June 22, 2022
It’s common for most CISOs to lead off a security conversation by comparing what other companies in the industry are spending on cybersecurity and simply matching that. After all, regardless of the results, the CISO can always tell the board of directors they’re following industry guidelines around security budgets. The problem is security outcomes are bad regardless of budgets. It’s not what you spend. It’s the results you get that matter.
This shift from spending to outcomes was a constant theme at Gartner’s Security & Risk Summit, finally back in person in National Harbor, Washington DC. The event highlighted some major trends for security and risk leaders, including the loss of control and boards demanding value from their security investments.
Despite years of reigning in users with draconian policies and getting creative to scale teams, CISOs face three major challenges to their effectiveness. The first is the acceleration of citizen computing. If you haven’t noticed, the pandemic forced many workers into roles as their own IT and security teams, to the point where 20% of workers consider themselves technology experts. Experts don’t need meddling from pesky CISOs trying to manage risk, making reining in these users all but impossible. They’re going to do what they want, even if that means clicking on a suspicious link or giving out a few passwords.
Next up is the number of third parties in use. From conversations with Cribl customers, the average corporate security team interacts with two dozen third parties and suppliers. Continuously monitoring these entities is a full-time job for multiple people, which is why only 17% of CISOs claim to do it in real-time. There’s too much complexity and too much data, leaving them little choice but to forgo monitoring entirely. A number of people stopped by the Cribl booth after learning how their peers use Cribl Stream to manage security data for compliance and software supply chain oversight.
Lastly, everyone wants to tell security and risk leaders how to do their jobs. Half of CISOs must cope with unrealistic expectations after board members read one too many articles on preventing ransomware attacks or managing effective patching strategies. The apparent simplicity in preventing attacks makes CISOs look ineffective when a breach does occur, eroding trust in security and risk management programs.
A frequent statistic repeated at the event is that 88% of boards consider security a business risk rather than a technology risk. They’re getting serious about it: one in ten organizations are creating board-level security committees. Companies are also increasing educational efforts on the importance of security.
This sudden interest in security isn’t holistic. Boards didn’t wake up one day with the realization of, “Gee, all that data we use for product development, marketing, and customer intimacy might be a risk.” The federal government is responding to the rapid rise in breaches with new policies and directives. The SEC has proposed new rules around disclosing security breaches, as well as accounting for the security expertise of board members and risk strategies.
The event highlighted the changing nature of the CISO’s role, including bringing customers to the forefront of security efforts, engaging and building relationships with business and marketing leaders, as well as building a range of competencies instead of focusing on skills.
To be successful, CISOs must:
While no single technology can deliver a successful security and risk program, each of these topics was conversations we had with prospects and customers at the Gartner Summit. Dealing with security data volumes, connecting disparate systems, and ensuring compliance is fundamental to successful outcomes.
It was common at the Gartner Summit to hear, “I’d never heard of you guys, but my buddy over at XYZ said I had to come talk to you.” Every conversation driver was related to the outcomes we deliver for our customers across security and risk teams. If you want to learn more about how we help security teams, check out our solution brief.