The role of the cyber security leader needs to evolve, says Gartner, as accountability for cyber risk moves outside IT and an increasingly distributed ecosystem leads to a loss of direct decision-making control.
Gartner analysts say that the following factors will lead to an environment where the cyber security leader will have less direct control over many of the decisions that would fall under their scope today:
- Security and risk management (SRM) leaders now invest significantly more effort into evaluating and influencing the cyberhealth of external parties.
- Employees are making more decisions with cyber risk implications, and executive committees are being established outside the scope of the cybersecurity leader.
According to a recent Gartner survey, 88 percent of boards regard cyber security as a business risk rather than solely a technical IT problem, and 13 percent have responded by instituting cyber security-specific board committees overseen by a dedicated director.
Gartner predicts that at least 50 percent of C-level executives will have performance requirements related to cyber security risk built into their employment contracts by 2026.
These factors will affect the timeliness and quality of information risk decisions, which are increasingly made by stakeholders outside IT's or security's line of sight. In response, Gartner expects an inevitable shift in formal accountability to the business leaders who answer to the CEO for delivering strategic objectives such as revenue and customer satisfaction.
As formal accountability for cyber risk shifts to the business, Gartner analysts say that the role of the cybersecurity leader must be reframed to succeed (see figure one, below).
Figure one: The Role of the Cybersecurity Leader Needs to Be Reframed. Source: Gartner (February 2022)
“The CISO role must evolve from being the de facto accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” said Sam Olyaei, research director at Gartner.
Cyber security will be included in ESG disclosures
Investor interest, public pressure, employee demands, and government regulations are strengthening the incentives for organizations to track and report cyber security goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.
As a result, Gartner predicts that 30 percent of large organizations will have publicly shared ESG goals focused on cyber security by 2026, up from less than 2 percent in 2021.
“Expectations that organizations should be more transparent about their security risks have increased, resulting in public demand for greater transparency within their ESG reporting,” said Claude Mandy, research director at Gartner. “Cyber security is no longer solely a risk to the organization, but a societal risk.”
SRM leaders will increasingly have to demonstrate an organizational commitment to reducing the social issues that may arise from cyber security incidents, such as data breaches of customer personal information; potential safety concerns from use of cyber-physical systems; potential for misuse and abuse within their products; and malicious cyberactivity against critical infrastructure.
Gartner clients can read more in “Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”. Learn about the top priorities for security leaders in 2022 in the 2022 Leadership Vision for Security & Risk Management Leaders.