Gartner Identifies Four Myths Obscuring Cybersecurity’s Full Value
Common myths about the value of cybersecurity at the enterprise level are inhibiting security program effectiveness, according to Gartner, Inc.

“Many CISOs are burnt out and feel they have little control over their stressors or work-life balance,” said Henrique Teixeira, Senior Director Analyst at Gartner. “Cybersecurity leaders and their teams are putting in the maximum effort, but it’s not having maximum impact.”

To combat this, Gartner suggests adopting a “minimum effective” mindset. “A Minimum Effective mindset is a deliberate, ROI-driven approach to leading cybersecurity into the future,” added Leigh McMullen, Distinguished VP Analyst at Gartner. “While the idea of ‘minimum’ may seem uncomfortable, it refers to the inputs, not the outcomes. This approach will enable cybersecurity functions to go beyond merely ‘defending the fort’ to unlocking their true potential to create tangible value.”

In the opening keynote of the Gartner Security & Risk Management Summit, Teixeira and McMullen debunked four common security myths and explained how security leaders can create new value across business engagement, technology and talent. They are:
Myth #1: More Data Equals Better Protection
“It’s commonly believed that the best way to drive action from executive decision makers on cybersecurity initiatives is through sophisticated data analysis, such as calculating the likelihood of a cyber event occurring. This approach does not deliver shared accountability between cybersecurity and enterprise decision makers necessary for materially reducing business risk. Gartner research has found that just one-third of CISOs report success driving action through cyber risk quantification. CISOs should use an outcome-driven metrics (ODM) approach to action Minimum Effective Insight. ODMs link security and risk operational metrics to the business outcomes they support by explaining the levels of protection currently in place and the alternative protection levels available based on spend.”
Myth #2: More Technology Equals Better Protection
“Worldwide spending on information security and risk management products and services is forecast to grow 12.7% to reach $189.8 billion in 2023. Yet even as organizations spend more on cybersecurity tools and technologies, security leaders still feel they are not properly protected. Organizations can begin the journey to a Minimum Effective Toolset by taking a human-cost view, keeping the overhead on cyber professionals managing cybersecurity tools lower than the benefit of the tool in mitigating risks. In parallel, take an architectural view to measure whether any given tool is additive to, or subtractive of, the ability to protect the enterprise.”
Myth #3: More Cybersecurity Professionals Equals Better Protection
“Gartner predicts that by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility, up from 41% in 2022. CISOs can reduce the burden on their teams by helping these business technologists build Minimum Effective Expertise, or cyber judgment. A recent Gartner survey found that business technologists with high cyber judgment are 2.5 times more likely to consider cybersecurity risks when developing analytics or technology capabilities.”
Myth #4: More Controls Equals Better Protection
“A recent Gartner survey found that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months, and 74% of employees would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. ‘Cybersecurity organizations are well-aware of the pervasive non-secure behavior of the workforce, but the typical response of adding more controls is backfiring,’ said Henrique Teixeira, Senior Director Analyst at Gartner. ‘Employees report a huge amount of friction involved with secure behavior, which is driving unsecure behavior. Controls that are circumvented are worse than no controls at all.’”