Shifting Perspectives on Cybersecurity Risks: A Deep Dive into Gartner’s Insights
During the 2026 Security and Risk Management Summit, Will Candrick, an analyst at Gartner, provided illuminating insights on the evolving landscape of cybersecurity. He asserted that while cybersecurity incidents are a certainty in today’s digital world, they seldom pose existential threats to organizations. Candrick’s remarks highlighted a critical shift in the perception of cyber risks among corporate leaders, suggesting that adapting to these risks is now a fundamental part of modern business strategy.
Candrick emphasized the inevitability of cybersecurity incidents, stating, "The likelihood of having an incident is 100%." He explained that for organizations the question is not whether an incident will occur, but when. Despite the potential severity of these incidents, he noted that their impact is often temporary. "The fallout, as painful and immediate as it may be, is disruptive but typically fleeting," he remarked.
For years, organizations have grappled with significant data breaches. Despite these challenges, many have demonstrated resilience and an ability to rebound. This resilience has influenced C-suite attitudes toward cybersecurity, with Gartner finding that executives are increasingly acclimatized to periodic cyberattacks. A recent survey indicated that 71% of board members are now inclined to accept greater cyber risks to meet their business objectives. This shift in mindset may lead to a reduced emphasis on fear-driven spending on security measures, presenting an opportunity for Chief Information Security Officers (CISOs) to redefine their roles and better align with the overarching needs of their enterprises.
The Burden of Security: A Double-Edged Sword
Candrick shed light on a critical challenge within corporate cybersecurity strategies: the balance between security measures and business efficiency. He pointed out that while the aim of security is to protect the business, some security investments can inadvertently hamper growth and innovation. By weighing the cost-benefit ratio of cybersecurity investments, business leaders might conclude that increased controls do not necessarily enhance security. In many instances, tighter security measures can create friction that stifles innovation, particularly in areas such as artificial intelligence integration.
"More security is not the answer," Candrick stated emphatically. He argued that while robust security is vital, an excess of it can lead to increased business costs, slower market response times, inhibited innovation, outdated technological tools, and ultimately drained productivity. As directors begin to realize the inevitability of cybersecurity incidents, they may prioritize operational objectives over extensive cyber-risk management. This changing dynamic could lead to reduced budgets and influence for security leaders, although it also opens avenues for CISOs to redefine their roles in line with enterprise strategy.
A Transformative Directive for CISOs
In light of these shifts, Gartner has proposed a comprehensive transformation of the CISO’s role within organizations. Candrick asserted that security leaders need to focus more on business acumen rather than solely technical knowledge. He highlighted that "Cybersecurity’s new mandate is to more holistically minimize harm and impact to the business before, during, and after a cyberattack." This approach demands a shift from an emphasis on maximizing prevention—which is practically unachievable regardless of how much is spent—towards effectively managing and mitigating the repercussions of cyber incidents.
To this end, Candrick suggested that performance metrics for CISOs take on a broader scope. This evolution in responsibilities signals that resilience, rather than sheer defensive power, will become the primary focus of cybersecurity strategies moving forward. CISOs will soon find themselves reframing their understanding of cybersecurity measures, recognizing that these controls represent both a defense mechanism and a necessary business cost that demands careful consideration of trade-offs.
Candrick further projected that by 2028, business acumen will emerge as the defining differentiator for high-performing CISOs operating within the C-suite. As the cybersecurity landscape continues to evolve, the call for security leaders to integrate more deeply with business objectives has never been more pronounced.
As organizations navigate this complex terrain, the ability of CISOs to adapt and embrace their new strategic roles will be crucial to fostering resilience and ensuring that businesses can not only survive but thrive in the face of inevitable cyber threats.
