Four myths obscuring cybersecurity’s full value
According to Gartner, there are four common myths that hinder the full value of cybersecurity for enterprises and impede the effectiveness of security programs. Gartner recommends that Chief Information Security Officers (CISOs) adopt a “Minimum Effective” mindset to maximize the impact of cybersecurity for the business. Let’s explore these myths and the corresponding strategies to create new value in cybersecurity.
Myth #1: More Data Equals Better Protection The belief that sophisticated data analysis and quantifying risk will drive action from executive decision makers is not practical or effective. Gartner suggests adopting a Minimum Effective Insight approach, which involves determining the least amount of information needed to establish a clear connection between the cybersecurity funding and the vulnerability it addresses. Using an outcome-driven metrics (ODM) approach can help link security and risk operational metrics to business outcomes, providing a better understanding of the levels of protection in place and alternative protection levels based on spending.
Myth #2: More Technology Equals Better Protection Despite increased spending on cybersecurity tools and technologies, security leaders often feel inadequately protected. Instead of constantly acquiring new technologies, CISOs should embrace a Minimum Effective Toolset approach. This means using the fewest technologies required to observe, defend, and respond to exposures. By reducing complexity and focusing on interoperability, cybersecurity can own its architecture and generate more value from technology investments. Organizations can adopt a human-cost view and assess whether the benefits of a tool outweigh the overhead on cyber professionals managing it. Cybersecurity mesh architecture (CSMA) principles can also support simplicity, composability, and interoperability.
Myth #3: More Cybersecurity Professionals Equals Better Protection The demand for cybersecurity talent exceeds the available supply, causing a bottleneck in digital transformation efforts. Gartner suggests democratizing cybersecurity expertise and helping business technologists build Minimum Effective Expertise or cyber judgment. By involving business technologists in cybersecurity and ensuring they consider cybersecurity risks when developing technology capabilities, CISOs can reduce the burden on their teams. This approach recognizes that not only cybersecurity professionals but also employees with high cyber judgment can contribute to effective cybersecurity.
Myth #4: More Controls Equals Better Protection Adding more controls in response to non-secure behaviour in the workforce often backfires. Employees may bypass or circumvent controls, leading to increased friction and unsecure behaviour. Gartner proposes a Minimum Effective Friction approach, which prioritizes user experience alongside technical functionality when assessing the performance of security controls. By adopting human-centric security design practices, organizations can minimize cybersecurity-induced friction and maximize control adoption.
By dispelling these myths and adopting a Minimum Effective mindset, CISOs can enhance the effectiveness of cybersecurity programs, maximize value for the business, and address the challenges faced in the cybersecurity landscape.