Whose job is it to manage cybersecurity?

Paul Proctor, Distinguished VP Analyst at Gartner

Paul Proctor, Distinguished VP Analyst at Gartner explains that one should stop pointing at the CIO when it come to manage cybersecurity it should be a shared responsibility especially when every day decisions made by business leaders impact the security of an organization directly

Shared responsibility for cybersecurity and its impacts will come about when CIOs and CISOs equip the business to actively participate in decision making.

The past two years have seen a drastic uptick in major cybersecurity events, from Colonial Pipeline and SolarWinds to the JBS meat production company. Given the high cost and high frequency of cyberbreaches, 88% of boards of directors now acknowledge that cybersecurity is a business risk and not just an IT problem — up from 58% just five years ago.

Yet organizations have not changed the culture of accountability to reflect these updated views. The CIO or CISO still carry primary responsibility for cybersecurity in 85% of organizations that responded to the Gartner View From the Board of Directors Survey 2022.

“CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders,” says Paul. “They are thought of as the ultimate decision maker and authority for protecting the enterprise’s security, but really, business leaders make decisions every day that impact the organization’s security. They should share accountability.”

To facilitate the shift toward a shared responsibility model for cybersecurity, be proactive and work with your board to establish governance models that share responsibility, and with business leaders to create a program of controls that balances protection with business needs. Begin with a short-term exercise of assessing the current state of cybersecurity as a business issue, followed by a longer-term set of actions to define a new shared-accountability governance model.

5 questions to assess the current state of cybersecurity as a business issue
These questions can give you an initial sense of how prepared the business is to share responsibility with IT for cybersecurity:

  1. Can the organization make risk-informed decisions without facilitation from security personnel?
  2. Can IT explain the business value of each security control?
  3. What do the metrics related to the organization’s security controls reflect: the levels of protection (technology perspective) or the operational functions (business perspective)?
  4. What proportion of time on security decision making is spent on fear, uncertainty and doubt compared with business goals?
  5. Is the security program defensible with customers, shareholders and regulators?

Shifting toward shared accountability
With clarity about how ready your organization is to share cybersecurity accountability, you can take steps to involve other business leaders in decisions and trade-offs. For example:

  1. Share cybersecurity decisions. Present the available options related to cybersecurity approaches and investments, and include the risks and costs associated with each. Providing information and involving business leaders in the decision makes them more likely to accept responsibility.
  2. Communicate the optimal balance of risk, value and cost. Help prioritize cybersecurity investments by measuring the amount of value each business unit produces in relation to their readiness to address known risks, as well as the cost of doing so. Create a visual matrix to enable fast, cross-business-unit comparisons.
  3. Use credibility and reputation — not fear — to motivate accountability. Focusing on shared goals will go far in fostering communication and collaboration with business side partners.