Gartner to Security Pros: Start Working with the Business

Security professionals who want to protect security budgets during the downturn need to better align their operations with overall business goals, Gartner said last week. That includes treating users as customers and not as obstacles in the race to implement new security technologies.

During an information security summit in London, Research Vice President Jay Heiser told attendees that Gartner frequently sees security professionals make four risk management mistakes:

  1. Imposing uniform protection and security spending practices across functional units in the organization. "An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection," Heiser wrote in a statement on the topic. "Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk."
  2. Allowing technology versus business needs to drive security plans. "Security professionals have historically made technology-centric investment, implementation, and deployment decisions based on what they believe is required," Heiser wrote. "It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives." In situations where the business manager declines or refuses to participate in prioritizing risk for the business processes within their divisions, Gartner recommends bringing in higher-level managers to mediate.
  3. Using jargon that business people can't understand. Instead of describing security concerns about IT systems, data, and processes using language that only other security and IT professionals will understand, Gartner recommends using a three-level scale--high, medium, and low--to specify priorities for risk management services.
  4. Taking responsibility for risk decisions that really belongs to functional business managers. Frequently, business managers will assume that the IT organization's "standard offering" will address their unit's IT risks. "Such an approach makes the IT organization or the IT security organization the scapegoat for security failures and any consequent reduction in perceived service or flexibility," Heiser wrote. He recommends pushing ownership of the process of aligning risk with business benefits back to the business groups so that they're held accountable for failures in security and continuity in their operations.

"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk, and security service level agreements will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," said Heiser. "The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services."

Heiser has written a Gartner research note, "Four Risk Management Mistakes That Threaten Your Security Budget" ($95), on the topic. Further information can be found here.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • Neon blue security locks with a single red highlight

    With AI, Cybersecurity Focus Shifts from Finding Flaws to Fixing Them

    For decades, one of cybersecurity's biggest challenges has been finding vulnerabilities before attackers do. A growing number of security professionals now say artificial intelligence is changing that equation, shifting the focus from discovering flaws to fixing them quickly enough to prevent exploitation.

  • abstract glowing cube outlines

    Microsoft Positions Windows as a Platform for AI Agents

    The recent Microsoft Build 2026 developer conference highlighted a significant shift in the company's Windows strategy. Rather than presenting artificial intelligence as a collection of standalone features, Microsoft is increasingly positioning Windows as an operating environment for AI agents.

  • interconnected nodes with currency symbols

    Report: Half of Gen AI Projects Could Exceed Budget by 2028

    Organizations may be underestimating the cost of generative AI as they move from experimentation to production, according to Gartner's "10 Best Practices for Optimizing Generative and Agentic AI Costs" report.

  • Teacher meeting parents discussing student progress in classroom

    Michigan's Flint Community Schools Adopts Human-Centered Approach to Fight Chronic Absenteeism

    In an effort to boost enrollment and combat chronic absenteeism, Michigan's Flint Community Schools has partnered with Concentric Educational Solutions to help address the academic, social, emotional, and environmental factors that prevent students from enrolling, re-enrolling, or attending school.