
Cyber Judgment: A New Path Forward for Decision Makers

 
Information security staff cannot be everywhere decisions are made, and not every risk decision can be automated.

Digital transformation is here. According to the 2019 Gartner CEO Survey, 82% of CEOs have digital transformation programs in flight, a 20% jump from 2018. Value propositions, operations, customer strategies, and business capabilities are being upended. To adapt to this new, sprawling base of decision makers across the enterprise, information security functions must focus on building cyber judgment: the ability of employees outside the security function to independently make informed risk decisions.

Image: Olivier Le Moal - stock.adobe.com

Organizations are clamoring for digital skills, and increasingly this digital talent is hired outside of traditional IT functions. Gartner's TalentNeuron research shows that job postings outside IT referencing artificial intelligence (AI), data science, or robotic process automation (RPA) have all increased 70% or more over the past five years. As a result, more than 40% of information risk decisions are now made outside IT.

Digital transformation not only pushes more risk decisions outside IT, but also drives the volume of risk decisions beyond information security’s capacity to facilitate. Gartner research shows that 73% of organizations are adopting, or plan to adopt, Agile or DevOps methodologies. Coupled with 93% of project managers feeling pressure to speed delivery, it is easy to see why traditional security decision stage gates are crumbling.

Building cyber judgment

To ensure quality risk decision making in a scalable way, progressive information security teams are building cyber judgment in their enterprises. Cyber judgment targets risk decisions that have multiple tradeoffs and no single, obvious answer: for example, a digital operations app developer choosing how to implement RPA for a customer service initiative, or a business partner choosing a SaaS provider. The information security function cannot feasibly be directly involved in all decisions of this nature. Rather than directly facilitating each decision, as the traditional approach does, security should enable employees to move at the speed of the business without losing sight of the relevant risk implications. By instilling cyber judgment, information security can shift its own resources to higher-impact security activities.

While the benefits of cyber judgment make the choice seem easy, most security and risk management leaders are not eager to transfer further decision rights to people with whom they have not traditionally worked. Gartner research shows that only 12% of chief information security officers (CISOs) are confident that decision makers have good cyber judgment; the rest are either not confident (60%) or unsure (28%). Embracing distributed decision making requires a fundamental change in the mindset of security and risk management leaders. Most believe it is their teams' responsibility to identify and assess risk, interpret policy, and facilitate all but the lowest-ranked risk decisions. These leaders must instead build both trust in, and the competence of, decision makers within their organization.

Approaches to building cyber judgment

  1. Assign trust scores. An insurance company Gartner spoke to formally defines trust scores for groups of decision makers across the enterprise. These scores are based on both the maturity of the controls a group has implemented and the quality of the group's interactions with information security. Using this method, security and risk management leaders can confidently reduce information security's direct presence among groups that score highly, while keeping closer involvement with groups that score poorly.
  2. Create local risk decision governance. One manufacturing company we engaged with strives to govern information risk decisions locally. They preserve local business context. Information risk decision making is no longer conducted only

    Daria Kirilenko is a director of the Information Risk Research Team at Gartner Inc.

    Lucas Kobat is a research specialist in the Security and Risk Management group at Gartner Inc.
