Chief information security officers (CISOs) must focus on three areas to harness increased hype and scrutiny and turn disruption into opportunity, according to Gartner.

These three areas are being mission-aligned, innovation-ready and change-agile.

“Organisations are making aggressive technology investments to achieve their goals, especially in leading edge, ‘hyped’ areas like GenAI,” says Katell Thielemann, distinguished vice-president analyst at Gartner. “Leaders aren’t just placing bets on GenAI and other explorative technology; they’re also concerned about the cybersecurity risks associated with them.”

Leigh McMullen, distinguished vice-president analyst and Gartner Fellow, comments: “Cyber incidents associated with explorative technology are now hitting the bottom line, so executives are paying attention to cybersecurity.

“Becoming students of hype can really help CISOs further their own agendas under this scrutiny.”

Thielemann and McMullen outlined three key areas to help anticipate the future needs of CISOs and allow them to meet the demands of today’s complex, fast and unpredictable reality.


Be Mission-Aligned

CISOs must prove that their cybersecurity efforts are aligned to their organisation’s mission by showing transparently how cyber investment decisions and their exposure implications fit together.

“When change ambitions are at their peak, CISOs need to ground people in reality and data,” says Thielemann.

To achieve this, CISOs must start by identifying outcome-driven metrics (ODMs), or metrics that measure the current level of cybersecurity protection and exposure.

“ODMs allow CISOs to communicate transparently and agree on protection levels with the enterprise,” says McMullen. “They are a way to express current exposure levels and drive a conversation with stakeholders about their desired targets, whether it is the board, CEO, CIO or anyone else.”

Once the ODMs are set, CISOs must next explore protection level agreements (PLAs), which can be used to enable mission-aligned transparency. PLAs are a formal agreement on the amount of money the enterprise is willing to spend to deliver a desired level of cybersecurity protection.

“When CISOs communicate in terms of protection levels and buying down exposure levels, they are less likely to get caught up in someone else’s marketing hype,” says McMullen. “This eventually helps CISOs prove that their cybersecurity efforts are aligned to their organisation’s mission.”


Be Innovation-Ready

CISOs should be innovating with AI in cybersecurity, which ultimately will help an organisation’s overall longer-term AI ambitions.

“Cybersecurity should be the place where many enterprises start experimenting and finding real value from AI,” says McMullen.

CISOs should explore three steps to enable their organisation’s longer-term AI ambitions:

  • Cultivate AI literacy for themselves and their teams.
  • Experiment with AI in cybersecurity, from code analysis, to threat hunting and modelling, to user behaviour analysis.
  • Protect AI investments in their organisations by taking actions such as revising data retention policies to cover prompts, inputs and stored outputs; implementing comprehensive risk assessments for custom-built GenAI; and carrying out regulatory compliance audits.


Be Change-Agile

CISOs are uniquely placed to know that AI brings additional security risks, that AI-assisted insider threats will increase and that the attack surface will grow.

“The combination of effects are dizzying, so it pays to be a student of hype when it comes to change,” says Thielemann. “Organisational change is both powered and limited by hype. If CISOs understand how hype flows, they can use its energy to our advantage.”

“One way to harness the hype is by ‘Taking a Distanced View of Close Things’,” adds Thielemann. “As a CISO, you may see 1,000 conflicting initiatives piling up on your desk coming at you from everywhere out of corporate desperation. As a student of hype you can read the change energy and anticipate the ebbs and flows on your teams and business partners.”

In an era where employees are increasingly change-resistant and even fearful of AI, CISOs must be on the lookout for burnout in their teams, whether it is caused by unexpected surprises, a perceived lack of agency or boring, repetitive tasks.

“CISOs must be able to empower their teams to be part of the solution and feel agency,” says McMullen. “If CISOs’ teams feel agency, they will want to focus on automating repetitive tasks and developing new skills to fuel your growth as well as theirs, which in turn will make them resilient agents of change no matter what that change is.”