To respond to an ever-changing threat landscape, security and risk leaders must move from a defensive to an offensive leadership position, according to analyst firm Gartner, which recommends an approach consisting of three steps.
“This is a time of extraordinarily high visibility for security leadership,” said Tina Nunno, distinguished research vice president and Gartner Fellow. “By embracing an offensive mindset, security leaders have an opportunity to permanently shift their role from a service provider to a coach who provides critical strategy and guidance to support business value creation.”
Nunno identifies three steps for security and risk leaders to shift from a defensive to an offensive leadership approach.
Strengthen Your Personal Leadership Approach
Fifty-seven percent of respondents in a recent Gartner survey said that COVID-19 has resulted in the CIO, CEO and other senior stakeholders becoming better educated on the value of security and risk management. To maintain this momentum, security leaders must identify whether they are acting defensively or offensively and reposition their personal leadership towards the latter.
“CISOs who find themselves frequently apologizing or explaining security incidents are likely taking a defensive stance, which often results in security being siloed into a service provider role,” said Nunno. “Offensive-minded security leaders instead focus on innovation, forward-looking strategy and the role of security in supporting digital transformation, helping cement their position as critical business partners.”
Systematize Offense for the Team
Gartner research showed that top-performing enterprises embrace distributed accountability for digital outcomes. Security and risk leaders can improve outcomes by assigning security responsibilities to stakeholders across the enterprise, including line-of-business leaders, executive leadership and third-party vendors.
“Responsibility for securing the enterprise goes beyond just the security team,” said Nunno. “Transparent, proactive communication across the organization will help security leaders promote distributed accountability and ensure that stakeholders are delivering on necessary outcomes.”
Gartner predicts that by 2024, 60% of CISOs will establish critical partnerships with key market-facing executives in sales, finance and marketing, up from less than 20% today. Such partnerships will be essential for enabling security and risk leadership to systematize approaches to enterprise security across functions.
Coach the Enterprise Through New Digital Risks
Gartner research has found that enterprises are looking to increase their risk appetite into 2022. In this heightened risk environment, an offensive security approach will guide the enterprise through the resulting volatility and digital uncertainties.
“Boards and executives are generally focused on revenue, cost and risk. Security leaders can coach business stakeholders through security-related decisions by framing them around these three areas, helping determine what trade-offs the business is willing to make,” said Nunno.