The cyberleader the business actually needs
What happens when those responsible for protecting the business from threats start showing how it’s done?
01 July 2025
Cyber leaders sit at an uncomfortable intersection: protect the business, but don’t slow it down. Enable innovation, but don’t increase risk. Be accountable, but don’t overstep. These expectations seem contradictory. Business units want speed and innovation and the CISO’s job is to help them get there without becoming the “department of no”. “The biggest mindset shift cyber leaders must make is moving away from trying to be the protector of the enterprise to being an enabler for the enterprise,” says Tom Scholtz, distinguished VP analyst at Gartner. That means working with the business’ risk appetite, not against it. For CISOs, it involves building trust with executives, guiding behaviour and letting go of the need for full control. This is why cybersecurity is shifting from a siloed function to a shared responsibility. But many organisations, and their security leaders, are still catching up.
Looking at Gartner’s ‘2025 Strategic Roadmap for Cybersecurity Leadership’ report, Scholtz’ finding is that those in charge of security should work more closely with business units, helping them take ownership of the security risks tied to their own operations. “The ultimate accountability for protecting resources rests with the owners of those resources,” he says. This approach, which Scholtz refers to as “owner accountability”, requires a change in mindset. Here, the CISO takes on the role of advisor, overseeing risk decisions without making every call. It’s a more collaborative model that comes with added risk, but Scholtz sees that as a necessary part of moving faster. “If organisations want to move quickly, they need flexibility in how they comply with policy,” he says.