Are you hungry for more risk in your supply chain? Given that 89% of participants in a Gartner survey experienced a supplier risk event in the past five years, your answer is probably “No.” But think about this: all innovation comes with risks attached. No risk-taking means no innovation, which means loss of market share as your competitors continue to improve through innovation and risk-taking.
The answer to the question is rarely a strict “No” nor an enthusiastic “Yes.” A more effective response is “Let’s take a look at our risk appetite statement and evaluate.”
“Risk appetite is not a new concept, but it’s still widely underutilized,” says Koray Köse, Senior Director Analyst at Gartner. “It details to what extent risks should be taken to achieve strategic and operational goals, sustain competitiveness and increase agility. In times of uncertainty where tariffs and other geopolitical developments can have huge negative impacts on supply chains, a risk appetite statement that is accepted and valued by all stakeholders is more important than ever.”
Chief procurement officers (CPOs) are the first line of defense when a disruption occurs. It is their responsibility to minimize time to recover and the business value at risk and maximize the time the company can survive with the disruption in place. Therefore, CPOs should be responsible for creating a risk appetite statement for the supply chain.
Engage and assess
The first step is to identify and engage with relevant stakeholders in the business units. It’s important to know their goals and core capabilities as well as their dependencies, interdependencies and possible complexities in market regulations.
With this information in mind, the CPO can align procurement and business initiatives and emphasize those that drive the most positive impact to business goals. This is the time to watch for and eliminate discrepancies in risk preferences. For example, there might be an advanced sourcing initiative to drive new product development in high-velocity markets, but it’s slowed down by overly rigid processes in new vendor integration.
Once everyone is on board, build the risk appetite statement while constantly communicating with the stakeholders. Communication with the business units and other senior leaders and functions, such as finance, legal and strategy, needs to be open and frequent. It’s a checkpoint for buy-in and alignment on any economic or political changes as well as compliance to existing governance or regulatory requirements. This process will also ensure the necessary endorsement and ratification.
CPOs might also be able to take advantage of a risk monitoring committee, which exists in most organizations. Traditionally, the committee has a reactive role — it monitors and guides responses to risk events after they occur. However, CPOs can use the risk appetite statement to help the committee evolve into an effective and efficient oversight tool that assesses current and emerging risks based on the risk appetite defined in the statement and become a true catalyst for a risk-reward decision-based culture.
Whether your risk appetite is high or low, technology will usually help to improve risk management. “New risks emerge with increased complexity, impact and velocity,” Köse says. “Most leading organizations tackle this challenge with automated risk assessment and monitoring. Speed, accuracy and awareness are crucial.”
Decision makers increasingly rely on such tools to spot relevant correlations for scenario planning and prediction, and to provide transparency. However, there is no one-size-fits-all solution. Work closely with your finance and IT departments to secure the budget and ensure proper implementation.
Long gone are the days when finance just reported numbers. Finance increasingly provides operational or enterprisewide decision support in addition to meeting its critical responsibilities in governance and oversight. How do chief financial officers (CFOs) determine the optimal structure to fulfill the dual demands of judgment- and rule-based activities?
“Regardless of the size of the organization, CFOs should base decisions on finance function design on a few key principles,” says Craig Risberg, VP, Advisory, Gartner. “The first step is to settle the issue of centralization.”
The ongoing standardization and automation of processes and transactions lends itself to centralization, but a range of options across the centralization spectrum serve different objectives. Gartner research found that, on average, finance leaders place two-thirds of their staff at the corporate center and 10-15% in shared locations, though as companies grow in size, complexity and finance functional maturity, the distribution of finance activities across locations shifts as well.
As companies grow and their clients and operations spread out geographically and are served by more complex business structures, they tend to place a higher percentage of finance staff in business units. When centralization isn’t appropriate, finance leaders must consider which service delivery model will best support their business. Some might choose to migrate to shared services or a center of excellence (CoE); others might sharply divide responsibilities between corporate and embedded finance teams.
Ultimately, the “best” model for a given organization is one that balances finance’s competing governance and guidance responsibilities given the available human and financial resources.
Consider the finance middle office, which owns the bulk of core accounting work. Gartner research found that two activity attributes, impact and complexity, are the most important in identifying which location best balances risk and efficiency.
This framework helps finance leaders establish the base paradigm for activity location: middle-office activities of low complexity should be moved into shared locations unless there is a well-documented reason for an exception; even activities of medium complexity but broad impact should be considered for a shared location; activities of high complexity should be owned either by the corporate center or addressed jointly by the center and regional or BU teams.
“While there isn’t a one-size-fits-all approach, this model provides a framework for considering where specific activities should fit within the finance department,” says Risberg.
For front-office activities, Gartner finds organizations implementing a variety of new models to improve the quality and impact of finance analytics. One global telecommunications company adopted a “hub-and-spoke” model in which a centralized CoE (hub) owns some of its more strategic analytics and is linked to “spokes” embedded in the business. In this model, the hub executes multivariate tests recommended by the spokes to produce constructive insights such as profitable-growth targets, customer and product profitability models, and strategic pricing information.
This model exemplifies how CFOs can create structures that meet their own company’s needs. In this case, the independence of the pure data analysts is protected in the hub, while the needs of the business are channelled through the spokes.
After setting the degree of centralization, CFOs can go on to redesign other key aspects of the finance functional organization:
Assess current finance structure. Understand the organization’s spend, staffing, structure, technology, productivity and performance now and anticipate future business needs.
Determine an outsourcing strategy. Select activities to outsource and the location for outsourcing.
Structure finance subfunctions. Make sure the structure is based on functional priorities, and clearly define each subfunction’s scope of activities to avoid duplication.
Establish reporting relationships. Choose the right reporting structure for embedded finance teams and optimize the span of controls. Use role definitions, incentives and performance measures — instead of just redrawing reporting lines — to drive the desired behavior.
This article has been updated from the original, published on March 19, 2018, to reflect new events, conditions or research.
CIOs wanting a master class in situational leadership should look no further than the character of Obi-Wan Kenobi in the movie Star Wars: A New Hope. With Luke Skywalker, Obi-Wan acts as the mentor; with the stormtroopers, the harmless old man; and with Darth Vader, the Jedi Master. Obi-Wan adapts because each situation calls for a different mix of persuasion, engagement or force.
The same is true for leaders of digital transformation: Success depends on the ability to adjust your leadership style to suit the digital business initiative and the mix of personalities that make up your digital workforce.
“To be a digital leader, CIOs must abandon the traditional concept of a single, fixed leadership attitude in favor of a flexible, responsive approach that takes into account the nature of the work required, the state of the team doing the work and the role that the leader plays in shaping team performance,” says Suzanne Adnams, VP Analyst, Gartner.
Adapting your leadership to the situation starts by first understanding the leadership models available to you. Gartner recognizes five leadership “styles” CIOs can adopt depending on the desired outcome of the digital project and the makeup of the digital team.
Define the goals of a project and provide initial guidance on the approach a team should take. Once the effort is underway, however, the commander leaves execution of the project and day-to-day decisions to the team. This approach works best for exploratory projects run by teams composed of experienced digital professionals accustomed to self-direction.
Provide a framework for what needs to get done and offer inspiration, creative support and brainstorming opportunities to the team. Rewards go to those members with the most innovative ideas and who take creative risks. The catalyst type works best for entrepreneurial or innovative teams working on new digital product designs.
Provide day-to-day direction to monitor team progress on digital projects and validate outputs at each stage. Coaches give individual team members advice on ways to improve. Likewise, they set individual and team performance goals. The coach type works best with midcareer professionals focused on converting new designs into deployable digital products.
Take an operational role within the team to serve as an ever-present in-team resource and to model practices the team should adopt. This approach works best with inexperienced teams working on scaling or operationalizing an existing, small-scale digital initiative.
Have vast experience with digital projects in a range of contexts. Their approach is to offer guidance, advice and context at various stages of the project, but leave the decision making to the team members. Consultants are particularly effective for midcareer professionals with solid technical skills working on efforts to improve and revise existing digital initiatives.
To become more adaptive, first review the leadership styles described to see which one best captures the approach that comes most naturally to you. Seek feedback from employees to validate your self-assessment. Then, look at the other approaches to identify the skills and instincts you need to develop.
In the 2019 Gartner Strategy Agenda Poll, 60% of corporate strategists cite slow strategy execution as their biggest challenge for 2019. Companies can remove a major roadblock by making strategic planning at the functional level more effective — and focused squarely on driving enterprise goals.
“Sales leaders need a strategic mindset or the planning process will get hijacked by short-termism,” says Cristina Gomez, Managing Vice President, Gartner. “But when executed effectively, strategic planning can be the most valuable exercise the sales organization undertakes each year.”
At the functional level, it can be especially difficult to compile, articulate and communicate a plan that is driven by and supports enterprise strategic goals. To design an effective strategic plan, functional leaders need to take a comprehensive yet step-by-step approach.
Lay the groundwork for the strategic planning process by ensuring that all participants understand their respective responsibilities, process timelines and expected outcomes. This foundation should include a firm understanding of business goals and the sales capabilities required to support them. To make the most of this phase, sales leaders should:
Quantify and validate the achievability of goals. Goals should be outcome-based, measurable, aligned with business goals, and balanced between demanding and achievable.
Engage other business leaders through meaningful dialogue. Involve others throughout the planning process to develop a solid understanding of their short- and long-term priorities and support needs.
Simplify the plan into a concise story to engage stakeholders. To create a sense of urgency and consensus, highlight the link between organizational and sales goals, explain the cost of inaction and provide the rationale behind the strategy.
Eliminate unnecessary activities and legacy behaviors. Help employees prioritize activities and behaviors that support the new strategy and imperatives.
Phase 2: Build
During the build phase, sales leaders should define:
The sales function’s goals and objectives. Set goals and objectives that are clear, realistic, outcome-oriented, and informed by business priorities and external trends. Make sure that all stakeholders keep a strategic mindset around determining the resources needed to execute the function’s plan, and share a clear and common understanding of the relative cost, risk, time and benefits of potential cost optimization initiatives.
Metrics and targets to measure performance. Identify lagging and leading metrics that can help measure success against goals and objectives; settle on a concise set of metrics; and define thresholds and targets for each.
Prioritized strategic initiatives to address sales objectives. Direct your sales team to identify initiatives that plug capability gaps, meet sales objectives and move the selected metrics. Prioritize active initiatives and new proposals on criteria such as strategic fit and execution capability, and assign clear ownership for each.
As the strategic plan is finalized, sales leaders will need to communicate it to sales employees and the organization’s leadership. To ensure success, leaders must develop a concise and clearly articulated summary that reflects the business goals and initiatives. To earn crucial buy-in and commitment from leadership, communications should share the rationale for their strategy. Lastly, ensure that strategic plans across sales areas are reconciled and aligned.
Phase 3: Monitor
Planning, building and communicating is not enough. Sales leaders must actively measure progress toward objectives and adapt the function’s strategy as business conditions change. To make the most of the strategic plan:
Build flexibility to allow for an acceptable level of risk-taking or experimentation.
Develop clear course-correction triggers to reallocate resources when needed.
Create decision factors, well in advance, that will guide project discontinuation decisions so that underperforming projects are quickly terminated.
This article has been updated from the original, published on September 12, 2018, to reflect new events, conditions or research.
Determining the benefits of artificial intelligence (AI) projects is difficult and confusing, but increasingly important. Gartner predicts that by 2024, 50% of AI investments will be quantified and linked to specific key performance indicators (KPIs) to measure return on investment.
Organizations often ask about the benefits they can expect from deploying AI to begin with, so Gartner collected over 100 use-case examples of AI deployments from nearly 40 vertical industries during the past 18 months to sift out the top-cited benefits. Success in AI depends on considering both its tangible and intangible benefits and determining how to meaningfully quantify them.
While AI investments that reduce risk are clearly valuable, they are hard to quantify. When defining benefits, leaders should ensure a clear link between each benefit and the relevant business KPIs. A critical element in understanding benefits is defining how they will be measured. To do so, Gartner recommends that KPIs be defined before the AI project is deployed (as a baseline) and again after project completion to determine the resulting benefit compared to the baseline.
Identify the sources and types of benefits for each AI project, and for each benefit choose the most suitable method of measuring success, noting that many projects have multiple benefits. This enables more effective project prioritization and justification.
New applications of artificial intelligence (AI) are emerging at a very fast pace, particularly in the healthcare industry. The industry is full of technology vendors, data science companies, researchers and innovators focused on creating predictive and prescriptive algorithms for improved diagnosis and treatment recommendations.
By 2021, Gartner predicts that 75% of healthcare delivery organizations (HDOs) will have invested in an AI capability that is explicitly improving either operational performance or clinical outcomes. The more activity there is around using AI in healthcare, the greater the need for HDOs to establish AI governance.
“AI governance is necessary, especially for clinical applications of the technology,” says Laura Craft, VP Analyst at Gartner. “However, because new AI techniques are largely new territory for most HDOs, there is a lack of common rules, processes and guidelines for eager entrepreneurs to follow as they design their pilots.”
Most HDOs have not developed an enterprise strategy for how AI will be introduced, invested in and managed. This leads to a lack of trust in AI-powered solutions and creates a new problem that only healthcare provider CIOs are equipped to address. It is important that CIOs take a lead role in making sure there is discipline and accountability around the use of AI in HDOs.
Craft shares three actions that healthcare provider CIOs should take to ensure that any implementation of AI is safe, protected and realizes its potential.
Establish an AI governance council
AI governance need not be separate from an existing leadership body of authority. If a strategic leadership council for a data and analytics program already exists, then this is the most obvious fit, as AI is a natural extension of an analytics program. However, other strategic leadership councils may not have the purpose and setup that make them suitable to take on the responsibilities of governing the investment, value and use of strategic and high-risk AI capabilities.
Whether through an existing or separate council, successful AI governance includes four pillars:
Legal, regulatory and compliance review to decide what happens and who is held accountable when an AI output causes harm.
Clinical and scientific verification and validation to confirm that the AI algorithm has been tested on a valid data set.
Ethical evaluation and usage guidelines to determine whether or to what extent patients are informed about the role AI is playing in their diagnosis and treatment.
Organizational deployment and change management for training staff on what is expected and the correct actions to take when using AI.
Establish common definitions and strategic value of AI
Organizations must have a common definition of AI to have productive conversations around its value and investment. This means involving clinicians, scientists, technologists and end users in the conversation to produce a universal agreement across all stakeholders. CIOs should use the AI governance council to facilitate discussion and formally adopt an enterprise-wide perspective. Consistency and thoroughness should also be established around AI opportunity identification and selection.
Anticipate any data challenges
Data is often a big obstacle to the smooth and successful implementation and use of AI. When attempting to curate a clean, complete and accurate dataset, HDOs are challenged by poor data quality; lack of needed data; incomplete data; and issues of data consent, privacy and security. To address this, successful CIOs scrutinize current data governance practices and data acquisition methods by providing guidance for the types of data that will be needed and upgrading data curation tools and services.
“Overall, AI governance must be implemented as a formal set of guidelines with enterprise-level authority,” says Craft. “This sends a clear signal to the organization that AI is considered strategic and has the attention and interest of senior executives.”
Dave, a longtime CIO at a large corporation, finds himself drowning in a sea of new technology developments. He is used to the old way of doing things, where a new technology advancement would come out every few years. As a result, Dave has grown comfortable waiting for the early adopters to figure things out first, then following.
“The wait-and-see approach will no longer work for CIOs,” says Leigh McMullen, Distinguished VP Analyst at Gartner. “Digital business will hit the enterprise in four rapid waves, forcing organizations to learn to surf and adapt the new technologies that support new business models.”
McMullen explains the four waves of disruption and how organizations can stay afloat.
Organizations are increasingly shifting from an emphasis on cost cutting, to a search for revenue and profit growth. More than twice as many CEOs say they want to build in-house technology capabilities to create business value than want to outsource IT work, according to Gartner’s 2019 CEO Survey.
“In growth mode, the enterprise must differentiate itself, but in digital business, the enterprise must use technology to do so,” says McMullen.
Recommendation: Redesign the IT operating model to support digital business, to transform talent, ways of working and other long-established elements of the IT organization.
Digital disruption sows chaos market by market
Digital disruption has not yet reached its peak. It hits different markets in different ways and at different times. For example, heavily regulated industries like healthcare and banking continue to resist full digitalization, whereas streaming media overhauled the music industry entirely.
Recommendation: CIOs across different industries have a few options to respond to forthcoming digital disruptions, but should always assess the areas of the business that can benefit from digital technology and create new value for customers.
Today a digital platform supports many digital businesses, the enterprise’s own and those of its ecosystem partners. Meanwhile, there is more computing power sitting idle on employees’ desks and in the devices in their pockets than there is in all the world’s data centers.
Recommendation: To support the organization’s main business model, platform or otherwise, explore a distributed cloud architecture that combines cloud and edge computing. Distributed cloud offerings support the Internet of Things (IoT), but will also benefit mobile and desktop environments.
Artificial intelligence, IoT and blockchain create a perfect storm
Blockchain’s ability to support peer-to-peer microtransactions — combined with the intelligent decision-making ability of artificial intelligence (AI) and the sensory powers of IoT — will create never-before-possible businesses. AI applications including chatbots and virtual personal assistants are already being widely adopted across enterprises, and blockchain technologies are continuing to rapidly mature.
Recommendation: Educate senior business leaders about AI, IoT and blockchain so they can understand the implications of these technologies and reorient middle management to cultivating talent around them.
The uncertainty that pervades business today doesn’t just relate to macroeconomic conditions, although threats such as recession obviously loom large in the minds of many. Uncertainty also stems from any number of strategic, operational or other microeconomic changes — including reorganizations, mergers and acquisitions, or the sudden appearance of a new competitor from outside your industry.
No matter the reason, HR leaders must continue to attract, develop and retain the critical talent needed to drive sustained business performance. Only now, they are required to do so amid the short-term demands that arise when conditions aren’t entirely positive or stable.
“You have to be creative and always come up with ideas on how to work efficiently without compromising on talent,” a vice president of talent and organizational management told a group of HR leaders recently assembled by me and my Gartner colleagues.
We came together to discuss how to best manage organizational talent needs during uncertain economic times. All agreed that despite such challenges, progressive leaders commit to their talent strategies even while driving short-term efficiencies. Below are a few key ways to do so, as identified by your fellow HR leaders.
Establish people as your organization’s biggest and best investment. For most companies, people are their biggest investment throughout the economic business cycle, making payroll vulnerable to cost cutting during times of uncertainty. Progressive talent leaders work constantly with the business to align their strategies and goals with changing business environments, and to demonstrate the role of talent as a critical driver of innovation and growth.
Embrace cost optimization. The Gartner 2019 Global Labor Market Survey of 10,035 managers and employees showed that active cost-cutting, or plans to cut costs, are prevalent in more than 50% of organizations. The key is to avoid reactive cost-cutting decisions, and instead to be proactive about cost optimization — the continuous discipline of prioritizing initiatives based on their benefits and risks, not just their costs. Progressive leaders find ways to retain their talent while saving costs — for example by reprioritizing services or using technology more efficiently.
Align stakeholders on resource priorities. To optimize costs effectively, stakeholders must be aligned on the priorities for allocating resources. Our survey showed the top two barriers to successful cost optimization are leaders failing to understand how work really gets done and employees resisting the cost saving efforts. Progressive HR leaders play a key role in driving consensus and managing tension and conflict among stakeholders. For example, managers, labor unions or employees may have opposing views about where and how to save costs. HR leaders also need to make sure cost optimization initiatives are implemented and articulated in a way that protects employee engagement and the employment value proposition — and doesn’t trigger employee attrition.
Adapt policies and guidelines to changing times. While it’s difficult to navigate uncertain times, make potentially tough trade-offs and build consensus about resource priorities, progressive leaders use periods of uncertainty as an opportunity. They realign global policies and guidelines, redesign major learning and development programs and generally guide their function to support the organization in driving innovation and growth. They also prepare employees for frequent change, and support managers and employees in overcoming entrenched but counterproductive mindsets and ways of working.
Use these strategies for improved, more efficient and proactive talent management that doesn’t require you to make unnecessary, and potentially harmful, compromises even in the face of unexpected change and uncertainty.
Noémi lives in France. She needs to file her income tax return and — since she’s already doing “admin stuff” — she also checks the status of her healthcare reimbursements and signs up on the local electoral list. FranceConnect allows Noémi to access the public services needed to complete these tasks using a single logon.
Noémi’s story is a clear example of how digital identities can make citizens’ lives and interactions with government agencies easier.
“Governments have long been investing in digital identity and authentication methods to make sure citizens can easily, securely and legitimately access public services,” says Arthur Mickoleit, Senior Principal Analyst at Gartner.
“But success has so far been very patchy,” says Mickoleit. "In some Nordic countries like Norway or Sweden, almost the entire population uses digital citizen IDs. Other countries, such as Australia, Germany or the U.S., have long tried to establish a system, but have not succeeded for reasons that often revolve around an overly bureaucratic culture, which leads to an underperforming customer experience.”
To create working, successful digital citizen IDs, government CIOs must focus on three things: governance, technology and user experience.
Government CIOs whose agency provides a digital service have to choose between two models: provisioning and operating digital identities themselves, or turning to a growing list of digital identity service providers (IDSPs).
It’s become clear that the better option, in most cases, is to use one or more third-party IDSPs. This allows government agencies to focus their limited capacities on their core business: providing citizen services. And it reduces the “clutter” citizens perceive when having to deal with multiple logins for different institutions.
“By 2023, at least 80% of government services that require authentication will support access through multiple digital ID providers,” Mickoleit says. “Citizens can then use the digital identity of their preference to interact with government agencies instead of having to manage single-purpose identities for each agency.”
However, governments must keep in mind that there are different options for outsourcing digital identity provisioning, from government-issued digital IDs, through IDs issued by companies, to combined approaches like FranceConnect. Each option has its pros and cons.
For example, when commercial IDSPs gain greater control over citizen identities and potential insights into their use, privacy concerns will arise. Government CIOs must find a balance between the benefits of faster take-up when partnering with the private sector and potential clashes between the interests of different stakeholders.
Government and citizen expectations around digital identity can be difficult to balance. Government CIOs prioritize a high level of security to ensure citizens are who they claim to be when they access a service. Citizens, on the other hand, mostly want easy and convenient access.
In the past, many governments favored caution over convenience, which often resulted in very secure systems that were difficult to use. Only the most tech-savvy citizens took on the challenge, while everyone else stuck with the traditional, analog points of access.
To balance security and convenience, government CIOs should take a more flexible approach and ensure levels of security are specific to the service offered. For example, booking an appointment should require less rigid security measures than declaring your taxes, let alone casting an online vote in national elections, as you can do in Estonia.
Governments need to understand that secure design of identities is not only a technology matter. The recent incidents of digital ID misuse in Estonia mostly involved phishing and social engineering, and attacks of that kind need to be anticipated. Government agencies should run campaigns that make people aware that digital identities are becoming as valuable, and as important to protect, as analog identities.
Technologies for digital identity are evolving at a rapid pace. This means that government CIOs must factor change into their technology choices, but also provide a form of continuity for their users.
“The three canonical authentication factors — knowledge, token, biometric trait — will continue to be a part of identification and authentication processes. They are established, secure and constantly evolve in their availability, as you can currently see with biometric sensors,” says Mickoleit.
Nonetheless, it’s critical that government CIOs stay on top of how security and user convenience profiles evolve over time. For example, two-factor authentication based on SMS transaction codes is now being replaced by dedicated code generator apps, which are both more convenient and harder to attack: an SMS code can be intercepted in transit or redirected to an attacker’s phone, whereas a code generated on the device never leaves it.
In the future, blockchain approaches might provide even better privacy and user control over identity. And as ID technologies become more widespread and affordable, they can accelerate social inclusion of the estimated 1 billion people worldwide that currently have no formal means of identification.
The theft of private data on 143 million Americans made the Equifax cyberattack one of the biggest in history. The company’s handling of the breach came under intense scrutiny, resulting in the resignation of CEO Richard Smith in September 2017 amid the turmoil.
He wasn’t the first or the last casualty. A Gartner analysis of security breaches reported in news media over a five-year period shows that CEOs are increasingly blamed and punished as a result of cybersecurity-related events — even more so than IT executives. The consequences include dismissal, resignation or loss of significant compensation.
CIOs and CISOs concerned with IT risk must help CEOs achieve greater defensibility with key stakeholders such as customers, board members, regulators and shareholders, says Paul Proctor, Distinguished VP Analyst at Gartner.
“This isn’t about a scare campaign or a wake-up call for executives and the board,” says Proctor. “This is a real opportunity for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritize and fund security.”
How to create defensibility
Gartner has identified eight reasons why more CEOs will be fired over cybersecurity breaches. Addressing them will make your security program more defensible — not against “bad guys” but with key stakeholders, so they are satisfied with the organization’s security approach.
1. Invisible systemic risk
Businesses make decisions every day that negatively impact their security readiness — for example, refusing to shut down a server for proper patching, or choosing to keep working on old hardware and software to save budget. CIOs need to be sure that invisible systemic risk is recognized, reported and discussed in governance processes.
2. Cultural disconnect
While organizations have understood for more than a decade that security is a business problem, they continue to struggle with approaching it as one. Its treatment remains largely a technical problem, handled by technical people and buried in IT, even though it has been presented in the boardroom at least annually for years.
3. Throwing money at the problem
You can’t buy your way out — however much you spend, you still won’t be perfectly protected. Overspending also harms business outcomes by raising ongoing operational costs and can impair the organization’s ability to function.
4. Your security officer is the defender of your organization
Security staff are hired because they’re experts, and their job is to protect the organization. This silos the issue, putting people in charge of protecting business outcomes they don’t understand, while the executives who own those outcomes disengage.
5. Broken accountability
Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage.
6. Poorly formed risk appetite statements
Organizations create generic, high-level statements about their risk appetite that don’t support good decision making. Avoid promising to engage only in low-risk activities: that is counter to good business, and it creates yet another reason to fire you when the business does take on risk.
7. Social pressure
Blaming an organization for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organizations aren’t. When a headline-grabbing security incident happens, society just wants heads to roll. While this isn’t fair, it’s the result of decades of treating security as a black box. Society is not going to change until organizations and IT departments start treating and talking about security differently.
8. Lack of transparency
Gartner has witnessed countless interactions with organizations that have boards and executives who do not want to hear or acknowledge that security is not perfect. Some board presentations are filled with good news about the tremendous progress that has been made in improving security, with little or no discussion about where gaps and opportunities for improvement exist.
“IT and non-IT executives alike must be willing to understand and talk about the realities and limitations of how security works, to tackle the challenges,” says Proctor.
This article has been updated from the original, published on August 15, 2018, to reflect new events, conditions or research.