Attendees at the RSA Conference 2024. 

May 08 2024

RSA 2024: CISOs’ Jobs Keep Getting Harder, So They’ll Need to Be More Efficient

Just like CEOs, security leaders must learn to scale more effectively to survive.

The job of the typical CISO continues to grow more complex and challenging, but the most important thing for them to get better at is efficiency of scale. So argued Leigh McMullen, a distinguished vice president and security analyst with Gartner, speaking Tuesday at the RSA Conference 2024 in San Francisco.

“If you think about the core mission of every CEO, they’re all ultimately judged on their ability to scale their enterprise,” McMullen explained. “Unfortunately, in cybersecurity, we’re now being confronted with that same goal.”

The reasons are clear: Businesses are asking far more of their security leaders than ever before at a time when security talent is getting harder to find.

Businesses have gotten so good at digital transformation that there’s almost no such thing as a manual process anymore; everything is digital. Consequently, McMullen said, “there is no part of our enterprise that is not fundamentally digitally vulnerable, which is making our job harder. The way we’re going to make it easier is by scaling differently.”

5 Bold Cybersecurity Predictions 

McMullen delivered Gartner’s top security-related predictions through 2028. Here are five of them:

1. By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10 percent of organizations will have successfully weaponized privacy as a competitive advantage.

“You want a quote?” McMullen asked. “Here’s your quote: By the end of this year, there will be more people covered by a data protection law than will have access to clean drinking water.”

Yet even as governments continue to develop new privacy regulations, Gartner argues that privacy is moving beyond simply a compliance and regulatory activity. Although it continues to be those things, McMullen said, smart organizations will also recognize privacy as a competitive differentiator, working to engage customers on privacy while developing privacy strategies that align with their business objectives. “When you have an ethos around privacy, customers will trust you,” he said. “Apple actually used privacy as a marketing and search keyword for advertisement. They built an entire value chain around it, and we saw their revenues go up by as much as 44 percent in some markets just by focusing on privacy.”

He advised that businesses adopt “strategic forgetting policies,” in which they eliminate stored personal data that they no longer need. The idea of simply deleting data strikes many organizations as unwise, but artificial intelligence changes the stakes: “AI is a bias amplification machine,” McMullen said, “and if you don’t let it forget things, it will carry those biases forever and ever.”

2. By 2025, nearly half of cybersecurity leaders will change jobs, 25 percent for different roles entirely. CISOs are under incredible pressure. “CISOs are being crushed under the weight of an ever-expanding digital business defense mission,” McMullen said. “It’s not just about security anymore. It’s not just about controls. It’s also about enterprise resilience, it’s about privacy, and now we’re being asked to tackle AI.”

Modern CIOs are more business-oriented and less technical than ever, often leaving the CISO as an organization’s leading technologist. Hybrid work is also making it more difficult to disengage.

The keys to combating cybersecurity fatigue and work-related stress, not to mention the human error that can result? Recruitment and retention. “We’ve got to change the rules of engagement,” McMullen said. “We have to figure out a way to retain the people we have and grow the people we already have in our organizations.”

3. By 2026, 70 percent of boards will include one member with cybersecurity expertise. In the past, CISOs have struggled to get their boards of directors to pay attention to cybersecurity or understand it on more than a passing level. That’s changing quickly. Soon, CISOs may have the opposite problem: at least one board member with genuine subject matter expertise — or who thinks they have such expertise.

That’s a good thing, McMullen said, but it means that CISOs must be more mindful of who their board members are. “Then we need to tailor our communication to those folks,” he said. “If you have that board member who thinks they know a lot about cyber but is actually causing you trouble because they think they know more than they do, use that opportunity to make that person smarter. In the process, we make them an ally.”

4. By 2027, 75 percent of employees will acquire, modify or create technology outside IT’s visibility — up from 41 percent in 2022. This growth in shadow IT sounds risky, and it is. But it also suggests more technology savvy and a greater comfort level among workers, which is something even CISOs should celebrate, McMullen said. “If somebody is building technology projects within your enterprise and nothing is blowing up or falling over, somebody’s doing something right, and we should pour gas on that.”

Workers can also be provided with low- and no-code tools, deployed within containers, to let them experiment. “When we stop thinking about trying to stop these folks and start thinking about how to enable them, we can see that we can give them tools that are known to be good and pre-secured,” McMullen said.

5. Through 2027, 50 percent of CISOs will formally adopt human-centric design practices into their cybersecurity programs to minimize operational friction and maximize control adoption. A Gartner survey several years ago found that 77 percent of employees had intentionally violated a security control as a way to simply get their work done. “We live in a world created by Silicon Valley that tries to customize itself to everything we want to be, and then you show up to work and nothing works that way — nothing,” McMullen said. “We have habituated users to the work-around. The work-around is firmly embedded into the technology culture within most organizations, and because of that, people see no difference between working around a security control versus working around how I enter my expenses in Oracle.”

Businesses must do more to get their security teams to focus on the user experience. They need to ask users about any issues or pain points and work to solve usability problems, McMullen said. “A control that is intentionally bypassed is no control at all, because it creates a false sense of security,” he said.

Photo courtesy of RSA Conference
