The increase in the rate and severity of cyberattacks has highlighted the disconnect between security leaders and the businesses they serve.
To help bridge security gaps across operations, more businesses are looking to decentralize cybersecurity leadership. A decentralized approach allows employees to implement security strategies into everyday operations, which can speed response and hopefully prevent attacks.
The change is “being driven by necessities — the increased sophistication of cybersecurity threats, larger attack surfaces, etc.,” said Ron Westfall, senior analyst and research director at Futurum Research. “I think we do need to see tighter implementation of organization-wide, decentralized cybersecurity policies that are driven by the entire C-suite.”
But this shift does not spell the end of the chief information security officer (CISO) role. The idea is that with cybersecurity leadership spread out, employees can make risk-informed decisions while meeting enterprise needs. The drive for decentralization comes as CFOs and others in the C-suite are also looking at a range of strategies to make sure the IT and cybersecurity investments they are making in their companies are paying off.
Gartner found nearly eight in 10 employees would bypass security policies to reach enterprise goals. Conversely, only one in 10 CISOs trust employees to make informed security decisions independently.
The goal with decentralization “is to be more embedded into the business, as opposed to only having a centralized security group that may be, at times, far removed from individual business lines, especially for larger organizations,” said William Candrick, a director analyst for Gartner.
However, this means that CIOs will be managing cybersecurity employees across business operations, straining the already delicate communication channels.
“I would say that is a cost to pay essentially for better cybersecurity implementation at a localized level,” said Candrick.
One way to mitigate this cost is to implement centers of excellence (CoEs). CoEs provide an outlet for better communication and connectivity for the growing number of cybersecurity employees spread across the business.
Another solution is to improve cyber judgment.
“Our clients take a broad array of approaches to improve cyber judgment,” Candrick said. “This includes turning security policies into self-serve tools, using trust scores to evaluate and improve cyber judgment and embedding cyber risk guidance into existing business workflows.”
Westfall said he suspects that the decentralized approach will pick up momentum as organizations become more familiar with cloud platforms and adopt more “intelligent” policies.
“They can actually meet this challenge and have more peace of mind at the end of the day, even though they’re transitioning away from their more traditional security approaches,” said Westfall.