A Security View of the 2023

The document discusses the evolving priorities of CIOs, CEOs, and Boards of Directors in 2023, emphasizing the integration of digital strategies into overall business growth. It highlights the need for organizations to prioritize, measure, and facilitate digital investments to achieve tangible outcomes, as many leaders express dissatisfaction with current returns on digital spending. Additionally, it outlines the implications for Chief Information Security Officers (CISOs) in managing the security of increasing digital initiatives and the importance of aligning security projects with business goals.

A Security View of the 2023

CIO and CEO Agenda

Katell Thielemann

© 2023 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this
publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research
may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or
influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."
2022 and 2023 Surveys Show

Board Directors
• 89% say digital business is now embedded in all business strategy.
• 64% say they are planning to increase their risk appetite for business growth.

CEOs
• Say profitability improvement is their top financial business priority.
• 84% say they will increase their investments in digital capabilities.

CIOs
• 33% say they struggle to integrate the digital vision with existing enterprise strategies.
• 32% say leaders in their organizations think digital technology investments in employee productivity lag in delivering expected value.

Boards are willing to increase risks but want results.
CEOs want “digital dividends” — tangible growth from their investments.
CIOs need to deliver digitalization outcomes.

Implications
Become a Digital Dividend Partner — Ensure Secure Tangible Returns From Digital Investments

Key Issues

How do you become a digital dividend partner?


1. Prioritize
2. Measure
3. Facilitate

Digital Tech Initiatives Remain Top of Mind for Boards
Top 10 Strategic Business Priorities for 2023/2024 — YoY Percentage Change
Sum of Top 5, Coded Multiple Responses
[Bar chart; legend: Increase, Decrease. Categories, in chart order: Digital Tech Initiatives (including Technologies/IT); Workforce (e.g. retention, training, hiring etc.); Business Expansion/Diversification; Financial (other than revenue or profit); ESG, Health and Sustainability; Customer (e.g., engagement, acquisition, retention etc.); Effective Business Management; Cost Efficiency Improvement; Profit; Mergers & Acquisition]

n = 281; Nonexecutive Board of Directors


Q03. Please tell us about your organization's top 5 strategic business priorities for the next 2 years (2023/2024).
Source: 2023 Gartner Board of Directors Survey on Business Strategy in an Uncertain World
Note: Showing Top 10 only

BoDs: 89% Agree That Digital Is Now an Implicit Part of All Business Growth Strategies
Agreement With the Statement
“Our nonexecutive board is focused on driving digital technologies into our organization’s growth initiatives such that “digital” is no longer seen as a separate strategy but is an implicit part of all business growth strategies, i.e., we are in a “postdigital” world.”
Agree: 89%
Disagree: 6%
Mean: 6.0
[Bar chart of responses on a 7-point scale: 1. Strongly Disagree; 2. Somewhat Disagree; 3. Slightly Disagree; 4. Neutral; 5. Slightly Agree; 6. Somewhat Agree; 7. Strongly Agree]
n = 281; Nonexecutive Board of Directors
Source: 2023 Gartner Board of Directors Survey on Business Strategy in an Uncertain World
Note: Some of the percentages may vary due to rounding.

4 Out of 5 CEOs Plan to Increase Digital Capabilities Investments
Investment Increases — Change Year Over Year
[Line chart, 2012 to 2023; labeled values:]
• Digital Capabilities: 84%
• Information Technology: 71%
• People and Culture Development: 69%
• Sustainability and ESG: 61%
• Product Enhancement: 60%
• R&D and Innovation: 56%
n = 422, All Respondents
Q02. Compared to fiscal year 2022, how will your organization’s investments in the following business areas change in fiscal year 2023?
Source: 2023 Gartner CEO and Senior Business Executive Survey
ESG = Environment, Social and Governance

CEOs Believe AI Will Most Significantly Impact Their Industries Over the Next 3 Years
Coded Responses — Showing Top 15
[Bar chart comparing the 2022 CEO Survey (n = 396) with the 2023 CEO Survey (n = 408). Categories shown: AI; Digitalization; Automation; Data Analytics; Cloud Computing; Payment and Fintech; IoT, IoE and Related Technologies; New Materials; Blockchain Related; Carbon Capture/Control]
n varies, All Respondents Excluding NA/None/DK
Q03. The new technology that will most significantly impact our industry over the next three years is.
Numbers may not total 100% due to rounding
Source: 2023 Gartner CEO and Senior Business Executive Survey
IoT = Internet of Things; IoE = Internet of Everything

Enterprises Are Rebalancing Their Technology Portfolios
Changes in Technology Investments — Percentage of Total Respondents

Technology area | Decreasing investment (n = 1,842) | Increasing investment (n = 2,150)
Cyber/Information Security | 1% | 66%
Business Intelligence/Data Analytics | 2% | 55%
Cloud Platforms | 2% | 50%
Application Modernization | 6% | 46%
Integration Technologies/APIs/API Architecture | 2% | 39%
Total Experience Solutions | 2% | 34%
Artificial Intelligence/Machine Learning | 1% | 32%
Enterprise Resource Planning | 13% | 27%
Business Continuity Management | 3% | 25%
Hyperautomation | 2% | 24%
Digital workplace | 8% | 24%
Connectivity | 8% | 19%
Legacy Infrastructure and Data Center Technologies | 47% | 17%
Containerization and Orchestration of Application Workloads | 2% | 15%
Internet of Things | 4% | 15%
Digital Media | 4% | 14%
Digital Twins | 2% | 10%
Product Portfolio Management Tools | 6% | 10%
Human Augmentation | 4% | 5%
Next-Generation Compute Technology | 4% | 2%
None | 31% | 1%

n varies by question; CIOs and technology executives answering, excluding not sure
Q. What are the technology areas where your enterprise will be spending the largest amount of new or additional funding in 2023 compared with 2022?
Q. What are the technology areas where your enterprise will be reducing funding by the highest amount in 2023 compared with 2022?
Source: 2023 Gartner CIO and Technology Executive Survey

Implications for CISOs

• More Digital Projects Are Coming
• New Technologies Like AI Will Mean New Security Headaches
• Cybersecurity Investments Will Grow

You Must Prioritize


Security Portfolio and Projects
[Diagram labels: Security Portfolio; Security Projects, in four categories: Security Controls Implementation; Security Process Improvements; Security Consulting on Business Projects; Compliance Initiatives; High-Priority Projects and Low-Priority Projects]

Source: Security Portfolio Prioritization: How to Structure and Assess Security Investment Decisions (G00766518)

What Are Your Organization’s Strategic Goals?

• Revenue Growth
• Improve Operational Excellence
• Increase Innovation
• Improve Customer Experience
• Improve Employee Experience
• Introduce New Products/Services
• Ensure Business Continuity and Resilience
• Ensure Legal and Regulatory Compliance
• Increase Cost Efficiency
• …

Define Evaluation Criteria Aligned to Your Organization’s Strategic Plan

Project Evaluation Criteria, with Project Scores for Projects A, B and C (%)

Strategic Alignment (sample scores: A = 5, B = 5, C = 4)
Alignment with overall enterprise strategy and vision (Sample)
0 — No alignment or measurable impact
1 — Partly aligned but no measurable impact
2 — Partly aligned and measurable impact
3 — Somewhat aligned but no measurable impact
4 — Somewhat aligned and measurable impact
5 — Explicitly aligned and measurable impact

Organizational Resilience/Risk Reduction
Scale of 0 to 5

Frictionless Customer/Employee Experience
Scale of 0 to 5

Ability to Execute (Resources, Budget, Skills)
Scale of 0 to 5

Score Your Security Projects’ Alignment to the Goals

[Scoring grid: Project A, Project B, Project C, Project D and Project E, each scored against Strategic Alignment; Organizational Resilience/Risk Reduction; Frictionless Customer/Employee Experience; Ability to Execute]

Prioritized Projects by Score
Project D 92
Project E 80
Project C 78
Project A 75
Project B 69

Best Practices for CISOs to Add Rigor to Portfolio Prioritization

Use a Prioritization Framework
Prioritize projects that support the highest-value capabilities by evaluating which security projects have clear business impact.

Be Open and Transparent
Seek stakeholder input regularly on project prioritization decisions by creating predictable opportunities to provide transparency for stakeholders and business partners.

Assess and Validate Regularly
As your organization continues to build, expand and adapt to changing demands, regularly assess and validate evaluation and prioritization criteria and weightings.

Technology Deployments
Will Continue to Outpace
Your Ability to Secure Them.
You Must Prioritize.

Key Issues

How do you become a digital dividend partner?


1. Prioritize
2. Measure
3. Facilitate

65% of BoDs Say They Have More Work to Do to Achieve Their Goals
Digital Business Progress or Achievements Till Date

• We have not made any notable progress in digital business success but we continue to invest in digital business: 20.7%
• We have made the desired level of progress in digital business optimization but not achieved our goal yet: 43.9%
• We have achieved our digital business optimization goal and are now pivoting investments to drive digital business transformation: 16.4%
• We have achieved our digital business optimization goal and made progress in digital business transformation: 11.1%
• We have achieved our digital business optimization and digital business transformation goals. Our digital business performance has been a competitive game changer: 7.5%
• Other: 0.4%


n = 280; Nonexecutive Board of Directors, Excluding Don't Know
Source: Q06. Which of these best describes your organization's digital business progress or achievements till date?
Source: 2023 Gartner Board of Directors Survey on Business Strategy in an Uncertain World

CFOs Say Digital Spending Is Underdelivering
Digital Spending Performance Against Expected Outcomes
Proportion of Organizations, CFO-Reported

Meeting or Exceeding Expectations: 33%
Underperforming Expectations: 67%

n = 102 CFOs
Source: 2022 Gartner Driving Business Outcomes From Enterprise Digital Spending Survey

Implications for CISOs

While Senior Leaders Are Doubling Down on Digital Investments
… They Are Not Happy With the Current Returns
… and Want Measurable Results.

You Need to Up Your Measure Game


Define Metrics You Can Track

• Incident Containment Time
• Incident Remediation Time
• OS Patching Cadence
• Third-Party Risk Engagement
• Unassessed Third Parties
• Expired Policy Exceptions
• Endpoint Protection Coverage
• Ransomware Recovery Exercise
• Ransomware Downtime Workarounds
• Cloud Security Coverage
• Access Removal Time
• Multifactor Authentication Coverage
• Privileged Access Management
• Security Awareness Training
• Phishing Training Click-Throughs
• Phishing Reporting Rates

Source: 2022 Gartner Cybersecurity Value Delivery Benchmark

Map Investment Levels to Achieve Various Levels

This Is a Protection-Level Agreement (PLA)
Making an investment decision based on a measurable level of protection.
30-Day Patching for $1M per Year

Senior Leaders Are Concerned
With Measurable Results.

Cybersecurity Is Not Immune.

Key Issues

How do you become a digital dividend partner?


1. Prioritize
2. Measure
3. Facilitate

Technology Talent Is Increasingly Distributed Beyond IT

• 67%: CEOs and senior business executives want a higher proportion of technology work done directly within business functions/departments. (1)
• 47%: CIOs say professional technologists outside of the IT department are building technology capabilities at their enterprise. (2)
• 54%: CIOs often (as opposed to sometimes, seldom or never) work with other executives to move technology decisions to areas beyond IT. (2)

(1) n = 393 CEOs and Senior Business Executives
(2) n = 96 CIOs and IT Business Leaders
Source: 2022 Gartner CEO and Senior Business Executive Survey; 2022 Gartner Overcoming the Barriers to Digital Execution Survey;
Implement Talent Management Practices to Retain and Nurture Business Technologists (G00775670)

Current Trend: Centralize Risk Decision Rights; Decentralize User Accountability
Changes Made to Cybersecurity Risk Decision Rights and Accountability
Sum of 4 Top Rank vs. First Choice

Change | First Choice | Sum of Top 4
Cybersecurity Risk Decision Rights Have Become More Centralized in a Central Cybersecurity Team | 37% | 65%
Cybersecurity Risk Decision Rights Have Become More Centralized in an Enterprise Security Steering Committee | 33% | 58%
Information Resource (E.g. Data Systems, Technology) Owners Have Been Made Formally Accountable for the Cybersecurity Risks Associated With Their Resources | 16% | 57%
Cybersecurity Risk Decision Rights Have Become More Decentralized Into Lines of Business or Product Teams | 14% | 38%
Other | 1% | 1%
n = 344; All respondents, excluding cybersecurity risk decision rights and accountability have not materially changed in the past 24 months/DK
Q01. Which of the following changes have been made to cybersecurity risk decision rights and accountability over the past 24 months within your enterprise?
Source: 2022 Gartner Shifting Cyber Security Operating Model Survey

Implications for CISOs

• Technology adopters and creators are increasingly distributed across your organization.
• Organizations are centralizing governance, while decentralizing accountability.
• You can no longer be responsible and accountable.

You Need to Facilitate


Centralize Governance

Deploy a Cybersecurity Steering Committee:
– Chief Information Security Officer (CISO)
– CIO or IT Leader
– Corporate Functions, Such as the Chief Risk Officer (CRO), Privacy Officer, Legal Counsel and HR Representative
– Senior Representatives of All the Key Business Units, for Example, Manufacturing, Sales, Distribution and Operations

Facilitate Governance Of:
– Risk Tolerance and Risk Decision Rights
– Security Controls
– Roles and Responsibilities in Case of an Incident
– Security Policies
– Internal and External Communications
– Personnel Decisions and Reporting Relationships

Decentralize Accountability

Facilitate cyberjudgment by creating risk guardrails and enabling security decision-making throughout the organization.

n = 1,310
Source: 2022 Gartner Drivers of Secure Behavior Survey
1 Percentage increase in cyber judgement should be understood as the highest potential percentage increase in cyber judgement through the implementation of cyber judgement solutions

Example of Tool: Group Trust Score
Group Trust Score Formula

Source: Case Study: Framework to Enable Business Ownership of Cybersecurity Activities (G00771017)

Any Sense of Control Assigned to
Your Role Was Always an Illusion.

You Must Become a Facilitator.

Recommendations

• Ensure you know what your boards, CEO, CIO and CFO are focusing on.
• Review your governance model to ensure:
– You are equipped with prioritization tools.
– You can articulate business/mission impact metrics.
• Seek independent input across your organization to assess whether the security function is viewed as a controller or a facilitator, and develop a plan accordingly. Control is an illusion!

Action Plan for CISOs

Monday Morning:
• Share these slides with your team.
• Review your organization’s strategic plan.

Next 90 Days:
• Schedule one-on-one meetings with key members of the C-suite to make sure you are aligned to their key priorities, can pinpoint/discuss possible overlaps or conflicts, and adjust efforts’ priorities accordingly.
• Define metrics and SLAs; gain C-suite agreement.
• Release a way to capture how your organization views the security function (survey, skip level meetings, informal outreach, listening sessions, etc.).

Next 12 Months:
• Deploy, monitor and make course corrections as needed.

Recommended Gartner Research

• Security Portfolio Prioritization: How to Structure and Assess Security Investment Decisions. Cybersecurity Research Team (G00766518)
• Tool: Catalog of Business-Aligned Outcome-Driven Metrics for Risk and Security. Paul Proctor, Srinath Sampath and Others (G00763676)
• Infographic: Building Cyber Judgment to Improve Risk Decision Making. Cybersecurity Research Team (G00780877)

Access to Gartner research is subject to entitlement. For information, please contact your Gartner representative.