Announcement posted by Gartner 25 Feb 2022
25 February 2022 — The role of cybersecurity leader needs to evolve, as accountability for cyber risk shifts outside IT and an increasingly distributed ecosystem leads to a loss of direct decision-making control, according to Gartner, Inc.
Security and risk management (SRM) leaders now invest significantly more effort into evaluating and influencing the cyberhealth of external parties. Employees are making more decisions with cyber risk implications, and executive committees being established outside the scope of the cybersecurity leader.
Gartner analysts said that these factors will lead to an environment where the cybersecurity leader will have less direct control over many of the decisions that would fall under their scope today.
“Cybersecurity leaders are burnt out, overworked and in “always-on” mode,” said Sam Olyaei, research director at Gartner. “This is a direct reflection of how elastic the role has become over the past decade due to the growing misalignment of expectations from stakeholders within their organisations.”
Accountability for cyber risks will expand beyond IT
Eighty-eight percent of boards regard cybersecurity as a business risk rather than solely a technical IT problem, according to a recent Gartner survey. Thirteen percent have responded by instituting cybersecurity-specific board committees overseen by a dedicated director.
Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.
This impacts the timeliness and quality of information risk decisions, which are increasingly being made by stakeholders outside of IT or security’s line of sight. In response, Gartner expects to see an inevitable shift in formal accountability to business leaders who are responsible to the CEO for delivering strategic objectives, such as revenue and customer satisfaction.
As formal accountability for cyber risk shifts to the business, Gartner analysts said the role of the cybersecurity leader must be reframed to succeed (see Figure 1).
Figure 1: The Role of the Cybersecurity Leader Needs to Be Reframed
Source: Gartner (February 2022)
“The CISO role must evolve from being the “de facto’” accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” said Olyaei.
Cybersecurity will be included in ESG disclosures
Investor interest, public pressure, employee demands, and government regulations are strengthening the incentives for organisations to track and report cybersecurity goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.
As a result, Gartner predicts that 30% of large organisations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.
“Expectations that organisations should be more transparent about their security risks have increased, resulting in public demand for greater transparency within their ESG reporting,” said Claude Mandy, research director at Gartner. “Cybersecurity is no longer solely a risk to the organisation, but a societal risk.”
SRM leaders will increasingly have to demonstrate an organisational commitment to reducing the social issues that may arise from cybersecurity incidents, such as data breaches of customer personal information; potential safety concerns from use of cyber-physical systems; potential for misuse and abuse within their products; and malicious cyberactivity against critical infrastructure.
Gartner clients can read more in “Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”. Learn about the top priorities for security leaders in 2022 in the 2022 Leadership Vision for Security & Risk Management Leaders.
About Gartner Security & Risk Management Summit
Gartner analysts present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits 2022, taking place February 14-15 in the Middle East, June 7-10 in National Harbor, MD, 21-22 June in Sydney, 25-27 July in Tokyo and September 12 - 14 in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.
About Gartner for Information Technology Executives
Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organisations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.
Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organisation’s mission critical priorities. To learn more, visit gartner.com.