
Digital security executives can maximize their company's security effectiveness

Four myths are clouding the full value of cybersecurity to the enterprise and inhibiting the effectiveness of digital security programs, according to Gartner. The executives responsible for digital security, the CISOs (Chief Information Security Officers), must adopt a "minimum effective" mindset to maximize the business impact of cybersecurity.

"Many CISOs are burned out and feel they have little control over their stressors or their work-life balance," says Henrique Teixeira, Analyst and Senior Director at Gartner. "Cybersecurity leaders and their teams are trying their best, but they are not having the best impact."


"A minimum effective mindset is a deliberate, return-on-investment (ROI) approach to leading cybersecurity into the future," said Leigh McMullen, Vice President and Analyst at Gartner. "While the idea of a minimum may seem uncomfortable, it refers to inputs, not outputs. This approach will enable cybersecurity functions to move beyond just 'defending the fort' to unlocking their true potential to create tangible value for their organizations."

According to Gartner, the four myths that are clouding the full value of cybersecurity to the enterprise and inhibiting the effectiveness of digital security programs are:

Myth #1: More data means better protection – It is widely believed that the best way to drive action by executive decision makers on security initiatives is through sophisticated data analysis that calculates the probability of a cyber event. In practice, however, quantifying risk this way is not workable, and it does not create shared accountability between cybersecurity and enterprise decision makers for significantly reducing business risk. Gartner research found that only a third of CISOs report that quantifying cyber risk has successfully driven action.

"Instead of continuing to pursue more data and more analytics, savvy CISOs adopt a minimum effective insight approach," says Teixeira. "Gartner recommends determining the smallest amount of information needed to draw a straight line between a company's cybersecurity funding and the amount of vulnerability the funding addresses."

The analyst advises CISOs to use outcome-driven metrics (ODMs) to put minimum effective insight into practice. ODMs link operational security and risk metrics to the business outcomes they support, showing the level of protection currently in place and the additional protection that new spending would buy.

Myth #2: More technology equals better protection – Worldwide spending on information security and risk management products and services is expected to grow by 12.7% to reach US$ 189.8 billion in 2023. Yet even at the organizations that spend the most on cybersecurity tools and technologies, security leaders still feel they are not adequately protected.

"Cybersecurity often gets stuck in a hardware procurement mindset, believing that just around the corner there must be something better," says McMullen. "Instead, CISOs should adopt a minimum effective toolset – the fewest technologies needed to observe, defend, and respond to exposures. This will allow cybersecurity to own its architecture, reducing the complexity and lack of interoperability that make it so difficult to generate value from technology investments."

Organizations can begin the journey to a minimum effective toolset by taking a human-cost view: the staff effort spent operating a tool should stay below the benefit that tool delivers in mitigating risk. In parallel, they can take an architectural view and assess whether a given tool adds to or subtracts from the enterprise's ability to protect itself. Cybersecurity Mesh Architecture (CSMA) principles can also help security design for simplicity, composability, and interoperability.

Myth #3: More cybersecurity professionals means better protection – "The demand for cybersecurity talent has outstripped supply to the point where CISOs can't catch up," says McMullen. "Security is a huge bottleneck to digital transformation, and much of that is due to the myth that only cybersecurity professionals can do a serious job of protecting. Democratizing cybersecurity expertise, rather than trying to hire talent, is the solution," he says.

Gartner predicts that by 2027, 75% of employees will acquire, modify or build technology outside of IT's visibility, well above the 41% recorded in 2022. CISOs can reduce the burden on their teams by helping these business technologists develop minimum effective expertise and cyber judgment. A recent Gartner survey found that business technologists with high cyber judgment are 2.5 times more likely to consider cybersecurity risks when developing technology or analytics capabilities.

Myth #4: More controls means better protection – A recent Gartner survey found that 69% of employees ignored their organization's cybersecurity guidance in the last 12 months, and 74% would be willing to ignore cybersecurity guidance if it helped them or their teams achieve a business objective. "Cybersecurity organizations are well aware of widespread insecure workforce behavior, but the typical response of adding more controls backfires," adds Teixeira. "Employees report an enormous amount of friction involved in secure behavior, which leads to risky practices. Bypassed controls are worse than no controls at all."

Minimum effective friction rebalances how cybersecurity assesses the performance of security controls, prioritizing user experience rather than technical functionality alone. Gartner predicts that by 2027, 50% of large-enterprise CISOs will have adopted human-centered security design practices to minimize cybersecurity-induced friction and maximize control adoption.

Gartner for Cybersecurity Leaders equips security leaders with the tools to help reshape roles, align security strategy with business objectives, and create programs to balance protection with the organization's needs. More information is available in Gartner's free e-book: Four Facets of Effective CISO Leadership.
