Non-security business leaders perceive cybersecurity as a technical issue that does not drive business outcomes, said Sam Olyaei, director analyst at Gartner, while speaking during the virtual Gartner Security & Risk Management Summit Thursday. But security discussions are an opportunity for collaboration.
CISOs tell Gartner they don't trust their business counterparts with making decisions. A finance CISO told the advisory firm, "my board of directors just want to sign off on a piece of paper that says they talked to me." Other CISOs believe their value to the business is only viewed through regulatory compliance.
"We also know that this is not just a one-sided challenge," Olyaei said.
CISOs are operating under unfortunate status quos, with an "always on" mindset, poor time allocation, misaligned expectations, and difficulty keeping pace with the speed of the business, Gartner found. "These are some of the status quos that we really need to begin to change in order to evolve as leaders," Olyaei said.
The disconnect between non-technical and security leaders has existed for years. In the last four years, companies have addressed the disconnect, albeit slowly. As CISOs evolve and make their contributions to overall business goals clear, companies will understand the CISO is not a catch-all for all security-related areas. The evolution of the CISO is as empowering for the individual as it is for the business.
"The challenges of remaining in this cultural disconnect or an environment with cultural disconnect means that you're going to be encouraging some of the status quos," Olyaei said. Misaligned expectations can damage a CISO, especially as blame can fall on security in the event of an incident.
In feedback provided to Gartner, one insurance business-unit leader said that, however much they engage with security, "I don't feel like they really understand my business."
Another multifirm board member told Gartner "we know we should care about cybersecurity, but when the CISO leaves the board meeting, I don't feel like I know anything new. I don't feel it."
What evolution will do
Miscommunication persists because CISOs over-invest their time and resources in areas that crowd out the true purpose of the role. CISOs spend too much time on security operations, writing policies or managing vendors, and too little on business strategy, where their time is better spent.
The pandemic has contributed to the evolution of the CISO and security leader. "The executive shift has been it's not about investment, it's not about protection levels, it's not about technology. It's about value, what is the value that you bring," Olyaei said.
"You need to be the right type of leader for the organization that you work in," he said. If a CISO were to transfer from financial services to manufacturing, "they would really need to act more like a controls manager or risk-decision owner rather than a trusted facilitator or value creator."
"It is up to the leader to be able to pull out these cards and be able to showcase these profiles," Olyaei said, as they transition from an organization or industry. "We cannot force different profiles of leaders on different types of organizations — this is where we see a lot of issues sort of fire back and come back and haunt people."
Half of CISOs expect their responsibilities to increase compared to today, Gartner found. And Gartner warns that if a CISO does not embrace changes to their role, their company is more likely to have security incidents.
"That'll add to the perception that cybersecurity is a roadblock to the organization," and perpetuate the perception security doesn't facilitate agility, Olyaei said. For "stagnant" CISOs in operations, security alerts will become fatiguing — another outcome Gartner has witnessed in "ineffective CISOs."
Four in 10 CISOs expect their remit to expand beyond information security, but many CISOs already face a related dilemma: they are made responsible for tasks that belong nowhere else, including IT mismanagement, business continuity or privacy.
"Today, the role of the CIO is becoming sort of more of a title for everything," Olyaei said.
Nearly one-third of security programs began adding at least two additional roles this year to share that load. Digital or technology risk officer, CSO, cybersecurity-proficient board members, and product security officer are among the roles relieving CISOs of some of their odd-job security responsibilities.
"We think that many organizations already have a variety of cybersecurity roles," Olyaei said. "Continue to evolve based on your organizational needs and cultural requirements."