
CISO Effectiveness – Busting Myths

Cybersecurity efforts are not delivering the impact they should because of misconceptions that have taken hold in recent years

Misconceptions about the quantity of security data, the deployment of additional technologies and the large teams needed to manage them are producing a counter-intuitive situation: in spite of their best efforts, security officers are unable to deliver maximum impact. This was brought out at Gartner’s Security and Risk Management Summit.

In the keynote session, Gartner senior director analyst Henrique Teixeira said several of these misconceptions were hindering the effectiveness of security teams in spite of the best efforts of chief information security officers (CISOs). He also noted that CISOs face the additional challenge of burnout.

“Many CISOs are burnt out and feel they have little control over their stressors or work-life balance,” Teixeira said, according to a report published by SDXCentral. The result, he said, is that CISOs and their teams often put in maximum effort without achieving maximum impact.

Turning to the misconceptions themselves, which span data, technology, controls and people, the Gartner analyst pointed to four key challenges that need to be addressed. These issues, he said, must be discussed in the boardroom and not just within security teams.

More data means better security – a myth

The first myth is the belief that the best way to drive cybersecurity action is to collect more data and analyze it further. Gartner argues that this is neither a practical way to quantify risk nor a way to create shared responsibility between security and enterprise-level decision makers. Gartner cited research suggesting that only a third of CISOs report driving action in this way.

According to Teixeira, instead of pursuing more data and more analysis, CISOs should aim for minimum effective insight: determining the least amount of data required to draw a direct correlation between an enterprise’s cybersecurity funding and the number of vulnerabilities that funding is supposed to address. This can be achieved through outcome-based metrics that link security and risk operational numbers to business outcomes.

Adding more technology doesn’t mean you’re secure

The second misconception is the belief that more technology results in better protection of one’s data. Gartner says global MIS and risk management spending would grow 12.7% to reach $189.8 billion in 2023, but none of this gives security leaders peace of mind, as they continue to perceive cybersecurity gaps in their organizations.

Gartner says that instead of looking for something better around the next corner, CISOs should assemble a minimum effective toolset to observe, defend against and respond to exposures. This way, the security team owns its architecture and reduces the complexity created by a lack of interoperability between different technology solutions. Such an approach also lets CISOs keep operational spending on personnel below the risk-mitigation benefits it delivers.

A bigger team means better security – not really!

A third myth is that large teams ensure higher levels of protection, which according to the Gartner team can never be the case given the huge shortfall in the supply of security professionals. The belief that only cybersecurity professionals can do serious cyber work needs to be dispelled, they added.

In fact, a Gartner study indicated that business technologists with higher cyber judgment were 2.5 times more likely to consider security risks when developing analytics tools or expanding their team’s technical capabilities. The security team’s burden can be reduced by encouraging those who acquire and modify technology to develop a minimum effective expertise in cybersecurity.

More controls don’t result in better security

Last but not least, there is the myth that more controls result in better protection. Teixeira says this has backfired in the past when more controls were added to curb insecure behavior among employees: besides generating additional friction that itself drove insecure behavior, such controls were often worse than having none.

Gartner’s surveys bear this out: 69% of respondents said they had bypassed security guidelines at work in the past year, and another 74% said they would be willing to do so if it helped them achieve a business objective. This is where minimum effective friction becomes critical, says Teixeira.

The human edge to cybersecurity is the future

The Gartner analysts said at least half of all CISOs are likely to adopt human-centric designs for their security programs within the next three to four years in order to minimize operational friction and maximize control adoption. 

They felt that this approach prioritizes the individual’s needs over those of technology. The analysts cited other research suggesting that more than 90% of employees admitted they would voluntarily engage in insecure actions despite being aware of the risks. In other words, it is about humanizing the and working with machines to make it happen.

It looks like the CISO would be among the first to appreciate and accept Industry 5.0.
