Article
Cloud & Cybersecurity

Gartner: The four myths obscuring cybersecurity’s full value

By Marcus Law
June 07, 2023
undefined mins
Gartner research explores four of the myths faced by Chief Information Security Officers
Gartner research explores four of the myths faced by Chief Information Security Officers
Analysts to discuss how CISOs can maximise security effectiveness at the Gartner Security & Risk Management Summit in September

CISOs must embrace a “Minimum Effective” mindset to maximise cybersecurity’s impact on the business, according to Gartner research which highlights four of the myths obscuring the full value of cybersecurity.

“Many CISOs are burnt out and feel they have little control over their stressors or work-life balance,” said Henrique Teixeira, Senior Director Analyst at Gartner. “Cybersecurity leaders and their teams are putting in the maximum effort, but it’s not having maximum impact.” 

“A Minimum Effective mindset is a deliberate, ROI-driven approach to leading cybersecurity into the future,” added Leigh McMullen, Distinguished VP Analyst at Gartner. “While the idea of ‘minimum’ may seem uncomfortable, it refers to the inputs, not the outcomes. This approach will enable cybersecurity functions to go beyond merely ‘defending the fort’ to unlocking their true potential to create tangible value.”

Myth #1: More data equals better protection

It’s commonly believed that the best way to drive action from executive decision makers on cybersecurity initiatives is through sophisticated data analysis, such as calculating the likelihood of a cyber event occurring. However, as Gartner found, it is not practical to quantify risk in this way. Further, this approach does not deliver shared accountability between cybersecurity and enterprise decision makers necessary for materially reducing business risk. Gartner research has found that just one-third of CISOs report success driving action through cyber risk quantification. 

“Rather than continuing to pursue more data and more analysis, savvy CISOs engage in a Minimum Effective Insight approach,” said Teixeira. “Determine the least amount of information needed to draw a straight line between the enterprise’s cybersecurity funding and the amount of vulnerability that funding addresses.” 

Myth #2: More technology equals better protection

Worldwide spending on information security and risk management products and services is forecast to grow 12.7% to reach US$189.8bn in 2023. Yet even as organisations spend more on cybersecurity tools and technologies, security leaders still feel they are not properly protected. 

“Cybersecurity often gets stuck in a gear acquisition mindset, believing that around the corner there must be something better,” said McMullen. “Instead, CISOs must embrace a Minimum Effective Toolset – the fewest technologies required to observe, defend and respond to exposures. This will enable cybersecurity to own their architecture, reducing the complexity and lack of interoperability that makes it so difficult to generate value from technology investments.” 

Myth #3: More cybersecurity professionals equals better protection

“Demand for cybersecurity talent has outstripped supply to the point that CISOs are unable to catch up,” said McMullen. “Security is a massive bottleneck to digital transformation, and a lot of that is because of a myth that only cybersecurity professionals can do serious cyber work. Democratising cybersecurity expertise, rather than trying to hire out of the talent gap, is the solution.” 

Gartner predicts that by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility, up from 41% in 2022. CISOs can reduce the burden on their teams by helping these business technologists build Minimum Effective Expertise, or cyber judgment. A recent Gartner survey found that business technologists with high cyber judgment are 2.5 times more likely to consider cybersecurity risks when developing analytics or technology capabilities. 

Myth #4: More controls equals better protection

A recent Gartner survey found that 69% of employees have bypassed their organisation’s cybersecurity guidance in the past 12 months, and 74% of employees would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. 

“Cybersecurity organisations are well-aware of the pervasive non-secure behaviour of the workforce, but the typical response of adding more controls is backfiring,” said Teixeira. “Employees report a huge amount of friction involved with secure behaviour, which is driving unsecure behaviour. Controls that are circumvented are worse than no controls at all.”

Minimum Effective Friction rebalances cybersecurity’s assessment of the performance of security controls to prioritise user experience rather than technical functionality alone. Gartner predicts that by 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices to minimise cybersecurity-induced friction and maximise control adoption.

Gartner analysts will present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit, taking place 26-28 September in London.

Share
Share
Author
Marcus Law

Featured Articles

Dell at 40: A Long-Standing Commitment to Digital Innovation

From a university dorm room, to a multinational technology conglomerate, Dell Technologies has always been a brave and bold digital transformation venture

Globant to Drive Formula 1’s Digital Transformation

Globant has announced it has become an official partner of Formula 1, with the deal set to focus on digitising the pit wall and boosting the fan experience

HPE: Businesses Must Tackle Blind Spots in AI Strategies

As businesses rush to embrace AI, HPE research finds many are falling into an overconfidence trap by overlooking critical gaps in their strategies

Google’s Becky Power joins Tech & AI LIVE London

Digital Transformation

Join Belden for a Free Webinar on Connected Plant Floor Data

Digital Transformation

Microsoft Invests $1.7bn in Indonesia's Cloud and AI Future

Cloud & Cybersecurity