To Succeed, CISOs Shift Strategies
Remote work is hugely popular with large swaths of the workforce. Many organizations find that this new arrangement results in higher productivity. According to research on remote workers from May 2020 through March 2021, nearly six out of 10 said they were more productive working remotely than they expected to be, and 40 percent said they were more productive than they were in the office. Many workers who said they could get their jobs done at home noted that they would like to continue to work remotely at least part time.
But remote work significantly impacted security measures. The perimeter spread from one campus to thousands of individual homes, intellectual property is now accessed via home Internet routers, and layers of carefully constructed security controls had to be bypassed to enable work to continue off-premises.
“That forced executives to say ‘Well, why did we have those in the first place,’” says Sam Olyaei, research director for Gartner’s Security and Risk Management Group. “‘How can we secure an environment when it’s no longer one office but it’s now 3,000 offices because 3,000 people work in different environments?’”
Just as the COVID-19 pandemic accelerated digital transformation and remote work adoption, the past two years have heightened the need for security leaders—CSOs, CISOs, and risk managers overall—to shift their position within the company to add and communicate value.
“That forced the CISO role to change—it’s no longer about managing controls, it’s about facilitation,” Olyaei says. “It’s coming to the point where the role of the CISO is more of a governance role than a technology role.”
This shift requires a change in critical thinking and prioritization, both from the security leader and the organization at large.
“Security and risk management (SRM) leaders are being squeezed between an increasingly aggressive threat environment and the unrealistic expectation that the chief information security officer won’t ever interfere with business unit computing,” according to Gartner’s report Leadership Vision for 2022: Top 3 Strategic Priorities for Security and Risk Management Leaders. “Successful CISOs recognize these misconceptions and actively work to change them in 2022 and beyond.”
For example, the report said organizational leaders may believe that the CISO is on board just to prevent breaches. Instead, the CISO should reframe that misconception: the security leader is there to facilitate risk management.
“In general, you can certainly see a shift away from the tactical relationship that used to exist, where security would go to the business and talk about technology and projects,” Olyaei says. “We’re seeing that shift more towards it being a value conversation, where really the executives are less interested in the technology and the controls that the organization has and are more interested in the type of value that brings to the organization.”
Part of that shift is a matter of influencing perceptions, reframing security as a value generator and competitive advantage—not a cost center. The other part of it is more challenging, Olyaei says. The new perception of security requires the personality and skill set to match.
It would be challenging for someone who came up through the ranks of the IT function to be tapped as a CISO by default, he says, because he or she may not have the business experience to succeed in the current environment.
“Every organization requires a certain type of CISO,” Olyaei continues. “That’s why you see a lot of CISOs struggle when they get a higher paying job in a different industry. If a CISO from a large bank moves to a healthcare organization, well, the requirements are completely different, and the cultures are completely different.”
Gartner conducted an in-depth analysis of 129 CISOs for its CISO Effectiveness Index in early 2020, measuring security leaders against four key areas: functional leadership, information security service delivery, scaled governance, and enterprise responsiveness. Only 12 percent of CISOs surveyed excelled in all four categories, with many allocating more resources and time toward tactical activities than they would like. The index noted that the emergence of COVID-19 only exacerbated the need for CISOs to focus on agility and strategy.
Researchers found that the top third of CISOs adopted five game-changing behaviors that differentiated high performers from the rest of the pack. The most effective CISOs initiated discussions on evolving norms to keep ahead of threats; prioritized keeping decision makers aware of current and emerging risks to the enterprise; proactively engaged in securing emerging technologies; formalized an actionable succession plan; and defined risk appetite through collaboration with senior business decision makers.
The last area—defining risk appetite with the appropriate stakeholders—requires significant soft skills and communication, Olyaei says. The security leader needs to be able to communicate the value of security at the board level, identifying emerging risks and explaining that it is okay to accept a certain level of risk, provided it is being monitored.
But Gartner analysis in its Leadership Vision for 2022 report shows that nearly a quarter of directors are dissatisfied with the quality of current cyber risk information that management provides them. So, the appetite for frequent and thorough briefings is present from business units to the boardroom.
There are, however, some unrealistic expectations from stakeholders. The Leadership Vision for 2022 report noted that one in five workers have considered themselves digital technology experts since the beginning of COVID-19, but their consumer IT experience may not translate to enterprise security practicalities. It is up to the security and risk management leader to align culture, communications, and future talent recruitment initiatives to bridge those gaps in understanding at all levels of the organization.
Gartner set three levels of relationship priorities for security and risk managers: table stakes (working with the CIO, head of applications, head of infrastructure, and head of project management); value-building (connecting with the CEO, head of sales, communications leader, chief financial officer, and others); and differentiators. The latter category reaches primarily client-facing roles, including business unit leaders, chief marketing officers, and boards of directors.
“Building relationships with business unit heads, heads of sales, and heads of marketing is key as these are the exact areas where increased technology use is leading to a higher volume and variety of information risk decisions,” the report said.
“Even though the CISO may be the leader of the security organization, they are not the only ones making security decisions at the organization,” Olyaei adds.
HR directors are making purchasing decisions around remote work tools, product developers are building digital services and tools, and marketing teams leverage data analytics to gain insights on customer behavior. While the CISO may not control these decisions, he or she can influence stakeholders to consider security issues and benefits.
In addition, Olyaei says boards are more engaged with and aware of cyber issues than ever. Olyaei adds that when he presents to a board, he prepares a 10- to 15-minute presentation to leave room for at least 40 minutes of questions and discussion. In years past, that ratio of presentation to discussion time was reversed. As a result of the increased attention, security leaders need to be prepared to field a variety of questions around strategy, emerging threats, and how security initiatives can empower the business.
All this cross-organizational interfacing takes time, however, and even effective security leaders do not spend as much time as they want on strategic planning and building relationships. According to Gartner’s research, CISOs overinvest an average of 1.5 hours per week on security operations, followed by 1.2 hours on low-level staff management tasks. By contrast, CISOs underinvest two hours per week on stakeholder relationship-building, and they lag even further behind on strategic planning.
To free up security leaders’ time, Olyaei suggests automating repetitive tasks like monitoring for alerts or log reviews to enable entry-level employees to take some tactical tasks off managers’ plates. CISOs can also tap task captains to take charge of certain activities, such as contract management.
“These types of things are not what’s going to create value for the organization, but rather it’s the strategy side—interpersonal relationship building, the political dynamics of the organization,” he adds. “We can’t expect our CISO to really be a chief or a C-level executive if they’re still dealing with vendors and contracts.”