CISO for Digital Business

The chief information security officer (CISO) enables business leaders to make the right decisions

Measure, prioritize and improve the performance of your organization’s security

CISOs are key enablers of digital business and are accountable for helping the enterprise balance the associated risks and benefits.

Gartner IT Score for Security and Risk Management is a strategic planning tool for security leaders that helps you understand the current performance of your function, identify steps for improvement and ensure strategy alignment with business needs. 

Download the IT Score for Security and Risk Management.


Gain perspective on your highest-priority activities to drive business outcomes.


By proactively assessing risk appetite and the value of the desired business outcome, CIOs and CISOs can transform digital risk management into a competitive advantage.

John A. Wheeler

Senior Director Analyst, Gartner Research & Advisory

CISOs must develop risk-based security programs to enable business agility

The transformation to digital business adds complexity to the security operations within an organization. To support the objectives of the CIO, security and risk management leaders need to develop processes that enable risk decisions while protecting the business from security threats, data breaches and other cybersecurity events.

95% of CIOs expect cybersecurity threats to get worse.

Insights for the CISO and security team

Managing information security and risk in today’s business environment is a huge challenge. We provide CISOs and other information security and risk management leaders like you with the indispensable insights, advice and tools needed to advance your security program and achieve the most critical priorities of your organization, beyond just the information technology practice.

Adopting a modern security perspective

The transformation into digital business has created unprecedented new risks for organizations, especially within the information technology practice. CISOs need to adopt flexible cybersecurity approaches that overcome the limitations of their current programs.

The Gartner Leadership Vision for Security and Risk Management 2021

Watch this virtual discussion to understand why SRM leaders must develop a coherent program based on a clear vision and strategy, and how to lay out that vision and strategy.

How to Build a Mature Security Program to Mitigate Cybersecurity Risk Effectively

The Gartner Roadmap for Maturing Information Security is a best-practice insight distilled from interactions with clients who have successfully implemented effective security programs.

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.

New to the CISO role?

As the information technology landscape evolves, the role of a CISO is becoming more challenging, and the expectations of the CIO and overall organization are becoming higher. It is critical for new CISOs to approach the role with a plan to create a robust security architecture and reporting structure that will help them set a strong foundation for the future.

Security and risk questions Gartner can help answer

Much like their CIO counterparts, information security experts operating as CISOs will need to evolve with their roles as the C-suite digitally upskills. Four shifts stand out:

• Delegating tactical or “hands-on” cybersecurity work or risk mitigation to staff or other business leaders, in order to focus on strategic oversight and the implementation of information risk and security planning.
• As the digital dexterity of the CISO’s and CIO’s C-suite counterparts increases, cybersecurity experts are evolving to orchestrate more strategic, distributed digital initiatives.
• Information risk and security leadership is becoming a distributed C-suite responsibility, not just a responsibility of IT management. This has led senior leaders outside of IT to increasingly hire their own technology talent and actively shape digital strategy in order to test and scale digital business ideas.
• Management of digital foundations, including cross-cutting platforms, integration and talent coordination. As decision making becomes more distributed, CISOs and CIOs will have to focus on architecting and managing cross-cutting platforms (e.g., development environments, customer experience, analytics and integration capabilities) and foster common ways of working across distributed fusion teams.

As with many key business functions, effective cybersecurity experts need to hold strong relationships with non-IT stakeholders. The influence of the CISO needs to be understood, respected and adhered to, so cultivating rapport with the management and executives who are responsible for decision making and for implementing security risk strategies is vital.

While tenure in the current role, experience in the current industry and a highly regulated industry all contribute to successful CISO output, the effectiveness of an organization’s CISO can be determined by their ability to execute against a set of four outcomes:

1. Functional leadership: As the leader of the information security function, CISO leadership is imperative in meeting security objectives.

2. Information security service delivery: With virtually every business capability today enabled by technology, CISOs must not only protect their organization, but also help it meet its objectives through the delivery of quality services that support business objectives.

3. Scaled governance: Distributed decision making has expanded the volume and variety of information risk decisions that cyberrisk experts need to support, so CISOs need to be able to scale governance to meet the demand and increase cooperation with information security recommendations.

4. Enterprise responsiveness: In addition to ensuring governance, CISOs must cultivate an environment where decision makers understand and care about information security and consider security implications in their decision making. They must champion the importance of information risk and cybersecurity effectively.

Information security leaders, including the CIO and CISO, need to lead their organizations through digital transformation, but importantly, also need to deliver value throughout that process. Keys to delivering value to the business include:

• Identifying and defining the organization’s appetite for risk through collaboration with business leaders, executives and non-IT decision makers.
• Continually driving business discussions on the evolving digital landscape to stay ahead of potential threats.
• Ensuring business decision makers are aware of current and potential future risks to the organization.
• Proactively engaging in sourcing, implementing and scaling emerging technologies.
• Designing and implementing a strategic succession plan.
• Delegating tactical activities to staff or other stakeholders to reallocate their own time toward strategic planning and risk management.

Gartner is a trusted advisor and an objective resource for more than 14,000 enterprises in 100+ countries.

Learn more about how we can help you achieve your most critical priorities.