Digital transformation is here. According to the 2019 Gartner CEO Survey, 82% of CEOs have digital transformation programs in flight, a 20% jump from 2018. Value propositions, operations, customer strategies, and business capabilities are being upended by digitization. Consequently, information risk decisions are no longer made solely by IT professionals. Instead, decision rights for information risk are being distributed throughout the enterprise.
To adapt to this new, sprawling base of decision makers across the enterprise, information security functions must focus on building cyber judgment: the ability to independently make informed risk decisions.
Organizations are clamoring for digital skills and, increasingly, this digital talent is hired outside of traditional IT functions. Gartner’s TalentNeuron research shows that job postings outside IT referencing artificial intelligence (AI), data science, or robotic process automation (RPA) have all increased 70% or more over the past five years. As a result, more than 40% of information risk decisions are now made outside IT.
Digital transformation not only pushes more risk decisions outside IT, but also drives the volume of risk decisions beyond information security’s capacity to facilitate. Gartner research shows that 73% of organizations are adopting, or plan to adopt, Agile or DevOps methodologies. Coupled with 93% of project managers feeling pressure to speed delivery, it is easy to see why traditional security decision stage gates are crumbling.
Building cyber judgment
To ensure quality risk decision making in a scalable way, progressive information security teams are building cyber judgment in their enterprises. Cyber judgment targets risk decisions that have multiple tradeoffs and no single, obvious answer: for example, a digital operations app developer choosing how to implement RPA for a customer service initiative, or a business partner choosing a SaaS provider. The information security function cannot feasibly be directly involved in all decisions of this nature. Rather than directly facilitating decisions, as in the traditional approach, information security should enable employees to move at the speed of the business without losing sight of the relevant risk implications. By instilling cyber judgment, information security can shift resources to higher-impact security activities.
While the benefits of cyber judgment make the choice seem easy, most security and risk management leaders are not eager to transfer further decision rights to those with whom they have not traditionally worked. Gartner research shows that only 12% of chief information security officers (CISOs) are confident that decision makers have good cyber judgment; the rest are either not confident (60%) or unsure (28%). Embracing distributed decision making requires a fundamental change in the mindset of security and risk management leaders. Most believe it is their teams’ responsibility to identify and assess risk, interpret policy, and facilitate all but the lowest-ranked risk decisions. These leaders must build both trust in, and the competence of, decision makers within their organization.
Approaches to building cyber judgment
- Assign trust scores. An insurance company Gartner spoke to formally defines trust scores for groups of decision makers across the enterprise. These scores are based on both the maturity of the controls a group implements and the quality of its interactions with information security. Using this method, security and risk management leaders can confidently reduce information security’s direct presence among groups that score highly.
- Create local risk decision governance. One manufacturing company we engaged with strives to govern information risk decisions locally. It preserves local business context by formally transferring decision rights to local councils, composed of full representation across a given organizational unit. These local councils are trained and continuously supported by the information security function, but operate without direct oversight unless intervention is triggered by local council “health metrics”.
- Employ experiential learning. Instead of educating decision makers through classroom-based methods, one non-profit does so through experiential learning -- where decision makers learn by doing. Bite-size lessons on effective risk management are embedded in decision makers’ workflows, like project risk assessment, which enhances retention.
- Make policy usable for decision makers. Most information security policies are written as reference material for information security staff. To shift policy from internal reference material to functional tools for informed information risk decision making, one R&D company we learned from revisits their policies based on real-time user feedback, promptly addressing concerns about usability and applicability. Meanwhile, an aerospace & defense company structures their policy stack based on user role, creating a one-stop shop for decision makers attempting to access relevant policies.
Information risk decision making is no longer conducted only by IT professionals or formally defined risk owners. Rather, information risk decisions are now made in all areas and levels of the enterprise. Security and risk management leaders traditionally employ direct facilitation and automation to support decision makers, but these tactics fall short. Information security staff cannot be everywhere decisions are made, and not every risk decision can be automated. Information security needs a new approach. That approach is cyber judgment.
Daria Kirilenko is a director of the Information Risk Research Team at Gartner Inc.
Lucas Kobat is a research specialist in the Security and Risk Management group at Gartner Inc.