Adapt your cybersecurity program to be autonomous, innovative and agile.
- Gartner client? Log in for personalized search results.
How to Organize Your Cybersecurity Program
Create an effective cybersecurity program that addresses key challenges and prioritizes strategic initiatives while facing resource constraints.
Cybersecurity leaders are faced with the challenge of meeting increasing demands for higher project volumes, faster turnaround times, and greater flexibility and customization. Plus, they are constrained by limited resources. How can cybersecurity leaders deliver the goods without burning out? This research report shows how to:
- Address timely factors that may impact your programs, such as tariffs
- Prioritize effectively to ensure project execution within 12 months
- Smart tactics for integrating governance into their programs
Business transformation has disrupted cybersecurity
Technology acquisition, creation and delivery are moving from centralized IT functions to lines of business, corporate functions, fusion teams and individual employees. Adapt your cybersecurity program to the realities of technology adoption in three key ways.
Centralize to Decentralize
Aim for Flexibility
Enter the Executive Ranks
Centralize risk governance to empower local cyber judgment
CISOs face a cyber risk deluge that is growing at an exponential rate, not only in volume, but in complexity and scope. Cybersecurity staff can’t possibly review (or even identify) each one, but loss of control and visibility could lead to unacceptable risk.
Meanwhile, CEOs and business executives are moving tech work directly into business functions, and an increasing number of employees perform technology work that involves customizing, building or acquiring technology solutions. The volume and complexity of the risk decisions made at the edge of the enterprise now outweigh those made by central IT and cybersecurity groups.
The “centralize to decentralize” trend represents a new approach to cybersecurity governance. Now, decision centralization reflects a more informed — and scalable — approach emphasizing a flexible, centralized policy while supporting local decision making. Control standards are created locally, and local decision-making supports a centrally governed policy.
To make this work, build steering committees or governance, risk and compliance teams to create the policies and processes that empower local risk decision owners to make the right choices. If you’re going to make them accountable, make it easy for them to do what you would do.
Defy bottlenecks with new teams, processes and policies
Trading waterfall for agile is key to scalable cyber judgment. Most cyber-risk decisions and implementations are now made at the edge by product teams or business units using agile processes — not centrally controlled, stage-gated waterfall processes. Superficial changes won’t cut it; cybersecurity programs must fundamentally change to support new operating models:
Embed new roles within local, dispersed teams (business information security officers, local information security officers, security champions).
Match new ways of working with new processes (DevSecOps, cloud-first models).
Build scalable processes that selectively escalate conflicts, excess residual risks and exception requests for hands-on support at the speed the business needs.
When it comes to policy, less is more. CISOs are consolidating or reducing — not expanding — policies to be more user friendly. By collaborating with end users on policy, you give risk and data owners control and flexibility to apply standards and implement solutions that work best for them. In short, define the what centrally, and solve the how locally.
Look at the big picture
An invitation into the C-suite means you can initiate more change and take fewer marching orders. But first you may have to shift your perspective from technology manager to business enabler who can successfully influence risk decision making. To demonstrate credibility, pull back from tactical and operational meetings in favor of more strategic executive engagements.
To make your voice known in the C-suite:
Offload tactical and operational responsibilities and up your executive engagement. Consider delegating administrative operational functions (e.g., patch management, user administration) to IT teams and user awareness training to the HR training department.
- Broaden your horizons by understanding enterprise risk and business metrics. You can’t influence decisions unless you know how best to present your case. Before meeting with fellow executives, learn about their investments and financial and functional challenges. Learn about their priorities by analyzing material produced by the company and specific departments (annual reports, mission statements). Identify at least one metric that aligns with cybersecurity’s strategic objectives to draw a correlation between the risk, the metric and the actions cybersecurity can take to impact other leaders’ metrics.
Build value stories to boost the cybersecurity function’s credibility. The perception of cybersecurity as the “office of no” is alive and well, so work on changing the view of your function from technology center to business enabler. A value story with supporting metrics can demonstrate how cybersecurity outcomes generate greater business value. To influence executive leaders, tie the narrative to clear business objectives, and tailor the message to stakeholders’ priorities.
Are you a CIO or IT leader at a midsize enterprise?
See how your peers are navigating AI adoption, vendor decisions and evolving business demands — with tools tailored to your role:
Explore our resources for midsize enterprises
Check out a curated list of Gartner’s most popular research being utilized by your peers
Experience IT Security and Risk Management conferences
Join your peers for the unveiling of the latest insights at Gartner conferences.
Frequently asked questions on cybersecurity programs
What are some upcoming trends for cybersecurity programs?
The top cybersecurity trends this year are:
Optimizing for resilience
Optimizing for performance
Optimizing for resilience involves continuous threat exposure management, extending IAM’s cybersecurity value, third-party cybersecurity risk management and privacy-driven application.
Optimizing for performance involves generative AI, security behavior and culture programs, outcome-driven metrics, evolving cybersecurity program operating models and reskilling.
How can I improve the cybersecurity capabilities of my organization?
The skills that cybersecurity teams need are changing drastically, yet cybersecurity leaders continue to hire for legacy roles and skills. SRM leaders must reskill their teams by retraining existing talent and hiring new talent with new profiles. Fifty percent of large enterprises will use agile learning as their primary upskilling/reskilling method by 2026.
Take these actions:
Develop a cybersecurity workforce plan.
Hire for the future, not the past.
Foster an agile learning culture.
What is cyber risk?
“Cyber risk” refers to risks that may impact the goals and values of an organization in terms of financial loss, operational disruption, damage or harm caused by the failure of the technologies employed for informational and/or operational functions within interconnected digital environments.
Cyber-risk practitioners must adopt practices to scope and prioritize these risks, link treatments to organizational goals and enterprise risk management, and facilitate decentralized accountability and decision making.
Drive stronger performance on your mission-critical priorities.