Whose Job Is It to Manage Cybersecurity? Hint: Stop Pointing at the CIO

November 30, 2021

Contributor: Kasey Panetta

Shared responsibility for cybersecurity and its impacts will come about when CIOs and CISOs equip the business to actively participate in decision making.

Security eBook: 2022 Leadership Vision

The past two years have seen a drastic uptick in major cybersecurity events, from Colonial Pipeline and SolarWinds to the JBS meat production company. Given the high cost and high frequency of cyberbreaches, 88% of boards of directors now acknowledge that cybersecurity is a business risk and not just an IT problem — up from 58% just five years ago.

Yet organizations have not changed the culture of accountability to reflect these updated views. The CIO or CISO still carry primary responsibility for cybersecurity in 85% of organizations that responded to the Gartner View From the Board of Directors Survey 2022.

Download now: 3 Steps to Stop Employees From Taking Cyberbait 

“CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders,” says Paul Proctor, Distinguished VP Analyst at Gartner. “They are thought of as the ultimate decision maker and authority for protecting the enterprise’s security, but really, business leaders make decisions every day that impact the organization’s security. They should share accountability.”

To facilitate the shift toward a shared responsibility model for cybersecurity, be proactive and work with your board to establish governance models that share responsibility, and with business leaders to create a program of controls that balances protection with business needs. Begin with a short-term exercise of assessing the current state of cybersecurity as a business issue, followed by a longer-term set of actions to define a new shared-accountability governance model.

Cybersecurity accountability still falls mostly within IT

Guide: Everything You Need to Know About Cybersecurity

5 questions to assess the current state of cybersecurity as a business issue

These questions can give you an initial sense of how prepared the business is to share responsibility with IT for cybersecurity:

  1. Can the organization make risk-informed decisions without facilitation from security personnel?
  2. Can IT explain the business value of each security control?
  3. What do the metrics related to the organization’s security controls reflect: the levels of protection (technology perspective) or the operational functions (business perspective)?
  4. What proportion of time on security decision making is spent on fear, uncertainty and doubt compared with business goals?
  5. Is the security program defensible with customers, shareholders and regulators?

Read more: 4 Metrics That Prove Your Cybersecurity Program Works

Shifting toward shared accountability

With clarity about how ready your organization is to share cybersecurity accountability, you can take steps to involve other business leaders in decisions and trade-offs. For example:

  1. Share cybersecurity decisions. Present the available options related to cybersecurity approaches and investments, and include the risks and costs associated with each. Providing information and involving business leaders in the decision makes them more likely to accept responsibility.
  2. Communicate the optimal balance of risk, value and cost. Help prioritize cybersecurity investments by measuring the amount of value each business unit produces in relation to their readiness to address known risks, as well as the cost of doing so. Create a visual matrix to enable fast, cross-business-unit comparisons.
  3. Use credibility and reputation — not fear — to motivate accountability. Focusing on shared goals will go far in fostering communication and collaboration with business side partners.

Experience Information Technology conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.