As ecosystems get distributed, cybersecurity leadership will need to transform, Gartner says

Far from only being an IT concern anymore, risk-altering cybersecurity decisions are now being made by people all over a company. Staying safe means security leadership positions need to change. 

Gartner has released a report of recommendations that are pretty big news for cybersecurity leaders: Their jobs, as they exist now, are becoming obsolete.

Not because cybersecurity isn’t a problem anymore — we all know that’s not true — but because the new form that business technology takes is increasingly outside of the existing roles that encompass cybersecurity leadership.

SEE: Top keyboard shortcuts you need to know (free PDF) (TechRepublic)

Risk management leaders now spend time trying to limit third-party vendor risks, employees have the ability to make more decisions that impact cyber risk, and committees that need a security voice aren’t always getting them, Gartner said. “These factors will lead to an environment where the cybersecurity leader will have less direct control over many of the decisions that would fall under their scope today.”

Sam Olyaei, research director at Gartner, says that modern cybersecurity leaders have been forced into an always-on, be-everywhere, do-everything mode in order to keep up, and they’re getting exhausted.

“This is a direct reflection of how elastic the [cybersecurity leader’s role] has become over the past decade due to the growing misalignment of expectations from stakeholders within their organizations,” Olyeai said.

How to transform cybersecurity leadership for the modern age

The digitally-native nature of many modern organizations means that security is a total business risk rather than just a technical one, a fact which Gartner said 88% of boards of directors agree with.

Here’s where a big part of the transformation of cybersecurity leadership comes in: Because decision making that includes cybersecurity risk has moved beyond the IT department, non-IT leadership will start becoming responsible for cybersecurity risk.

“Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026,” the report said. Gartner said that there will be a “shift in formal [cybersecurity] accountability to business leaders who are responsible to the CEO for delivering strategic objectives, such as revenue and customer satisfaction.”

So, what will the CISO role look like in a future where accountability isn’t its bread, butter and looming anxiety?

“The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” said Olyaei.

SEE: Google Workspace vs. Microsoft 365: A side-by-side analysis w/checklist (TechRepublic Premium)

As they become advisors who are less accountable for errors and more about planning strategy, Gartner predicts that CISOs will also become a fundamental part of organizational environmental, social and governance efforts.

“Security and risk management leaders will increasingly have to demonstrate an organizational commitment to reducing the social issues that may arise from cybersecurity incidents,” Gartner said. So, CISOs shouldn’t even expect the accountability element of their jobs to go away — they’re just shifting from bearing responsibility for breaches, to bearing responsibility for their economic and social consequences.