Cyber Judgment: A New Path Forward for Decision Makers

Digital transformation is here. According to the 2019 Gartner CEO Survey, 82% of CEOs have digital transformation programs in flight, a 20% jump from 2018. Value propositions, operations, customer strategies, and business capabilities are being upended by digitization. Consequently, information risk decisions are no longer made solely by IT professionals. Instead, decision rights for information risk are being distributed throughout the enterprise.

To adapt to this new, sprawling base of decision makers across the enterprise, information security functions must focus on building cyber judgment: the ability to independently make informed risk decisions.

Organizations are clamoring for digital skills and increasingly, this digital talent is hired outside of traditional IT functions. Gartner’s TalentNeuron research shows that job postings outside IT referencing artificial intelligence (AI), data science, or robotic process automation (RPA) have all increased 70% or more over the past five years. As a result, more than 40% of information risk decisions are now made outside IT.

Digital transformation not only pushes more risk decisions outside IT, but also drives the volume of risk decisions beyond information security’s capacity to facilitate. Gartner research shows that 73% of organizations are adopting, or plan to adopt, Agile or DevOps methodologies. Coupled with 93% of project managers feeling pressure to speed delivery, it is easy to see why traditional security decision stage gates are crumbling.

Building cyber judgment

To ensure quality risk decision making in a scalable way, progressive information security teams are building cyber judgment in their enterprises. Cyber judgment targets risk decisions that have multiple tradeoffs and no single, obvious answer: for example, a digital operations app developer choosing how to implement RPA for a customer service initiative or a business partner choosing a SaaS provider. The information security function cannot feasibly be directly involved in all decisions of this nature. Differing from the traditional approach of directly facilitating decisions, employees should be enabled to move at the speed of the business without losing sight of relevant risk implications. By instilling cyber judgment, information security can shift resources to higher impact security activities.

While the benefits of cyber judgment make the choice seem easy, most security and risk management leaders are not eager to further transferring decision rights to those with whom they have not traditionally worked. Gartner research shows that only 12% of chief information security officers (CISO) are confident that decision makers have good cyber judgment; the rest are either not confident (60%) or unsure (28%). Embracing distributed decision making requires a fundamental change to the mindset of security and risk management leaders. Most believe it is their teams’ responsibility to identify and assess risk, interpret policy and facilitate all but the lowest-ranked risk decisions. These leaders must build trust in and the competence of decision makers within their organization.

Approaches to building cyber judgment

Information risk decision making is no longer conducted only by IT professionals or formally defined risk owners. Rather, information risk decisions are now made in all areas and levels of the enterprise. Security and risk management leaders traditionally employ direct facilitation and automation to support decision makers, but these tactics fall short. Information security staff cannot be everywhere decisions are made, and not every risk decision can be automated. Information security needs a new approach. That approach is cyber judgment.

Daria Kirilenko is a director of the Information Risk Research Team at Gartner Inc.

Lucas Kobat is a research specialist in the Security and Risk Management group at Gartner Inc.