Link Cybersecurity to Business Outcomes

CIOs need to work with executives to address cybersecurity and risk through a business lens.

Cybersecurity is no longer just an IT problem.

As digital business evolves to include ecosystems and the open digital world, cybersecurity needs to evolve from a back-office “IT” problem to an enterprisewide business consideration. These digital business needs will be supported by technologies, and the CIO will be responsible for implementing those technologies, as well as communicating to the executive team that security must be treated just like any other risk-based discipline in the business. After all, actions like securing externally owned infrastructure and establishing digital trust with customers is tied to both cybersecurity and corporate performance.

“Business value is the best lens for CIOs to appropriately manage technology risk and cybersecurity,” says Paul E. Proctor, vice president and distinguished analyst. “CIOs engaging their peer executives to better understand the business value of IT will have more rigor and defensibility when their business case is tied to corporate performance dependencies on technology.”

Build a Solid Cloud Strategy
Gartner IT Infrastructure, Operations Management & Data Center Conference 2017
Learn More

There is no such thing as perfect protection

IT professionals know there is no risk-free security. Unfortunately, executives think that with enough money and staff, IT can create a risk-free security setup. In the inevitable event of a hack or data breach, the blame falls squarely on the IT professionals. CIOs need to share the narrative that appropriate levels of security balance the need to protect with the need to run the business. This will enable more manageable expectations, and turns risk and security into a business function.

Failure to assess the risks of a specific technology are parallel to business risk failures, such as a failure to complete due diligence during a merger.

In the day-to-day of business, executives often make risk-based decisions. CIOs need to get executives to expand their understanding and appetite for risk to include technologies that now support business endeavors. CIOs should frame the risk in the context of how it affects the business outcome. Once business outcomes dependent on technology are considered at risk, business and IT leaders can decide if the risk is acceptable or if another option is needed.

People are a security problem and can be a solution

It’s well-known that people are the biggest security risk, but they can actually also be a security asset. In the digital world, there has been a huge influx of technology and employee access to options such as mobile devices with company email. Old security techniques, including centralized control with mouse pads and posters with security catchphrases, are no longer efficient or sufficient means of managing security. The new approach must be designed to directly impact behavior. People are just as vital to success and failure in security as they are in risk and failure for the business. CIOs need to create a people-centric approach to security that shapes behavior.

Act on security, don’t just talk

Most risk-assessment programs are very good at appraising risks, writing reports and surveying executives, but these reports rarely influence actual decisions and, as such, have little impact on risk. Failure to assess the risks of a specific technology are parallel to business risk failures, such as a failure to complete due diligence during a merger.

Ensure that these risk assessments are simple and to the point, and deliver just enough information and defensibility to support specific decision making on a particular project. Develop a dashboard of leading technology indicators linked to business outcomes. By mapping business outcomes to technology dependencies, CIOs will be able to identify the five to nine metrics to demonstrate both the business value of IT and the appropriate status of risk and security to executives and the board of directors. These metrics will link effective technology metrics to business outcomes to improve corporate performance.

 

PaulProctor

Gartner clients can read more in “CIOs Should Manage Technology Risk and Cybersecurity Through the Lens of Business Value,” by Paul E. Proctor.

Risk and security are a critical part of digital business. Learn how new challenges and external ecosystem are causing more risk, where people, process and cultural changes fit into cybersecurity priorities and how cybersecurity should be addressed at the new edge.

 

Get Smarter

Top 10 Strategic Technology Trends for 2018

The intelligent digital mesh is a foundation for future digital business and its ecosystems. To create competitive advantage, enterprise...

Read Free Research

Building Better Backup

More than half a century after the invention of the tape drive, backup seems to be getting more complex and more costly. Learn how to...

Start Watching

Follow #GartnerSEC

Learn more at the global Gartner Security & Risk Management Summits.

Explore Gartner Events