Maverick Research: CISOs Must Transform Their Role or Become Obsolete

19 June 2025 - ID G00826530 - 14 min read
By Will Candrick
Chief information security officers are now highly visible executive leaders in one of the fastest-growing risk domains — cybersecurity. But cyber incidents are now the norm, so what happens to CISOs when leadership no longer fears cyber incidents?

Overview


Specific Maverick Caution

Today, cyber risk is a top executive and board-level concern. This Maverick research challenges conventional wisdom that this trend will continue. This controversial research argues that C-suites and boards will reduce their fear-based spending on cybersecurity as incidents continue to normalize. As a result, the chief information security officer (CISO) role will decline, rather than grow in importance and influence. Maverick findings and advice should be treated with caution.

Maverick Findings

  • Organizations face far less cyber risk than executive leaders fear. Leaders miscalculate the classic equation: “risk = likelihood x impact.” Over the long term, the likelihood of a major incident approaches certainty, but historical trends show that the impact of incidents is far lower than leadership thinks.
  • Data breaches are the norm. The vast majority of valuable data — including personally identifiable information (PII) — has been (or will be) breached, many times over.1,2 Once most data is stolen, there’s not much more to lose. The expectation that sensitive data can ever be safe is eroding.
  • Increased cybersecurity transparency — driven by media coverage and regulatory disclosures — will continue to destigmatize breaches. The more incidents are reported and discussed, the less scary those incidents become.

Maverick Recommendations

  • Prepare for a near future when leadership values minimally effective — not exceptional — cybersecurity. Plan now to deliver cybersecurity at exceptional efficiency to make room for the priorities that executive leaders value more.
  • Redefine the CISO job description and mandate around cyber resilience — not protection. Pivot the CISO role to “chief cyber resilience officer” and away from the role’s legacy as “chief cyber protection officer.”
  • Expand the CISO remit to deliver value creation and support profit centers. These emerging opportunities include evangelizing the safe adoption of GenAI, modernizing business continuity, supporting sales cycles (automating third-party risk and compliance assessments, for example) and even boosting physical safety by securing cyber-physical systems.

Strategic Planning Assumption


By 2030, 75% of CISOs at large enterprises will expand their role to include cyber resilience and direct value creation.

Maverick Research


Gartner Maverick* research delivers breakthrough, disruptive and sometimes contradictory ideas that challenge conventional thinking. Formed in our research incubator, it is designed to explore alternative opportunities and risks that could influence your strategy.

Analysis


Introduction

The CISO role first emerged in 1995.3 Thirty years later, CISOs are now highly visible executive leaders in one of the fastest-growing risk domains — cybersecurity. This risk is a top priority across leadership agendas, including CIOs, CEOs and boards. Conventional wisdom suggests the threat landscape will further accelerate the ascension of CISOs.
As cyber incidents become normalized,4,5,6 C-suites and boards will reduce fear-based spending. Risk appetites will increase as organizations realize cyber risks are not the existential threats once assumed.
As a result, CISOs will face impending obsolescence. The role of “chief incident protection officer” will no longer be valued by leadership, and absorbing data breaches will merely be the cost of doing business.
So what happens to CISOs when leadership no longer fears data breaches?
To stay relevant, CISOs must transform their role. Take these three actions now to deliver what leadership will soon expect from their CISOs:
  1. Deliver minimally viable — not exceptional — cybersecurity that focuses on minimizing the impact of inevitable breaches.
  2. Redefine the CISO’s core mandate around cyber resilience — not protection.
  3. Expand the CISO’s remit to deliver value creation and support profit centers.

Deliver Minimally Viable — Not Exceptional — Cybersecurity

Cybersecurity is a frequent topic of discussion across C-suites and boardrooms. More than 80% of CISOs present to the board two or more times a year, and nearly 60% do so quarterly or more. Nearly 75% of CISOs also present to the C-suite quarterly or more.7
Yet, in reality, cyber risk is vastly overstated. Historically, business leaders have mentally miscalculated cyber risk. They assume effective CISOs can protect against incidents when given sufficient resources and support. This urgency has been driven by the assumption that the impact from cyber incidents is lasting and sufficient to cause existential risk.
But these assumptions do not reflect reality. Risk is conventionally defined as “risk = likelihood x impact.” In reality, the likelihood of suffering an incident becomes inevitable in the long run. Yet the acute impacts of a cyber crisis cause fleeting harm that organizations typically recover from in full. Cyber risk is a nuisance, not an existential threat (see Figure 1).
Figure 1: Cyber Risk — Myth Versus Reality
TBD
When C-suites and boards inevitably recalibrate their cybersecurity assumptions, their expectations of the CISO will evolve. Fear-based cybersecurity spending will give way to a “sufficient security” mindset. CISOs will be expected to deliver minimally viable cybersecurity with exceptional efficiency, as opposed to exceptional cybersecurity at high cost.
Cyber incidents are now a normal occurrence. Fear-based cybersecurity spending will diminish, and C-suites will grow more comfortable simply “writing a check” when cyber incidents occur.
As a result, CISOs face a crossroads. They can either run cybersecurity as an arms race against threats that executive leaders no longer fear, or evolve to meet new leadership expectations.

Challenge: The Cybersecurity Arms Race Is Over

The cybersecurity arms race is over because executive leaders no longer fear cyber incidents. Such threats will no longer drive budget increases, increase personal visibility or elevate CISOs into the C-suite.
Multiple trends reinforce this new reality, including:
  • Breach disclosure laws increase transparency and normalize cyber incidents as a routine occurrence: These include the SEC cybersecurity disclosure rules, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). As incident disclosures increase, they diminish from “black swan” events to just another periodic cost of doing business (see Note 1).
  • Maturing cybersecurity laws, regulations and frameworks establish acceptable baselines: Consider the Digital Operational Resilience Act (DORA), the NIS2 Directive and NIST CSF 2.0. Updated national and global standards provide prescriptive guidance on acceptable levels of cybersecurity, which gives executive leaders greater confidence to embrace a minimally viable cybersecurity mindset.
  • Past “mega breaches” show that cyber incidents are survivable: A multidecade history of data breaches shows that cyber risks are rarely existential. While the short-term impacts may be painful — and personally impactful — the mid- to long-term enterprise impacts are typically negligible.8 This established pattern reinforces that suffering a major cyber incident is simply a matter of “writing a check” and moving on.
Consider these notable historical examples:
  • Equifax (2017): The breach exposed over 150 million records, including names, social security numbers, birth dates, addresses and credit card numbers. Equifax’s settlements totaled $700 million, and media coverage of the breach was intense and prolonged.
  • Marriott (2018): Multiple breaches exposed personal information of over 350 million customers, including names, addresses, phone numbers, email addresses, birthdays, loyalty account information and over 5 million passport numbers. Marriott agreed to pay $52 million in settlements and committed to improving their cybersecurity practices.

CISO Opportunity: Rethink the Cybersecurity Function

CISOs must reshape their function — and their role — for this new reality, or face obsolescence. To get started, CISOs must first optimize their programs to deliver sufficient — but not exceptional — cybersecurity. These preparations include:
  • Advise the business to accept — not minimize — cyber risk: Historically, risk acceptance has been the last choice in cyber-risk treatment. Rather, risk mitigation, avoidance or transfer came first — and acceptance remained the option of last resort. CISOs must flip their advice toward informed risk acceptance first, and only pursue alternative measures where absolutely needed.
  • Optimize current spending, rather than seeking more funding: Growth in cybersecurity spending has exceeded revenue growth and IT budget growth over the past five years (see IT Key Metrics Data 2025: IT Security Measures — Analysis). This trend cannot continue indefinitely. CISOs must optimize how they spend and allocate their current resources — rather than seeking additional funding every year.
  • Adopt lean, federated organizational models: By 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility — up from 41% in 2022 (see CISO Effectiveness: Security Operating Models Are Evolving). As a result, top-down, highly centralized cybersecurity operating models will fail. Instead, CISOs must restructure cybersecurity into a lean, centralized function that supports a broad, federated set of experts and fusion teams embedded across the enterprise. This scales cybersecurity across the edge of the enterprise, closer to where technology and risk decisions are made and implemented.

Redefine the CISO’s Core Mandate Around Resilience — Not Protection

Cyber incidents are now a normal — even mundane — occurrence. The initial shock-and-awe and salacious media coverage of massive breaches has evolved toward matter-of-fact reporting that moves on after a few news cycles. As a result, CISOs must prepare for what senior leadership will want (resilience) over what they once wanted (protection).

Cyber Incidents Aren’t News Anymore

Cyber incidents are now a mundane part of life. For example, consider these incident trends. In the United States alone, 61% of people have experienced a breach, and 44% have experienced multiple breaches.1 Globally, 3,158 publicly reported data breaches impacted more than 350 million people in 2024, nearly tying the all-time record of 3,205 set in 2023.9,10 From 2020 to 2024, over 9,000 breaches involving sensitive records were publicly reported.
People are desensitized to data breaches. Once your data is breached multiple times, the shock and fear of being breached — yet again — diminishes.
Cyber incidents are no longer feared as they once were. Executive leaders will no longer spend additional resources for the sole purpose of avoiding cyber incidents.

Cyber Resilience Is the New Cybersecurity

The CISO role is evolving from “chief cyber protection officer” to “chief cyber resilience officer.” As a result, CISOs must pivot their focus from traditional cybersecurity (a protection mindset) to cyber resilience.
Cyber resilience is the ability to anticipate, withstand, recover from and adapt to cyberattacks in order to minimize business disruption from cyber incidents.
Cyber resilience embraces a “when, not if” mentality, and seeks to minimize the harm of cyber incidents on the enterprise, rather than engage in dated notions of outright prevention. To achieve this, cyber resilience requires an expanded set of capabilities (see Figure 2).
Figure 2: Gartner Cyber Resilience Framework
TBD
CISOs must take these actions today to prepare for a future that prioritizes resilience:
  • Adopt a cyber resilience framework: Build upon existing frameworks — such as NIST CSF 2.0 — to add resilience components. These components must expand into capabilities that help minimize the impact of threats and realized incidents — such as the ability to absorb, adapt and even deter attacks.
  • Revise board and C-suite communication: CISOs must eliminate traditional cybersecurity language from all board and C-suite presentations and conversations — and replace this language with cyber resilience terminology and philosophies (see Table 1).

Table 1: Examples of Cyber Resilience Language

  Cybersecurity language                 | Cyber resilience language
  “If we have a breach…”                 | “When we have a breach…”
  “We’re reducing risk…”                 | “We’re maximizing resilience…”
  “Our top cyber risks are…”             | “Our cyber resilience strategy is…”
  “We protect against this threat by…”   | “When this threat occurs, we will react by…”

Source: Gartner

Bring More Resilience Capabilities Under the CISO

Cyber resilience requires close coordination across multiple capabilities, including:
  • Business continuity (BC)
  • Disaster recovery (DR)
  • Third-party (supply chain) risk management
  • Business impact analysis (BIA)
To be effective, CISOs must bring these capabilities within their functions or establish close co-management with peers, such as the CIO, chief operations officer, general counsel and procurement.

Expand the CISO’s Remit to Deliver Business Value

CISOs must proactively expand their remit beyond cybersecurity and embrace opportunities to deliver value creation and support profit centers or mission outcomes. Leaning into these opportunities pivots the CISO’s role from purely cyber risk management — an area of diminishing importance — closer to C-suite priorities, such as profit and mission outcomes.
This expansion is not a self-serving power play. CISOs — and their teams — have transferable skills that provide value across the enterprise, outside of core cybersecurity.
Examples of an expanded CISO remit to deliver value include:
  • Evangelize GenAI adoption: Extend beyond securing GenAI to proactively identify GenAI business cases, fast-track adoption and optimize business outcomes. Position the CISO as a GenAI evangelist who uniquely brings both technical expertise and business acumen to GenAI transformation.
  • Strengthen supply chains: Expand third-party risk management into a holistic supply chain management capability. CISOs have special insight into third-party cyber risks, technology interdependencies, business process reliance on suppliers, and the connection between business outcomes and technology stacks (including BIA).
  • Improve sales cycles: Cybersecurity and privacy compliance are increasingly important to procurement. CISOs are uniquely positioned to accelerate and improve how their sales teams navigate customer cybersecurity requirements in order to shorten — and strengthen — the sales cycle. Approaches include automating third-party risk assessments (and even using GenAI to draft responses) and co-building sales collateral to address buyer objections.
  • Manage digital brand protection: CISOs have unique access to threat intelligence, technical expertise and internal stakeholders (such as product management and marketing) to manage digital brand protection. This includes monitoring social media, threat actor channels and forums, and threat intelligence feeds — and automating domain takedowns and other actions to deter and mitigate brand spoofing and other brand-damaging behaviors.
  • Push business technology adoption: CISOs must expand their role from just securing technology to driving the fast, safe and innovative adoption of technology. This includes GenAI adoption and broader technology innovation, such as quantum computing and low-code/no-code solutions. CISOs must transform the C-suite’s view of cybersecurity from a roadblock to speed into a driver of technology innovation and adoption.
  • Navigate government policy changes: The current period of rapid government policy changes and growing global conflict exposes organizations to sudden operational and cost shocks. CISOs must step up to lead organizations through these challenges — including areas such as data sovereignty, data repatriation, supply chain changes, insider threats and cost optimization.

Evidence


7 2023 Gartner Evolution of the Cybersecurity Leader and their Function Survey: This survey was conducted to understand the evolution of the role and responsibilities of cybersecurity leaders or CISOs. The survey was conducted online from 31 July to 13 September 2023 among 318 respondents (n = 211 from a vendor panel and n = 107 from a list of conferences). The geographical representation came from North America (n = 112 in the U.S. and Canada), Latin America (n = 42 in Brazil, Argentina, Honduras, Mexico, Chile and Ecuador), Asia/Pacific (n = 62 in India, Australia, Singapore, Taiwan, Japan, Thailand, China, South Korea, Malaysia and Tajikistan) and EMEA (n = 102 in Germany, France, U.K., Portugal, Netherlands, Norway, Switzerland, Italy, Denmark, Spain, Belgium, Sweden, Austria, Israel, U.A.E., Kuwait, Serbia, Saudi Arabia and South Africa). Respondent organizations had $50 million or more in 2022 enterprisewide annual revenue, and 100 or more employees. Respondents were required to be team members and have some responsibility for their organization’s cybersecurity/risk function and were required to be up to two layers away from their CISO/head of cybersecurity.
Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.
9 Identity Theft Resource Center: 2024 Data Breach Report, Identity Theft Resource Center (ITRC).
10 2023 Annual Data Breach Report, Identity Theft Resource Center (ITRC).

Note 1: Black Swan Events


The black swan theory is based on an ancient saying that confidently asserted that black swans did not exist — until they were discovered in Australia. It was popularized in the book, “The Black Swan: The Impact of the Highly Improbable,” by Nassim Nicholas Taleb.