Chief information security officers (CISOs) must focus on three areas to harness increased hype and scrutiny and turn disruption into opportunity, according to Gartner. These three areas include being mission-aligned, innovation-ready and change-agile.
“Organizations are making aggressive technology investments to achieve their goals, especially in leading edge, ‘hyped’ areas like GenAI,” said Katell Thielemann, Distinguished VP Analyst at Gartner. “Leaders aren’t just placing bets on GenAI and other explorative technology; they’re also concerned about the cybersecurity risks associated with them.”
“Cyber incidents associated with explorative technology are now hitting the bottom line, so executives are paying attention to cybersecurity,” said Leigh McMullen, Distinguished VP Analyst and Gartner Fellow. “Becoming students of hype can really help CISOs further their own agendas under this scrutiny.”
During the opening keynote of the Gartner Security & Risk Management Summit, Thielemann and McMullen outlined three key areas to help anticipate the future needs of CISOs and allow them to meet the needs of today’s complex, fast and unpredictable reality.
1: Be Mission-Aligned
CISOs must prove that their cybersecurity efforts are aligned to their organization’s mission by showing transparently how cyber investment decisions and their exposure implications fit together.
“When change ambitions are at their peak, CISOs need to ground people in reality and data,” said Thielemann. To achieve this, CISOs must start by identifying outcome-driven metrics (ODMs): metrics that measure the current level of cybersecurity protection and exposure.
“ODMs allow CISOs to communicate transparently and agree on protection levels with the enterprise,” said McMullen. “They are a way to express current exposure levels and drive a conversation with stakeholders about their desired targets, whether it is the board, CEO, CIO or anyone else.”
Once the ODMs are set, CISOs must next explore protection level agreements (PLAs), which enable mission-aligned transparency. A PLA is a formal agreement on the amount of money the enterprise is willing to spend to deliver a desired level of cybersecurity protection.
“When CISOs communicate in terms of protection levels and buying down exposure levels, they are less likely to get caught up in someone else’s marketing hype,” said McMullen. “This eventually helps CISOs prove that their cybersecurity efforts are aligned to their organization’s mission.”
2: Be Innovation-Ready
CISOs should be innovating with AI in cybersecurity, which ultimately will help an organization’s overall longer-term AI ambitions.
“Cybersecurity should be the place where many enterprises start experimenting and finding real value from AI,” said McMullen.
CISOs should explore three steps to enable their organization’s longer-term AI ambitions:
Cultivate AI literacy for themselves and their teams.
Experiment with AI in cybersecurity, from code analysis, to threat hunting and modeling, to user behavior analysis.
Protect AI investments in their organizations by taking actions such as revising data retention policies to protect prompts, input, and output storage; implementing comprehensive risk assessments for custom-built GenAI; and carrying out regulatory compliance audits.
3: Be Change-Agile
CISOs know better than anyone that AI brings new security risks: AI-assisted insider threats will grow and the attack surface will expand.
“The combination of effects are dizzying, so it pays to be a student of hype when it comes to change,” said Thielemann. “Organizational change is both powered and limited by hype. If CISOs understand how hype flows, they can use its energy to their advantage.
“One way to harness the hype is by ‘Taking a Distanced View of Close Things,’” continued Thielemann. “As a CISO, you may see 1,000 conflicting initiatives piling up on your desk, coming at you from everywhere out of corporate desperation. As a student of hype, you can read the change energy and anticipate the ebbs and flows on your teams and business partners.”
In an era where employees are increasingly change resistant and even fearful of AI, CISOs must be on the lookout for burnout among their employees, whether it stems from unexpected surprises, a feeling of having no agency, or boring, repetitive tasks.
“CISOs must be able to empower their teams to be part of the solution and feel agency,” said McMullen. “If CISOs’ teams feel agency, they will want to focus on automating repetitive tasks and developing new skills to fuel your growth as well as theirs, which in turn will make them resilient agents of change no matter what that change is.”