“A Minimum Effective mindset is a deliberate, ROI-driven approach to leading cyber security into the future,” added Leigh McMullen, Distinguished VP Analyst at Gartner. “While the idea of ‘minimum’ may seem uncomfortable, it refers to the inputs, not the outcomes. This approach will enable cybersecurity functions to go beyond merely ‘defending the fort’ to unlocking their true potential to create tangible value.”

During the Opening Keynote of a Gartner Security & Risk Management Summit in National Harbor, Maryland, USA, Teixeira and McMullen debunked four common security myths and explained how security leaders can create new value across business engagement, technology and talent.  Below is a summary of their findings and recommendations.  

Myth #1: More data equals better protection

It’s commonly believed that the best way to drive action from executive decision makers on cyber security initiatives is through sophisticated data analysis, such as calculating the likelihood of a cyber event occurring. However, it is not practical to quantify risk in this way. Further, this approach does not deliver shared accountability between cyber security and enterprise decision makers necessary for materially reducing business risk. Gartner research has found that just one-third of CISOs report success driving action through cyber risk quantification.

“Rather than continuing to pursue more data and more analysis, savvy CISOs engage in a Minimum Effective Insight approach,” said Teixeira. “Determine the least amount of information needed to draw a straight line between the enterprise’s cyber security funding and the amount of vulnerability that funding addresses.”

CISOs should use an outcome-driven metrics (ODM) approach to action Minimum Effective Insight. ODMs link security and risk operational metrics to the business outcomes they support by explaining the levels of protection currently in place and the alternative protection levels available based on spend.

Myth #2: More technology equals better protection

Worldwide spending on information security and risk management products and services is forecast to grow 12.7% to reach $189.8 billion in 2023. Yet even as organisations spend more on cyber security tools and technologies, security leaders still feel they are not properly protected.

“Cyber security often gets stuck in a gear acquisition mindset, believing that around the corner there must be something better,” said McMullen. “Instead, CISOs must embrace a Minimum Effective Toolset – the fewest technologies required to observe, defend and respond to exposures. This will enable cyber security to own their architecture, reducing the complexity and lack of interoperability that makes it so difficult to generate value from technology investments.”

Organisations can begin the journey to a Minimum Effective Toolset by taking a human-cost view, keeping the overhead on cyber professionals managing cyber security tools lower than the benefit of the tool in mitigating risks. In parallel, take an architectural view to measure whether any given tool is additive to, or subtractive of, the ability to protect the enterprise. Cyber security mesh architecture (CSMA) principles can also support security in designing for simplicity, composability and interoperability.

Myth #3: More cyber security professionals equals better protection

“Demand for cyber security talent has outstripped supply to the point that CISOs are unable to catch up,” said McMullen. “Security is a massive bottleneck to digital transformation, and a lot of that is because of a myth that only cyber security professionals can do serious cyber work. Democratising cyber security expertise, rather than trying to hire out of the talent gap, is the solution.”

Gartner predicts that by 2027, 75% of employees will acquire, modify or create technology outside IT’s visibility, up from 41% in 2022. CISOs can reduce the burden on their teams by helping these business technologists build Minimum Effective Expertise, or cyber judgment. A recent Gartner survey found that business technologists with high cyber judgment are 2.5 times more likely to consider cyber security risks when developing analytics or technology capabilities.

Myth #4: More controls equals better protection

A recent Gartner survey found that 69% of employees have bypassed their organisation’s cyber security guidance in the past 12 months, and 74% of employees would be willing to bypass cyber security guidance if it helped them or their team achieve a business objective.

“Cyber security organisations are well-aware of the pervasive non-secure behaviour of the workforce, but the typical response of adding more controls is backfiring,” said Teixeira. “Employees report a huge amount of friction involved with secure behaviour, which is driving unsecure behaviour. Controls that are circumvented are worse than no controls at all.”

Minimum Effective Friction rebalances cyber security’s assessment of the performance of security controls to prioritise user experience rather than technical functionality alone. Gartner predicts that by 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices to minimize cyber security-induced friction and maximize control adoption.