CISOs must embrace a minimum effective mindset to maximise cybersecurity’s impact for the business, according to Gartner.

Gartner identifies four myths that prevent cybersecurity from delivering its full value to the enterprise and that inhibit security programme effectiveness.
Henrique Teixeira, senior director analyst at Gartner, said many CISOs are burnt out and feel they have little control over their stressors or work-life balance.
He said, “Cybersecurity leaders and their teams are putting in the maximum effort, but it’s not having maximum impact.”
Leigh McMullen, distinguished VP analyst at Gartner, said a minimum effective mindset is a deliberate, ROI-driven approach to leading cybersecurity into the future.
He said, “While the idea of ‘minimum’ may seem uncomfortable, it refers to the inputs, not the outcomes. This approach will enable cybersecurity functions to go beyond merely ‘defending the fort’ to unlocking their true potential to create tangible value.”
Gartner busts four myths surrounding cybersecurity implementation. The first is that more data equals better protection.
Analysts at Gartner said it is not practical to quantify risk simply by collecting and analysing ever more data.
Further, this approach does not deliver the shared accountability between cybersecurity and enterprise decision-makers necessary for materially reducing business risk. Gartner research has found that just one-third of CISOs report success driving action through cyber risk quantification.
Teixeira said that, rather than continuing to pursue more data and more analysis, savvy CISOs adopt a minimum effective insight approach.
“Determine the least amount of information needed to draw a straight line between the enterprise’s cybersecurity funding and the amount of vulnerability that funding addresses,” he added.
Gartner recommended that CISOs use an outcome-driven metrics (ODM) approach to put minimum effective insight into practice.
ODMs link security and risk operational metrics to the business outcomes they support by explaining the levels of protection currently in place and the alternative protection levels available based on spend.
The second myth is that more technology equals better protection. Gartner pointed out that even as organisations spend more on cybersecurity tools and technologies, security leaders still feel they are not properly protected.
McMullen explained that cybersecurity often gets stuck in a gear acquisition mindset, believing that around the corner there must be something better.
“Instead, CISOs must embrace a minimum effective toolset – the fewest technologies required to observe, defend and respond to exposures,” he said.
“This will enable cybersecurity to own their architecture, reducing the complexity and lack of interoperability that makes it so difficult to generate value from technology investments.”
Gartner explained that organisations can begin the journey to a minimum effective toolset by taking a human-cost view: the overhead placed on the cyber professionals who manage each tool should stay below the benefit that tool delivers in mitigating risk.
The third myth is that more cybersecurity professionals equal better protection. McMullen said demand for cybersecurity talent has outstripped supply to the point that CISOs are unable to catch up.
McMullen said, “Security is a massive bottleneck to digital transformation, and a lot of that is because of a myth that only cybersecurity professionals can do serious cyber work. Democratising cybersecurity expertise, rather than trying to hire out of the talent gap, is the solution.”
The final myth is that more controls equal better protection. It is less true than CISOs think: a Gartner survey found that 74 percent of employees would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.
Teixeira said cybersecurity organisations are well aware of the pervasive non-secure behaviour of the workforce, but the typical response of adding more controls is backfiring.
“Employees report a huge amount of friction involved with secure behaviour, which is driving unsecure behaviour. Controls that are circumvented are worse than no controls at all,” he said.