Gartner 2022 security trend #4: Distributing decisions

Welcome to the fourth in our ongoing series of articles about the seven key trends identified in Gartner’s report “Top Trends in Cybersecurity 2022,” released to its clients in March. Today we discuss the fourth trend: distributing decisions.

This trend fits squarely into the overarching theme of Gartner’s report: The ways in which the role and function of the CISO is undergoing fundamental change — and the need for organizations to embrace this change if they hope to effectively manage cyber risk going forward.

The traditional role of CISO

It may sound odd to talk about the “traditional” role of an executive title that first came into existence around 1994 or 1995 (when Citicorp appointed Steve Katz to the position — for you business historians out there). But in that relatively short time, the CISO’s role has already undergone a number of evolutionary changes in response to changing business and technological conditions.

Nonetheless, throughout its existence, the CISO has almost universally been regarded as a subject-matter expert in a specialized subset of IT. As such, the CISO has almost always reported to the CIO.

Beyond drawing on a comprehensive understanding of the cyberthreat landscape to establish company-wide cybersecurity policies and practices, the CISO’s responsibilities have traditionally included championing cybersecurity as one interest competing with others: negotiating with leaders in development, operations, product management and elsewhere to strike the right balance between cybersecurity and the organization’s other, competing interests.

Shifting ground

According to Gartner’s analysis, “By 2025, a single, centralized cybersecurity function will not be agile enough to meet the needs of a digital organization.”

This is partly due to the exposure of new attack vectors such as digital supply chains, increasing threats, new and updated regulatory requirements, and evolving, cross-functional business processes. In addition, the expansion of the digital workspace means that stakeholders across the organization have a growing need for more frequent security decisions and policies, which the centralized CISO function is increasingly unable to fulfill.

In order to deliver security decisions with the speed and agility required, and within digital organizations of increasing scale and complexity, the decision-making function needs to be shifted to individual business units.

From IT to risk management

Gartner foresees a trending reconceptualization of the role of the CISO from specialized IT expert to specialized executive risk manager — reporting to the CEO rather than the CIO and supporting a broadly distributed decision-making function with information, tools, and policies.

To embrace this trend, CISOs should strive to work with other stakeholders to:

  • Make fewer risk decisions, while empowering others throughout the enterprise to make their own decisions
  • Invest in self-serve and educational tools that teach decision-makers throughout the company to employ better judgment regarding cybersecurity
  • Define clearly the responsibilities of the “office of the CISO” as opposed to those of the CISO him/herself
  • Educate and empower the Board of Directors, CEO, and other business leaders to make cyber risk decisions
  • Work to build a company-wide culture of considering cyber risk and making cyber risk decisions as part of every business operation and process
