Cyber leaders sit at an uncomfortable intersection: protect the business, but don’t slow it down. Enable innovation, but don’t increase risk. Be accountable, but don’t overstep. These expectations seem contradictory. Business units want speed and innovation and the CISO’s job is to help them get there without becoming the “department of no”. “The biggest mindset shift cyber leaders must make is moving away from trying to be the protector of the enterprise to being an enabler for the enterprise,” says Tom Scholtz, distinguished VP analyst at Gartner. That means working with the business’ risk appetite, not against it. For CISOs, it involves building trust with executives, guiding behaviour and letting go of the need for full control. This is why cybersecurity is shifting from a siloed function to a shared responsibility. But many organisations, and their security leaders, are still catching up.
Looking at Gartner’s ‘2025 Strategic Roadmap for Cybersecurity Leadership’ report, Scholtz’ finding is that those in charge of security should work more closely with business units, helping them take ownership of the security risks tied to their own operations. “The ultimate accountability for protecting resources rests with the owners of those resources,” he says. This approach, which Scholtz refers to as “owner accountability”, requires a change in mindset. Here, the CISO takes on the role of advisor, overseeing risk decisions without making every call. It’s a more collaborative model that comes with added risk, but Scholtz sees that as a necessary part of moving faster. “If organisations want to move quickly, they need flexibility in how they comply with policy,” he says.
That flexibility starts with rewriting the rules. Scholtz suggests moving away from policies that mandate specific tools or technologies. Instead, organisations should define security outcomes and allow business units some freedom in how they get there. “You can say every application must have multifactor authentication, but not prescribe the product. That gives the business autonomy without compromising security.” That said, governance still needs to be structured. Scholtz recommends formal risk registers, escalation paths and clear lines of accountability. The framework should be adaptable, but it has to be pragmatic. “You have to work within the culture of your organisation,” he says. “Not every business is ready for owner accountability, so you tailor your approach accordingly.”
Security leaders must stop seeing themselves as the protector of the enterprise and start acting as its enabler.
Tom Scholtz, Gartner
Tiered models can help by splitting responsibility across organisational levels. In high-maturity environments, more risk decisions can be decentralised. In lower maturity ones, security leaders might need to hold stronger controls until teams can take effective decisions on their own. “It’s not one-size-fits-all,” Scholtz says. “You design governance based on the behaviour and culture you have, not the one you wish you had.” He also points out that culture change takes time. “CISOs just don’t have enough authority to unilaterally change the corporate culture of the enterprise,” he says. Influence matters more than control. Scholtz believes that good communication and forming relationships, not formal authority, allows security leaders to create the conditions for accountability to shift.
Changing how organisations manage risk starts with when they engage with it. Scholtz points out that security leaders should be involved in business decisions from the start, and not brought in later as a formality. That includes planning sessions, roadmaps and transformation projects.
“Cybersecurity should be part of the business planning cycle, not an afterthought,” he says. This shift calls for a more deliberate approach to risk, where the goal is not to avoid it entirely, but to weigh it against business outcomes. Cyber leaders should understand the potential cost of acting or not acting, and should be prepared to defend their decision. To make that work, organisations need clear responsibility models and solid processes for escalating concerns. They also need to track decisions over time to avoid repeating the same mistakes.
Gartner data shows that 81% of high-performing CISOs use scenario-based planning to test alignment and governance. It’s a practical way to see whether strategy holds up when things go wrong. “You quickly find out whether your governance model holds up under pressure,” says Scholtz.
Richard Cassidy, EMEA CISO at Rubrik, sees the same need for clarity, particularly in execution. “Threat data is everywhere. What matters is turning it into direction,” he says. Cassidy believes that cyber leaders need to act with speed and precision, especially when dealing with incomplete data. “There’s no luxury for over-analysis. Precision and speed are essential in crisis and strategy alike.”
Despite growing investment in awareness programmes, human error was still the cause of 95% of data breaches in 2024, according to a study by Mimecast. The issue isn’t knowledge; it’s how people act under pressure, distraction or conflicting priorities. That’s why Scholtz argues that cyber leaders need to focus less on awareness and more on behaviour. “Policies alone won’t change how people behave,” he says. “You need to understand what drives decisions at all levels of the organisation.” Even if someone knows the rules, it doesn’t mean they will follow them. Scholtz compares this to neighbourhood speed limits: we know what the law is, but don’t necessarily stick to it. The same gap between knowing and doing shows up in security.
People click through training, but their behaviour doesn’t change, which means that awareness is only the starting point. To change habits, leaders need to understand incentives and pressure points. If product teams are measured on speed to market, they need support that helps them move faster, safely. If HR is leading onboarding, it needs clear responsibility for identity and access. Security has to meet people where they are, which is why Scholtz encourages CISOs to avoid technical jargon and focus on stories that connect security to business goals. What happens if a system goes down for a week, for example? What’s the cost to operations?
“Executives tend to be risk-takers,” adds Scholtz. “Most are glass-half-full people. They’re not glass-half-empty people. So they don’t like negative messages.” His advice is that, instead of painting doomsday scenarios, ask questions that lead people to their own conclusions about risk. Metrics should follow the same logic. Rather than tracking vulnerabilities or patch counts, focus on time to detect and respond, third-party exposure, regulatory readiness and programme maturity. “You have to move beyond the technical,” Scholtz says. “Executives want to see progress that ties to business outcomes.” He also recommends road testing board content with a non-technical executive mentor. That way, CISOs can tune their messaging and stay focused on what actually resonates.
As cyber risk becomes more embedded in business operations, so must responsibility. Security leaders can no longer carry it alone. The teams introducing risk through their decisions need to take greater ownership of managing it. But ownership requires more than awareness. In fact, the same Gartner report found that 93% of employees who engaged in unsecured behaviour already knew it was risky. Knowing the risk isn’t the issue; it’s whether people feel responsible for managing it.
Chris Norton, general manager for Sub-Saharan Africa at Kaspersky, says a strong security culture is one “where security is not just IT’s job, but embedded in every role in the business”. That kind of culture, he says, depends on employees being active participants in protecting the organisation. “A strong culture means employees report threats, question anomalies, and take ownership,” he says. That shift relies on training that speaks to roles, habits and day-to-day decisions, not just policy awareness.
You can’t be everywhere. But your influence can.
Richard Cassidy, Rubrik
Abhishek Kumar, business architect at Cisco, has similar views. He sees the modern cyber leader as a strategist who aligns governance frameworks with enterprise goals, something increasingly important with AI. “You can no longer manage AI in a silo,” he says. “It has to be embedded into your broader governance model.”
Scholtz, from Gartner, says that if business units want to embrace AI to accelerate innovation, they must also be accountable for the risks that come with it. “These technologies do have huge potential, but they also need to understand that if it goes wrong, they are going to be held accountable,” he says. That responsibility needs to be formalised in governance structures, in job descriptions and in how decisions are escalated. Scholtz also stresses the need for clear guardrails around how AI is used. That includes centres of excellence involving IT, security, legal and risk, as well as renewed focus on data governance.
But governance is only half the equation. As organisations adopt AI more widely, the risks aren’t just strategic or procedural, they’re deeply technical. As Rubrik’s Cassidy points out, AI initiatives expand the attack surface and introduce new forms of exposure. He advises security leaders to treat AI data like any other high-value asset. “Your cyber resilience plan must account for protecting the data AI learns from and creates.” That includes fast recovery, tamper-proof backups and anomaly detection that can trigger automated isolation.
“Breaches are inevitable. What defines leadership now is the ability to limit the blast radius, recover fast and keep the business running,” says Cassidy. “Resilience isn’t a fallback, it’s the frontline.” For him, the key is moving from control to influence. He says that embedding secure thinking into how the business operates multiplies resilience far beyond the security team. He also sees trust as the foundation of effective leadership. That includes how you communicate during incidents, how transparently you lead under pressure and how clearly you connect security to business priorities.
Norton adds that many CISOs operate under relentless pressure, with limited space for strategy or reflection. “Boards want clarity and context, not technical noise,” he adds. Sustaining that pace without support can lead to burnout and reactive decision-making. This is why Cassidy believes the future of cyber leadership will be defined not by control, but by how effectively leaders embed security into the way the business thinks and works: “You can’t be everywhere. But your influence can.”
* Article first published on brainstorm.itweb.co.za