Gartner: Why the cybersecurity leader’s role must evolve

The role of cybersecurity leader needs to evolve, as accountability for cyber risk shifts outside IT and an increasingly distributed ecosystem leads to a loss of direct decision-making control.

According to Gartner, security and risk management leaders now invest significantly more effort into evaluating and influencing the cyber health of external parties, while employees are making more decisions with cyber risk implications, and executive committees are being established outside the scope of the CISO.

And it is these factors, say Gartner analysts, that will ultimately lead to an environment where the cybersecurity leader will have less direct control over many of the decisions that would fall under their scope today.

“Cybersecurity leaders are burnt out, overworked and in ‘always-on; mode,” says Sam Olyaei, research director at Gartner. “This is a direct reflection of how elastic the role has become over the past decade due to the growing misalignment of expectations from stakeholders within their organisations.”

Accountability for cyber risks will expand beyond IT

According to a recent Gartner survey, 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem, and 13% have responded by instituting cybersecurity-specific board committees overseen by a dedicated director.

Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.

This impacts the timeliness and quality of information risk decisions, which are increasingly being made by stakeholders outside of IT or security’s line of sight. In response, Gartner expects to see an inevitable shift in formal accountability to business leaders who are responsible to the CEO for delivering strategic objectives, such as revenue and customer satisfaction.

As formal accountability for cyber risk shifts to the business, Gartner analysts said the role of the cybersecurity leader must therefore be reframed in order to succeed.

Comments are closed.