CISOs Have an Opportunity to Shine as Regulations Enforce Change, Gartner Says


Once a paltry segment of enterprise IT, security has become a crucial factor in the success of an organization. This paradigm shift, driven by growing legions of bad actors and new regulations, has cast the spotlight on IT security leaders like never before. This, Gartner analysts calculate, creates an unprecedented opportunity for CIOs and CISOs to prove their value and – why not? – forge new career paths.

The research group acknowledges that data breaches have become the norm, with the critical ones now making headlines regularly. The 143 million records lost to hackers by Equifax, and Maersk losing an estimated $300 million after getting hit by the infamous WannaCry ransomware contagion, are just two recent examples.

As far as the Equifax incident went, when the magnitude of the breach was assessed, three top executives immediately lost their jobs. The company’s stock plummeted and its image was severely tarnished. The main reason? The organization’s security heads left a known vulnerability unpatched. It was those heads that rolled, followed by the CEO soon after, when Equifax reported the breach publicly.

This rise in data breach incidents is pressuring enterprises to comply with an increasingly complex regulatory environment, Gartner analysts note. This includes the European Union’s General Data Protection Regulation (GDPR), which promises to deal stinging fines left and right for noncompliance.

“Leading organizations are focused on how a compliance program can act as a business enabler,” according to Peter Firstbrook, research vice president at Gartner. “The message SRM [security & risk management] leaders must communicate to CEOs is that data protection has both costs and risk but can also be used as a business differentiator.”

During the research firm’s Security and Risk Management Summit 2018, Firstbrook told the audience that an oft-overlooked impediment to conveying security matters to senior execs is the language barrier.

“Speak the language of the business and don’t lose yourself in technical terms when you deal with the C-suite,” he said.

The analyst sees great opportunity for CIOs and CISOs who can hone this skill in a day and age when security is more tightly regulated than ever, and hackers are building entire business models (e.g. Ransomware as a Service) around the neglect of IT leaders.

“Security and risk management leaders have operated in the shadows for a long time. Now it’s their opportunity to shine,” says Firstbrook. “If they exploit emerging trends and build a strong security program, they can keep their organization safe and significantly elevate their standing.”

A recent study by the Financial Services Information Sharing and Analysis Center (FS-ISAC) revealed that direct communication between the IT security department and the CEO has become imperative, as strong cyber defenses require increasingly rapid decision-making.

And the key upshot from IANS research on the pressure mounting on the shoulders of today’s IT leaders was that CISOs who can deliver “a compelling narrative on how InfoSec powers the business” stand a better chance of advancing their objectives and increasing their budgets. Both studies inadvertently strengthen Firstbrook’s point, despite being released before Gartner’s own report.