- About 60% of CISOs are overwhelmed by "a high volume of information and data," according to a Gartner survey. At least half of CISOs are "overloaded" with security alerts.
- More than one-third of CISOs work between 50 and 75 hours a week, while 58% work between 35 and 50 hours. "There aren't enough hours in the day, and this is one of the problems that's inhibiting the creation of new security knowledge," said Jay Heiser, VP analyst at Gartner, while speaking at the Gartner IT Symposium/Xpo Americas Wednesday.
- Next year, 30% of security programs will add two roles pertaining to risk and digital ecosystems, though they might not be considered a part of the security team, according to Gartner. Titles will vary, but Gartner expects the roles to include chief of staff for security, cloud security architect, security ombudsman and business liaison.
The uncertainty that digital transformation thrusts onto security pushes organizations to find the balance between "desire for change and the need for control," said Heiser. That includes adapting to risk-based decisions on a daily basis instead of getting "trapped with old assumptions."
The line of business needs "to understand what it is we do. If they overestimate or underestimate our form of service, if they take us for granted, or assume that we're not necessary, they're not going to understand the benefits of what we provide," said Heiser. The line of business will also be unable "to help us make good decisions," even though cybersecurity decisions will fall onto them more often.
Gartner called for chief risk officers in 2016, though Heiser said the research firm got it slightly wrong, as many companies lack a CRO. Instead, 71% of security leaders are more focused on information security than on risk management, and only 7% report to their company's enterprise risk management team.
"Every chief information security officer is expected to be a jack of all trades, but not all of them are doing all trades," said Heiser. "No two security leaders do the same task," which may be why 40% of CISOs are given "unrealistic expectations" by stakeholders.
In a Gartner survey, 100% of security leaders said they're responsible for information security, while 69% included IT risk management, followed by the security operations center, data privacy and network security. Only half of leaders cite identity and access management as part of their scope. A far smaller share, 32% of security leaders, also claim product security as one of their responsibilities.
"We're in a period of experimentation," said Heiser, and the digital demands of the business are forcing security out of silos. With a remote workforce especially, companies are divvying up security responsibilities for users to be self-sufficient.
"The CISO is incapable of managing all emerging digital ecosystems without more technology to do it for them. Unfortunately, everybody else in the IT department is also asking the CIO for new tools to help them," said Heiser.