Accountability for cybersecurity risk is shifting outside of IT, and the role of the cybersecurity leader needs to evolve, Gartner says in a new report.
According to Gartner, security and risk managers are investing more effort into evaluating and influencing the cyberhealth of external parties, employees are making more decisions with cyber risk implications and executive-level committees are being established outside the scope of the cybersecurity leader.
The firm’s analysts say those factors will lead to an environment where cybersecurity leaders will have less direct control over many decisions that would normally fall under their scope today.
Due to the growing misalignment of expectations from stakeholders, cybersecurity leaders are becoming burnt out and overworked, says Sam Olyaei, research director at Gartner, in a statement.
“The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” said Olyaei.
According to Gartner, 80% of boards review cybersecurity as a business risk rather than just an IT issue, and 13% of organizations now have a cybersecurity-specific board overseen by a dedicated director.
Now, at least 50% of C-level executives will have performance requirements related to cybersecurity risk by 2026, which impacts the timeliness and quality of information risk decisions, which are being made outside of IT’s line of sight.
As a result, Gartner expects to see a shift in accountability to business leaders who are responsible to the CEO, the firm says.
With pressure from investors, the public, employees and regulations strengthening incentives for tracking cybersecurity metrics within environmental, social and governance (ESG) efforts, Gartner predicts that 30% of large organizations will share ESG goals focused on cybersecurity by 2026, up from less than 2% last year.
“Expectations that organizations should be more transparent about their security risks have increased, resulting in public demand for greater transparency within their ESG reporting,” said Claude Mandy, research director at Gartner. “Cybersecurity is no longer solely a risk to the organization, but a societal risk.”
Leave a Reply