
- Potential safety concerns from use of cyber-physical systems
- The potential for misuse and abuse within the organization’s products
- Malicious cyberactivity (including ransomware) against critical infrastructure
Work with enterprise risk and sustainability leaders to proactively identify existing and emerging ESG reporting requirements and the short- and long-term implications for the cybersecurity strategy. Develop metrics to proactively assess the societal impact of cybersecurity incidents and increase transparency in the organization’s current performance and strategies. These metrics and strategies will form the basis of future cybersecurity ESG goals.
Foster an enterprisewide cyber risk-aware culture
Fostering a cyber risk-aware culture is a key enabler of an effective cybersecurity program. Enterprise technology users are constantly bombarded with information from all directions. Messages are often contradictory — for example, pressure to share information with clients versus demands for protecting data — resulting in dissonance and a lack of clarity around the “right thing to do.”
Traditional security awareness efforts are based on the flawed assumption that providing people with information about risk will change their behavior, but awareness does not automatically result in more secure behavior. The choices that people make are much more influenced by the norms and cues inherent in their environment.
Changing cyber risk culture requires a combination of active leadership intervention and techniques based on an understanding of how people behave. Cybersecurity leaders must increasingly look to psychology, sociology and behavioral economics to influence their organization’s security culture. Gartner predicts that by 2025, 40% of programs will deploy socio-behavioral principles to influence security culture across the organization, up from less than 5% in 2021. This includes techniques such as culture hacks and nudges, gamification and security program branding.
Cybersecurity leaders should shift the primary objective of the security awareness program away from mere awareness toward establishing and nurturing a cyber risk-aware culture. Appoint someone with a background in social science to apply sociology or behavioral economics to your organization’s security culture. Look for tools that effectively leverage social science techniques to influence cybersecurity behavior.
As the perception of cybersecurity evolves at an individual, organizational and societal level, it will be critical that cybersecurity leaders reframe their roles accordingly. By positioning themselves as the leaders for enterprisewide risk decisions, security leaders can regain control of business risk and become more effective in an evolving future security landscape.
Sam Olyaei is a research director at Gartner Inc., covering cybersecurity strategy, governance, staffing and talent management, policies, metrics, and executive and board reporting. He wrote this article for SiliconANGLE. Gartner analysts will present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2022, taking place June 7-10 in National Harbor, Maryland.