CISO role changes as cyber-risk appetites in the C-suite grow
As cybersecurity fears in the C-suite wane, the cyber-risk appetites of executives and boards are changing. Find out what it means for cybersecurity spending and the CISO role.
While cybersecurity incidents are inevitable, they're rarely existential threats, according to Will Candrick, analyst at Gartner, who discussed shifting cyber-risk appetites during a session at the firm's 2026 Security and Risk Management Summit.
"In the long run, the likelihood of having an incident is 100%," Candrick said, adding that it's not a question of if it happens but when. In most cases, however, fallout is short-lived. "The impact, as painful and immediate as it may be, is disruptive but typically fleeting."
For years, enterprises have suffered blistering data breaches and, in most cases, have bounced back. C-suite attitudes toward cybersecurity incidents are shifting to reflect that reality, according to Gartner, with executives becoming accustomed to the occasional cyberattack. A recent survey found 71% of board members are now willing to accept greater cyber-risk to achieve their business goals. For CISOs, that likely means less fear-based spending on security controls -- but also opportunities to modernize their roles to align with enterprise needs.
The security drag
While security's goal is to protect the business, Candrick said, some security investments disproportionately harm it.
Looking strictly at the cost-benefit ratio of a company's cybersecurity function, a business leader could easily argue that tighter controls have failed to keep threat actors out, while those same controls have caused business friction that stifles innovation, such as AI integration.
"More security is actually not the answer, because more security does not mean better business outcomes," Candrick added. "Instead, more security means more business cost, slower speed to market, stalled innovation, dated AI tools, more red tape, excessive fear-mongering and drained productivity."
As corporate directors accept the inevitability of security incidents and prioritize other business objectives over cyber-risk management, security leaders might find their budgets and influence dwindle. On the other hand, Candrick added, the shifting dynamic also offers an opportunity to realign the CISO role with the strategic goals of the enterprise.
"Cybersecurity's new mandate is to more holistically minimize harm and impact to the business before, during and after a cyberattack," Candrick said. "As opposed to maximizing outright prevention, which of course is not achievable no matter how much we spend."
CISO performance indicators, he suggested, should include the following:
For many CISOs, this represents a broader set of responsibilities and leadership skills. The shift in mindset from cyberdefense to business resilience will take some getting used to. They'll need to reframe the idea of cybersecurity controls as both a defensive measure and a business cost that requires trade-offs.
To begin, Candrick recommends that CISOs prioritize the following:
Identify the business processes that drive profit centers.