The role of the cybersecurity leader needs to be reframed, as accountability for risk and security shifts, according to Gartner research.
When it comes to cyber threats to business, accountability is shifting as employees and leaders make more decisions that have cyber risk implications. These may lead to the CISO having less control over the scope of cyber security threats.
According to Sam Olyaei, research director at Gartner, “The CISO role must evolve from being the “de facto’” accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.”
At least 50 percent of c-suite executives are expected to have cybersecurity risk in their remits by 2026, leading to an inevitable shift that cyber risk decisions will be made without the CISOs line of view. This broadened responsibility for cybersecurity across the business has also expanded the obligations of security and risk management (SRM) leaders.
“Cybersecurity leaders are burnt out, overworked and in “always-on” mode,” said Olyaei.
“This is a direct reflection of how elastic the role has become over the past decade due to the growing misalignment of expectations from stakeholders within their organisations.”
Some misconceptions of the role include that the CISO is only responsible for preventing breaches, that cyber risk is a security problem rather than a business problem, and that security slows down progress.
Gartner reframes the role of the cyber security leader to highlight that CISOs facilitate risk management, security is a business and organisational risk, and that security enables agility in the business.
Cybersecurity is also expected to be included in ESG disclosures, with Gartner predicting that by 2026, 30 percent of large organisations will have publicly shared their cybersecurity goals — a figure that was less than 2 percent in 2021.
According to Claude Mandy, research director at Gartner, “Expectations that organisations should be more transparent about their security risks have increased, resulting in public demand for greater transparency within their ESG reporting.”
Gloss