With risks moving beyond IT, cybersecurity leaders must ensure that businesses have the resources to make quality decisions to protect information.
Gartner, Inc., a world leader in enterprise research and advice, warns that the role of the cybersecurity leader needs to evolve as responsibilities for cyber risk move from IT to an increasingly distributed ecosystem within enterprises.
According to its most recent analysis, Security and Risk Management (SRM) leaders are investing significantly more effort in evaluating and influencing the “cyberhealth” of third parties. Employees are making more decisions with cyber-risk implications, and more executive committees are being established with remits that extend beyond the cybersecurity leader's scope.
Gartner analysts estimate that this scenario, with the migration of protection responsibilities to groups and teams outside of IT, will lead to an environment where the cybersecurity leader will have less direct control over many of the decisions that would be within their scope today.
“Cybersecurity leaders are burnt out, overworked and in 'always on' mode,” says Sam Olyaei, Research Director at Gartner. “This is a direct reflection of how elastic the role of this specialist has become over the last decade, due to the growing misalignment of expectations among stakeholders within their organizations.”
Responsibility for cyber risks will expand beyond IT – Eighty-eight percent of boards view cybersecurity as a business risk rather than just a technical IT issue, a recent Gartner survey indicates. Thirteen percent responded by instituting specific cybersecurity committees overseen by a dedicated director.
Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk and management built into their employment contracts by 2026.
This affects the timeliness and quality of information-risk decisions, which are increasingly made by stakeholders outside the IT or security line of sight. In response, Gartner expects an inevitable shift of formal accountability to business leaders, who answer to the CEO for delivering strategic objectives such as revenue and customer satisfaction.
As formal responsibility for cyber risk shifts to the business, Gartner analysts highlight that the role of the cybersecurity leader must be reshaped to succeed.
“The role of the CISO must evolve from being the 'de facto' responsible person for handling cyber risks, to being responsible for ensuring that business leaders have the skills and knowledge needed to make high-quality, informed decisions about information risks,” says Olyaei.
Cybersecurity will be included in ESG disclosures – Investor interest, public pressure, employee demands and government regulations are strengthening incentives for organizations to track and report cybersecurity goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.
As a result, Gartner predicts that 30% of large organizations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.
“Expectations that organizations should be more transparent about their security risks have increased, resulting in public demand for greater transparency in their ESG reporting,” says Claude Mandy, Research Director at Gartner. “Cybersecurity is no longer just a risk to the organization, but a social risk.”
As a consequence, SRM leaders will increasingly have to demonstrate an organizational commitment to reducing the social harms that can arise from cybersecurity incidents: breaches of customers' personal data; safety concerns from the use of cyber-physical systems; the potential for misuse and abuse of the organization's products; and malicious cyber activity against critical infrastructure.