<p>While cybersecurity incidents are inevitable, they’re rarely existential threats, according to Will Candrick, analyst at Gartner, who discussed shifting cyber-risk appetites during a session at the firm’s 2026 Security and Risk Management Summit.</p>
<p>“In the long run, the likelihood of having an incident is 100%,” Candrick said, adding that it’s not a question of <i>if</i> it happens but <i>when</i>. In most cases, however, fallout is short-lived. “The impact, as painful and immediate as it may be, is disruptive but typically fleeting.”</p>
<p>For years, enterprises have suffered blistering data breaches and, in most cases, have bounced back. C-suite attitudes toward cybersecurity incidents are shifting to reflect that reality, according to Gartner, with executives becoming accustomed to the occasional cyberattack. A recent <a href="https://www.gartner.com/en/newsroom/press-releases/2025-11-24-gartner-survey-finds-90-percent-of-non-executive-directors-lack-a-measure-of-confidence-in-cybersecurity-value">survey</a> found 71% of board members are now willing to accept greater cyber-risk to achieve their business goals. For CISOs, that likely means less fear-based spending on security controls — but also opportunities to modernize their roles to align with enterprise needs.</p>
<section class="section main-article-chapter" data-menu-title="The security drag">
<h2 class="section-title"><i class="icon" data-icon="1"></i>The security drag</h2>
<p>While security’s goal is to protect the business, Candrick said, some security investments disproportionately harm it.</p>
<p>Looking strictly at the cost-benefit ratio of a company’s cybersecurity function, a business leader could easily argue that tighter controls have failed to keep threat actors out, while those same controls have caused business friction that stifles innovation, such as <a href="https://www.techtarget.com/searchenterpriseai/tip/Integrate-and-modernize-legacy-systems-with-AI">AI integration</a>.</p>
<p>“More security is actually not the answer, because more security does not mean better business outcomes,” Candrick added. “Instead, more security means more business cost, slower speed to market, stalled innovation, dated AI tools, more red tape, excessive fear-mongering and drained productivity.”</p>
<p>As corporate directors accept the inevitability of security incidents and prioritize other business objectives over cyber-risk management, security leaders might find their budgets and influence dwindle. On the other hand, Candrick added, the shifting dynamic also offers an opportunity to realign the CISO role with the strategic goals of the enterprise.</p>
</section>
<section class="section main-article-chapter" data-menu-title="A new mandate for CISOs">
<h2 class="section-title"><i class="icon" data-icon="1"></i>A new mandate for CISOs</h2>
<p>Gartner suggests a wholesale <a href="https://www.techtarget.com/searchsecurity/tip/The-CISO-evolution-From-security-gatekeeper-to-strategic-leader">transformation of the CISO’s role</a>, maintaining that security leaders will, going forward, need to <a href="https://www.techtarget.com/searchsecurity/tip/To-maximize-their-influence-CISOs-need-diverse-skills">lead with business acumen</a>, not technical expertise.</p>
<p>“Cybersecurity’s new mandate is to more holistically minimize harm and impact to the business before, during and after a cyberattack,” Candrick said. “As opposed to maximizing outright prevention, which of course is not achievable no matter how much we spend.”</p>
<blockquote class="main-article-pullquote">
<div class="main-article-pullquote-inner">
<figure>
Cybersecurity’s new mandate is to more holistically minimize harm and impact to the business before, during and after a cyberattack.
</figure>
<figcaption>
<strong>Will Candrick, senior director analyst, Gartner</strong>
</figcaption>
<i class="icon" data-icon="z"></i>
</div>
</blockquote>
<p>CISO performance indicators, he suggested, should include the following:</p>
<ul class="default-list">
<li><a href="https://www.techtarget.com/searchdatabackup/feature/The-cost-of-downtime-and-how-businesses-can-avoid-it">Reducing outages</a>.</li>
<li><a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity-insurance-cybersecurity-liability-insurance">Limiting liability</a>.</li>
<li><a href="https://www.techtarget.com/searchdatabackup/tip/Use-geo-redundant-backups-for-long-distance-data-protection">Building redundancies</a>.</li>
<li>Boosting revenue.</li>