Business making decisions every day that impacts security

Contributed Article
September 12, 2022 12:39 pm
Paul Proctor, Distinguished VP Analyst, Gartner

The past two years have seen a drastic uptick in major cybersecurity events, from Colonial Pipeline and SolarWinds to the JBS meat production company. Given the high cost and high frequency of cyberbreaches, 88% of boards of directors now acknowledge that cybersecurity is a business risk and not just an IT problem — up from 58% just five years ago.

Yet organisations have not changed the culture of accountability to reflect these updated views. The CIO or CISO still carry primary responsibility for cybersecurity in 85% of organisations that responded to the Gartner View From the Board of Directors Survey 2022.

CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders. They are thought of as the ultimate decision maker and authority for protecting the enterprise’s security, but really, business leaders make decisions every day that impact the organisation’s security. They should share accountability.

To facilitate the shift toward a shared responsibility model for cybersecurity, be proactive and work with your board to establish governance models that share responsibility, and with business leaders to create a program of controls that balances protection with business needs.

Begin with a short-term exercise of assessing the current state of cybersecurity as a business issue, followed by a longer-term set of actions to define a new shared-accountability governance model.

Checklist to assess state of cybersecurity as a business issue

#1 Can the organisation make risk-informed decisions without facilitation from security personnel?

#2 Can IT explain the business value of each security control?

#3 What do the metrics related to the organisation’s security controls reflect?

#4 What proportion of time on security decision making is spent on fear, uncertainty, doubt compared with business goals?

# Is the security programme defensible with shareholders and regulators?

Action plan to involve business in security decision making

#1 Share cybersecurity decisions

Present the available options related to cybersecurity approaches and investments, and include the risks and costs associated with each. Providing information and involving business leaders in the decision makes them more likely to accept responsibility.

#2 Communicate optimal balance of risk, value, cost

Help prioritise cybersecurity investments by measuring the amount of value each business unit produces in relation to their readiness to address known risks, as well as the cost of doing so. Create a visual matrix to enable fast, cross-business-unit comparisons.

#3 Use credibility and reputation, not fear to motivate accountability

Focusing on shared goals will go far in fostering communication and collaboration with business side partners.

Key Takeaways

  • 88% board of directors acknowledge that cybersecurity is a business risk and not just an IT problem.
  • Business leaders make decisions every day that impact the organisation’s security and should share accountability.
  • Organisations have not changed the culture of accountability to reflect updated views.
  • CIO and CISO still carry primary responsibility for cybersecurity in 85% of organisations surveyed in 2022.

CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders.

Paul Proctor, Distinguished VP Analyst, Gartner
Paul Proctor, Distinguished VP Analyst, Gartner.

Tags: