Skip to main content
close search
site logo

Security disconnect: Why the CISO role is evolving

CISOs are too focused on security operations, writing policies or vendor management. Their time is better spent shaping business strategy.

Published Nov. 22, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Shot of a young businessman experiencing stress during late night at work.
PeopleImages via Getty Images

Non-security business leaders perceive cybersecurity as a technical issue that does not drive business outcomes, said Sam Olyaei, director analyst at Gartner, while speaking during the virtual Gartner Security & Risk Management Summit Thursday. But security discussions are an opportunity for collaboration. 

CISOs tell Gartner they don't trust their business counterparts with making decisions. A finance CISO told the advisory firm, "my board of directors just want to sign off on a piece of paper that says they talked to me." Other CISOs believe their value to the business is only viewed through regulatory compliance. 

"We also know that this is not just a one-sided challenge," Olyaei said.

CISOs are operating under unfortunate status quos, with an "always on" mindset, poor time allocation, misaligned expectations, and difficulty keeping pace with the speed of the business, Gartner found. "These are some of the status quos that we really need to begin to change in order to evolve as leaders," Olyaei said. 

The disconnect between non-technical and security leaders has existed for years. In the last four years, companies have addressed the disconnect, albeit slowly. As CISOs evolve and make their contributions to overall business goals clear, companies will understand the CISO is not a catch-all for all security-related areas. The evolution of the CISO is as empowering for the individual as it is for the business. 

"The challenges of remaining in this cultural disconnect or an environment with cultural disconnect means that you're going to be encouraging some of the status quos," Olyaei said. Misaligned expectations can damage a CISO, especially as blame can fall on security in the event of an incident.

Provided in Gartner feedback, one insurance business unit said as much as they engage with security, "I don't feel like they really understand my business." 

Another multifirm board member told Gartner "we know we should care about cybersecurity, but when the CISO leaves the board meeting, I don't feel like I know anything new. I don't feel it." 

What evolution will do

Miscommunication exists because CISOs are currently over-investing their time and resources, which can hurt the true purpose of the role. CISOs are too focused on security operations, writing policies or vendor management, and less involved in business strategy, where their time is better spent. 

The pandemic has contributed to the evolution of the CISO and security leader. "The executive shift has been it's not about investment, it's not about protection levels, it's not about technology. It's about value, what is the value that you bring," Olyaei said. 

"You need to be the right type of leader for the organization that you work in," he said. If a CISO were to transfer from financial services to manufacturing, "they would really need to act more like a controls manager or risk-decision owner rather than a trusted facilitator or value creator." 

"It is up to the leader to be able to pull out these cards and be able to showcase these profiles," Olyaei said, as they transition from an organization or industry. "We cannot force different profiles of leaders on different types of organizations — this is where we see a lot of issues sort of fire back and come back and haunt people."  

Half of CISOs expect their responsibilities to increase compared to today, Gartner found. And Gartner warns that if a CISO does not embrace changes to their role, their company is more likely to have security incidents. 

"That'll add to the perception that cybersecurity is a roadblock to the organization," and perpetuate the perception security doesn't facilitate agility, Olyaei said. For "stagnant" CISOs in operations, security alerts will become fatiguing — another outcome Gartner has witnessed in "ineffective CISOs."  

Four in 10 CISOs expect their control to expand outside of information security, but existing CISOs face a similar dilemma: being responsible for tasks that don't belong anywhere else, including IT mismanagement, business continuity or privacy. 

"Today, the role of the CIO is becoming sort of more of a title for everything," Olyaei said. 

Nearly one-third of security programs began adding at least two additional roles to help with some of this this year. Digital or technology risk officer, CSO, cybersecurity-proficient board members, and product security officer are among the roles alleviating CISOs of some of their odd-job security responsibilities.

"We think that many organizations already have a variety of cybersecurity roles," Olyaei said. "Continue to evolve based on your organizational needs and cultural requirements." 

Recommended Reading

Filed Under: Leadership & Careers

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Leadership & Careers
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell