What will be the CISO Story of 2021?


Community Blog
Written by Eric Gneckow

FEBRUARY 2, 2021

At Evanta, a Gartner Company, we work continually to ensure the information security gatherings we support allow timely, relevant and actionable idea exchanges for C-level security leaders across the world. Yet amid this ever-evolving focus are the three themes we revise every six months across our chief information security officer communities, themes that are our guiding pillars as we seek to understand the story of the CISO entering 2021.

How do these themes resonate with you in your role?

Accelerating security to match the pace of digital business initiatives

When the COVID-19 epidemic prompted a widespread shift to white-collar work-from-home, those employees didn’t necessarily have a handbook for doing business remotely. So they figured it out, drawing on video conferencing tools more than ever before and whatever means necessary to collaborate with clients and colleagues.

It wasn’t just existing virtual collaboration tools that came to the rescue. In order to get business done, workers turned to whatever “worked,” including third-party video conference and file sharing applications from outside their vetted internal ecosystem. And as so often is the case, the established language of business revenue opportunity came into tension with the considerations of business, and information, risk.

From Evanta’s vantage point in 2020, information security executives spoke broadly of having a “seat at the table” in the early and forced “pandemic pivots” of their organizations. CISOs largely said they were an active and ongoing part of the conversation when it came to mitigating risks from distributed devices, and quickly developed best practices to still allow seamless workflows remotely.

Yet the virtual business climate continued to accelerate and mature, and with it, new challenges became apparent. What does it mean to deliver telemedicine from a home office, when a family member can hear sensitive patient data? When does it make sense to deploy a virtual machine environment for a personal computer versus deploying new laptops? What level of security is necessary to ensure video is secure, and what level of security is too much?

In many ways, the questions we observed security leaders asking in 2020 represented familiar challenges around enterprise risk management and basic security hygiene. Yet the pace of business solution-finding made necessary by the pandemic felt as though it had crossed a new threshold. In 2021, we will be looking for CISO strategies, solutions and success stories of how they have kept pace with the change.

Managing the risk created from a landscape of new core technologies

As organizations have accelerated their digital initiatives and transformation in 2020, Evanta has observed several common talking points among information security leaders related to consolidating third-party services. We expect that understanding and navigating the risks of core technologies, including how to discuss those points with the business at large, will be important in 2021.

Early in the “pandemic pivot,” some CISOs described how the increased adoption of functionality already present in their virtual office suites revealed an opportunity to realize cost savings by eliminating redundant third-party services. Redundant video call services gave way to functionality that was already present in inter-office chat products, for example. Many CISOs said that they were experiencing a general trend of optimization and consolidation among their third-party services, meaning, frankly, fewer vendors to assess and secure.

Yet as organizations optimize and consolidate their tools for reasons including cost savings in an uncertain economy, how does that change the conversation between security leaders and third-party suppliers? When the business depends on one cloud provider, where do leverage, trust and leadership come into play?

In 2021, we expect CISOs will be asking harder questions of their service providers and deepening their efforts to understand the risk from fewer, but vaster, relationships.

Achieving sustainability for the CISO role without compromising outcomes

Evanta conference teams observed a shift in how information security leaders discussed self-care and sustainability in their roles in 2020. We have assessed for some time that the stresses of the role are unique among C-suite leaders, leading to various implications including relatively shorter tenure, yet last year marked the most discussion we have observed to date about strategies to address those challenges on an individual leader level. As the role matures, we believe leadership development and supportive efforts to increase in-role tenure and effectiveness will continue to be part of the conversation.

CISOs are solution-minded leaders who face a common enemy in the form of malicious actors. This mission, we believe, overrides some practical discussion around the CISO's role as a business leader. Several CISOs have told us that they frequently take on additional work from their direct reports in order to advance projects, which is an admirable effort from an outcome perspective that we believe hurts the long-term sustainability of the role. This conversation is starting to shift – whether in new practices or through new technologies such as automation and orchestration, is it possible for the CISO to reclaim some measure of work-life balance?

We believe the long-term implications of efforts to achieve better sustainability for the CISO role will be positive for any organization, and we will be looking for success stories of leadership in this area in 2021.

 


Eric Gneckow

Director, Content at Evanta, a Gartner Company