We are bringing you news and highlights from the Gartner Security & Risk Management Summit, taking place this week virtually in the Americas. Below is a collection of the key announcements and insights coming out of the conference. You can also read the highlights here from Day 1 and Day 2.
On Day 3 from the conference, we are highlighting how to treat cybersecurity as a business decision, the impact of diversity on the security function and the evolution of the CISO role.
Presented by Paul Proctor, Distinguished VP Analyst, Gartner
Many current approaches to cybersecurity are falling short of their promise to deliver. In this session, Paul Proctor, Distinguished VP Analyst at Gartner, explained how treating cybersecurity as a business decision helps engage decision makers and balance accountability for cyber risk among IT and business leadership.
“Cybersecurity investment is broken, and we need to go beyond current thinking to fix it.”
“88% of Boards of Directors now report that cybersecurity is viewed as a business risk.”
“The purpose of a security program is not to ensure we don’t get hacked; that’s an impossible goal. The purpose of a security program is to balance the needs to protect with the needs to run the business.”
“Most cybersecurity investment is based on the existence of a tool or a capability, but very little of it is based on the protection delivered.”
“Emerging laws aim to hold Board members personally accountable for cybersecurity failures, and the effect is that it’s become unacceptable to point out risks in a Board presentation. This lack of transparency is the antithesis of treating cybersecurity as a business decision.”
“Business information security officers are only as good as the business context of their underlying governance model.”
“Stop advocating for cybersecurity and offer the business choices.”
Learn more in the Gartner press release “Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk.”
Presented by Tricia Phillips, Sr Director Analyst, Gartner
STEM careers are starving for diversity, equity and inclusion (DE&I) and it’s up to the C-suite to take greater notice and be the greatest change agents. In her session, Tricia Phillips, Sr Director Analyst at Gartner, provided actionable guidance for CISOs and CIOs to uncover blatant gaps in DE&I initiatives within their workforce and foster change that will benefit enterprises in the long-run.
“It's no secret: DE&I initiatives in the security workforce are dismal. This is already proving detrimental to many organizations.”
“Over 3.5 million cybersecurity jobs are unfilled, so there’s no room to lose good talent or miss out on future leaders who may be overlooked unintentionally.”
“Diverse and inclusive teams don’t just look good on paper. They are shown to make better decisions, innovate, perform better and intend to stay.”
“DE&I often feels too big and too intangible but can be tackled by checking our own biases, instilling DE&I in security operations and redesigning the hiring process to be more inclusive.”
“Biases are inevitable but they are avoidable. The 5 ways to combat bias include 1) educating yourself 2) actively listening 3) interrupting bias and discrimation 4) advocating for underrepresented groups and 5) committing to awareness.”
“To create a more resilient security team, focus on the needs of people by identifying stretch opportunities and building advancement opportunities.”
Presented by Sam Olyaei, Director Analyst, Gartner
In a world of change and uncertainty, the CISO role continues to evolve, with some taking on more business responsibilities, while others stay focused on IT-oriented and operational tasks. In this session, Sam Olyaei, Director Analyst at Gartner, explored the different types of CISOs and what the future looks like for the role.
“A lot of business leaders believe that cybersecurity is a technical problem, and that it is not there to facilitate business outcomes.”
“There’s a cultural disconnect between what the business is looking for and what the cybersecurity leader is thinking about.”
“Many CISOs start as a controls manager, there to manage security operations, secure the perimeter, protect infrastructure and implement controls. It’s a tactical and technology-focused role.”
“Today, most of us are ‘chief information scapegoat officers’ — leaders that have evolved away from tactical aspects and have now incorporated a lot of the risk management disciplines into cybersecurity.”
“The next evolution is a trusted facilitator, where the leader and the function shifts its focus away from the technology-oriented discipline to a pure risk management focus. The goal of the cybersecurity leader in this role is to provide assurance.”
“The final evolution of this role is the idea of becoming a valued leader. At this level, the leader is responsible for enabling business decisions.”
Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission-critical priorities. To learn more, visit gartner.com.
Meghan Rimol
Gartner
Meghan.Rimol@Gartner.com
