Authored by Paul Proctor, Distinguished VP Analyst, Gartner
Often the systemic and cultural issues between IT and non-IT executives, not technical competency or funding, that leave organizations exposed to cybersecurity attacks.
Many business leaders still believe cybersecurity is a problem that can be solved if they invest enough money and hire the right people with the right technical knowledge who will keep them out of the headlines.
These issues present opportunities for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritize security. You can reduce the risk of cyberattacks by addressing these leading causes of failure within your organization.
Businesses make decisions every day that negatively impact their security readiness: for example, refusing to shut down a server for proper patching or choosing to keep working on old hardware and software to save budget. These unreported decisions lead to a false sense of security and increase the likelihood and severity of an incident.
Action: Recognize, report and discuss systemic risk as part of normal security governance.
Non-IT executives still see security as something that is “just there,” like air or water. This means it isn’t considered a part of business decisions. For example, a business leader requesting a new application is unlikely to include “security readiness” as a requirement.
Action: Put cybersecurity into a business context so executives can see the impact of their decisions.
You can’t buy your way out — no matter what you spend, you won’t be perfectly protected against cyberattacks. By trying to stop every risky activity, you will likely damage your organization’s ability to function.
Action: Avoid overinvestment in security that raises operational costs but damages the organization’s ability to achieve business outcomes.
If security officers are treated as (and act as) defenders of the organization, it creates a culture of no. For example, they might block the release of a critical application due to security concerns without considering the business outcomes the application supports.
Action: Position security as the function that balances the need to protect with the need to run the business.
Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage.
Action: Reward those who make decisions that best balance the need to protect with the need to run the business.
Organizations create generic high-level statements about their risk appetite that don’t support good decision making. Avoid promising to only engage in low-risk activities, as this can create invisible systemic risk.
Action: Create mechanisms that allow for the acceptance of risk within defined parameters.
When a headline-grabbing security incident happens, society just wants heads to roll. While this isn’t fair, it’s the result of decades of treating security as a black box. No one understands how it really works and as a result, when an incident does occur, the assumption is that someone must have made a mistake.
However, society is not going to change until organizations and IT departments start treating and talking about security differently.
Action: Be vocal about balancing the need to protect with the need to run the business rather than scapegoating.
Some boards and senior executives simply do not want to hear or acknowledge that security isn’t perfect. Board presentations are filled with good news about the progress that has been made in security, with little or no discussion about gaps and opportunities for improvement. We know of one company that even decided to move security under legal counsel so that discussions are privileged.
Action: To tackle the challenges, IT and non-IT executives must be willing to understand and talk about the realities and limitations of how security works
