
Gartner: Use Minimum Effective Mindset for Maximum Impact

Gartner Analysts Dispel Myths Holding Back Cybersecurity Leaders
Deepti Gopal, director analyst at Gartner, and Oscar Isaka, senior director analyst at Gartner, delivering the keynote at the Gartner Security & Risk Management Summit in Mumbai

The recent Gartner Security & Risk Management Summit in Mumbai centered on the theme of cybersecurity delivering business value, emphasizing practitioners' efforts to achieve maximum impact with minimal effort.


Oscar Isaka, senior director analyst at Gartner, and Deepti Gopal, director analyst at Gartner, in their keynote, debunked four common security myths that hinder the effectiveness of security teams led by CISOs.

Myth 1: More Risk Analysis Equals Better Protection

Maximum impact is not merely about defending the organization but about visibly accelerating toward the goal, Gopal said. A Gartner study found that 73% of CISOs experienced burnout due to excessive workload.

"We usually put in maximum effort, which causes us to fall short of the goal of creating maximum impact. It works against us," Gopal said. "Cybersecurity must be sustainable. This means minimum inputs and moving away from the approach of applying maximum effort everywhere. We need to be ruthless about where we apply our finite resources."

Reality: Minimum Effective Insight Equals Better Protection

Isaka and Gopal recommended identifying the least amount of information needed to assess an enterprise's cybersecurity funding and the number of vulnerabilities it addresses.

"Instead of continuing to pursue more data and analysis, CISOs must adopt a minimum effective insight approach to maximize the impact of cybersecurity for the business. This mindset promotes the delivery of maximum impact," Gopal said.

Cybersecurity leaders are tasked with managing and quantifying cyber risks; however, Isaka said, only 36% of CISOs reported that their cyber-risk quantification led to actionable outcomes.

Outcome-driven metrics, or ODMs, can offer minimum effective insight to support business-driven cyber decisions and investments, Isaka said.

Myth 2: More Tools Equals Better Protection

It is a myth that more tools equal better protection. CISOs often find themselves in a "gear acquisition mindset" when what they truly need to focus on is adopting a "minimum effective toolset."

With cybersecurity vendors offering solutions to almost every security challenge, CISOs often invest in a plethora of best-of-breed tools. That leads to increased complexity and requires maximum effort to manage all those tools.

According to Gartner, vendors have taken note, and 75% are working toward consolidation.

(Image: source Gartner)

Reality: More Tools Do Not Result in Better Protection

"Even with all this technology spending, most organizations still feel that they are inadequately protected," Gopal said. "The reality is more tools lead to more effort."

Gartner advises CISOs to increase visibility and reduce the "human tax" - the effort that goes into managing technologies. CISOs should make interoperability and adaptability design principles for their technology, and a minimum effective toolset must rely on fewer technologies to observe, defend and respond to exploitation of the enterprise's exposures.

Myth 3: More Cyber Pros Equals Better Protection

Gartner found that there is a global shortage of 3.4 million skilled cybersecurity experts, and CISOs are struggling to bridge the demand-supply gap. The impact of the global cybersecurity skills shortage is multifold (see image). The solution is to train and empower the existing workforce.

(Image: source Gartner)

"Develop minimum effective expertise that involves providing employees with the necessary expertise and technology to enable them to make risk-informed decisions independently," Gopal said.

Reality: Skills Gap Demands Workforce Development

According to Gartner, minimum effective expertise is about building only as much expertise as non-tech professionals require. Alternatively, organizations should rethink their recruitment strategies and train existing talent on technologies such as generative AI.

Security solutions providers are embedding generative AI interfaces into their products, allowing non-IT users to input questions in natural language. Some products are equipped to act autonomously to block the spread of threats.

Gartner encouraged businesses to use cyber judgement to help employees make cyber-risk-informed decisions autonomously.

(Image: source Gartner)

Myth 4: More Control Equals Better Protection

More control does not necessarily offer better protection. Employees often breach security policies inadvertently in various ways (see image below). This is internal friction that organizations have to contend with.

"CISOs must adopt a minimum effective friction approach to balancing controls, minimizing the friction on user experience and productivity," Gopal said.

Reality: Optimal Protection Requires Security Awareness

More investment is needed to create cybersecurity awareness. Presently, just 5% - 10% of the cybersecurity budget is dedicated to creating cybersecurity awareness.

According to Gartner, minimum effective friction balances control efficacy against any negative impact on user experience. It is a balance between maximum friction (tight security controls that hold back user productivity) and zero friction (exponential and unstoppable attack surface expansion).

(Image: source Gartner)

Isaka and Gopal underscored the importance of strategic decision-making, effective resource allocation, and continuous adaptation for resilient cybersecurity frameworks that deliver tangible business value.


About the Author

Brian Pereira

Sr. Director - Editorial, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.
