Cybersecurity Leaders’ Elusive Balance Between Protecting and Enabling the Business

Gartner’s 2022 Drivers of Secure Behavior Survey reveals that 69% of employees bypassed their organization’s cybersecurity guidance in the last 12 months. Further, 74% said that they would be willing to bypass cybersecurity guidance in the future too, if it helped them or their team achieve a business objective (for example, meet an urgent deadline and/or revenue target).[1] This willful disregard of security guidance stems from friction that slows down employees and makes it more inconvenient for them to do their work. Moreover, over 90% of survey respondents who admitted behaving unsecurely indicated that they knew their actions would increase cybersecurity risk levels for the organization and, unfortunately, they did them anyway.

This cybersecurity-induced friction (hereafter referred to as “friction”), or the “unnecessary” effort exerted by employees to do their work due to the presence of cybersecurity measures, not only drains employee productivity but also pushes them to adopt unsecure practices.

It might be convenient and self-serving for cybersecurity teams to think about friction as the “small price” everyone needs to pay to safeguard the organization. But employees often don’t share this view and are willing to circumvent cybersecurity controls if these controls hamper them from doing their work. To drive secure behaviors, CISOs need to move away from thinking about friction as a natural and even desirable consequence of cybersecurity measures (a “necessary evil”) and focus instead on identifying and reducing friction that employees experience.

In this podcast, we explore Gartner research related to cybersecurity leadership, operational models and shifts in approaches, and delivery of value.

Examples include:

Evolving role of a CISO from a technical focus to executive leader (whose primary focus is helping business leaders make informed cyber-risk decisions).

New cybersecurity teams, functions and processes to address the evolving business environment, such as cybersecurity creating more linkages with the business and working toward shared responsibility.

Shifts in cybersecurity policy design and enforcement. There is a shift toward liberalizing the cybersecurity policy toward co-creation with the business as well as making policies less prescriptive and more flexible. This will enable users to have more autonomy for improved execution for security controls.

Evidence

[1] 2022 Gartner Drivers of Secure Behavior Survey. This survey was conducted via an online platform from May through June 2022 among 1,310 employees across functions, levels, industries and geographies. The survey examined the extent to which employees behave securely in their day-to-day work, root causes of unsecure behavior, and the types of support and training they received from their organizations to drive desirable secure behaviors. We used descriptive statistics and regression analysis to determine the key factors that drive or impede employees’ secure behaviors and their development of cyber judgment.
