Treating cybersecurity as a business function was a recurring theme throughout Gartner’s Security and Risk Management Summit this week.
Security leaders who focus on innovation, forward-looking strategy, and the role of security in supporting digital transformation efforts will be viewed as critical business partners who help create business value, said Tina Nunno, distinguished research vice president and Gartner Fellow. As security leaders build closer working relationships with stakeholders across the enterprise, including executive leaders as well as line-of-business leaders, they will be treated as partners rather than as an internal service provider.
“CISOs who find themselves frequently apologizing or explaining security incidents are likely taking a defensive stance, which often results in security being siloed into a service provider role,” Nunno said during the summit’s keynote.
The time is ripe for collaborating with senior executives and board members, as they focus more on cybersecurity. In the 2021 Gartner Global Security and Risk Management Governance Survey, 57% said the CIO, CEO, and other senior stakeholders have become better educated on the value of security and risk management. Separately, in the 2022 Gartner Board of Directors Survey, 88% of boards of directors said they viewed cybersecurity as a business risk, as opposed to a technology risk.
Shared Accountability is Key
Even with greater security awareness, accountability still rests solidly with the organization's security group. In the 2021 Gartner Global Security and Risk Management Governance Survey, 85% of organizations said the CIO, CISO, or an equivalent role was the top person held accountable for cybersecurity. That accountability needs to be rebalanced, because business leaders make decisions every day that affect the organization's security, and those decisions are frequently made without consulting the CIO or CISO, said Paul Proctor, distinguished research vice president at Gartner.
“The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve,” Proctor says.
Nunno echoed the sentiment that the responsibility for securing the enterprise should be shared between security leaders and executives outside of IT, noting that the work goes beyond just the security team.
Gartner estimates that by 2024, 60% of CISOs will establish critical partnerships with key market-facing executives in sales, finance and marketing, up from less than 20% today.
Getting Better at Talking About Risk
When engaging with business stakeholders, security leaders should identify only the organization's own risks, not those of the industry or of competitors, said Jeffrey Wheatman, vice president of advisory at Gartner. Security leaders should also avoid heavy technical jargon when describing those risks. "Technology-related risks" is an effective way to describe the risks the organization faces as a result of technology, and the phrase works when talking about intellectual property protection, regulatory compliance, and resilience, Wheatman said.
It's also important not to present risks only as negatives, such as the revenue loss or customer-experience impact that follows if a risk is not addressed. Risk can also be a positive: taking a risk on a new technology can directly benefit the organization.
Another thing to remember is to adjust the communication to match the audience. Many business stakeholders know that cybersecurity is important for the business, but they don't know why, or can't clearly explain why, Wheatman said. Detailed security plans may be too in-the-weeds to resonate with business leaders. Instead, tie the details to business goals and priorities. If the organization relies heavily on the cloud, for example, framing controls as something that helps move the business toward its cloud goals will land better with stakeholders than a list of technical measures, Wheatman said.
It is okay if the business goals are too “fluffy and abstract,” Wheatman said, as that gives security leaders some flexibility. Security and risk executives may not be able to map specific security tasks to business goals such as raising revenue by a certain percentage year over year, but they can talk about how their activities improve the organization.
"But you can talk about being the best, you can talk about reputation," Wheatman said.