The pressures on security leaders have ramped up in recent years, driven by trends like the shift to remote working, the war in Ukraine and the economic instability.
It is therefore vital that CISOs continuously evaluate the way both they and their department operates, seeking to become more efficient with the resources they have in place.
During the Gartner Security & Risk Management Summit in London, Gartner analysts set out a range of strategies for CISOs to boost effectiveness and efficiency.
1. Minimum Effort for Maximum Gain
Security leaders should adopt a “minimum effective mindset” in every aspect of their role according to VP Analysts at Gartner, Christopher Mixter and Jie Zhang.
They noted that CISOs are typically overworked, with Gartner finding that 73% experienced burnout in the past 12 months. Mixter and Zhang emphasized that there are ways to work more efficiently that can reduce the pressure on CISOs, however they also cautioned against some methods that are popular today.
The current emphasis on quantifying cyber risk has been seen many security leaders as necessary to demonstrate return on investment (ROI) to the board. However, the effort that goes into this analysis doesn’t justify the outcomes, according to Mixter and Zhang.
For example, there are no metrics that can accurately predict the likelihood of an attack and its impact. “You don’t need more sophisticated analysis of cyber risk,” commented Zhang.
Instead, CISOs should work out the minimum amount of information required to show cyber risk, highlighting easy to establish outcome-driven metrics in areas like third party risk engagement.
Additionally, Mixter and Zhang said there is a misguided belief in organizations that more security tools will equal better protection, something known as ‘gear acquisition syndrome.’
This often isn’t the case and integrating lots of different tools also causes more work for security teams. “Even with the spending on tools, most organizations still don’t feel protected,” noted Zhang.
As a result, security leaders should “capture the human cost” of bringing in new tools, enabling a cost-benefit analysis when deciding upon such investments.
2. Use the Workforce to Boost Security
Many employees now work in technology roles and their skills can be utilized to boost organizations’ cybersecurity, Mixter and Zhang. This is especially important amid the cyber skills shortage.
Pharma giant Johnson & Johnson uses a citizen development portal to enable tech employees to make cyber-risk-informed decisions autonomously via its citizen development portal, they explained.
This helped technologists to develop minimum effective expertise, commented Mixter.
Tom Scholtz, distinguished VP analyst at Gartner, later outlined that while 82% of data breaches involve the human element, putting in more controls and awareness training is not the answer.
He highlighted Gartner stats showing that 93% of employees who engaged in insecure behaviors were aware that these actions would increase risk to the enterprise, with their main motivations for doing so being speed and functionality.
Therefore, security leaders need to ensure they “reduce friction resulting from the controls we implement.”
3. Be an Executive Influencer
Scholtz said CISOs should recognize that their executive relationship is core to them becoming an effective leader.
He cited research showing that just 12% of CISOs believe they are exceeding C-suite expectations in their role. It is clear security leaders need to get better at executive engagement to ensure there is greater understanding and coordination with business priorities.
Additionally, Gartner research shows that business leaders are keen to invest in new technologies to boost productivity. It is vital that CISOs regularly engage with these business leaders so they understand the risks and implications involved, ensuring security is in mind when making such decisions.
Scholtz also noted that executive buy-in is essential to developing a cybersecurity culture throughout the business. Here, CISOs should regularly talk to management about the importance of culture during conversations about security, rather than speaking directly about it.
4. Reduce Personal Stress Levels
Another area CISOs must focus on is reducing pressures on themselves, stated Scholtz. This includes finding ways to ease day-to-day stress, such as mindfulness exercises and yoga.
Additionally, he advocated pushing the case to the board for a deputy CISO position – someone who can take on the more technical duties while the CISO focuses on leadership. This should be a trusted individual “who can shoulder the challenges” of leadership to deputize when the CISO is on vacation.
Scholtz also advised taking on an outside mentor to allow CISOs to think about the broader career path amid the hectic nature of their everyday job.