
The Hidden Costs of Digital Business and Why I’m Moving to Cyber Security

By Leigh McMullen | October 12, 2022 | 3 Comments


For more than a decade as a Gartner Analyst, I’ve been talking about technology’s ability to transform, first the front office of the enterprise and lately markets, cultures and experiences. What we have witnessed in that time is frankly a miracle of technology-powered growth and innovation.

It is safe to say that digital technologies have enabled enterprises to scale both their value proposition and their effectiveness and efficiency in executing that mission, asymmetrically to any other investments. Or as I posed to the leader of a university recently: Say your board wanted you to grow the student population by 10X while only spending 10% more in budget, how would you do that? Clue: it’s not building more classrooms.

Digital scales asymmetrically; this is well established by now. What we need to come to terms with is that digital also comes with a kaleidoscope of asymmetric threats: CyberWarfare, CyberActivism, CyberCrime or (someone stop me – I’m really doing this) CyberWAC.

And here’s what’s really ‘WACk’ about that (I’ll stop, I promise): these risks and their associated costs factor almost nowhere in day-to-day business decision making. Digital business pioneers build entire business models on the back of collecting customer PII, which turns our data centers into goldmines for hackers. Worse yet, we encourage and enable business practices that increase our customers’ susceptibility to social engineering and phishing attacks.

Today, none of the great ideas digital visionaries have can become real if we don’t get the cyber right.  Which is why I’m making the move from envisioning the future to focusing on how to make it real.  And this (not even I can call it “cyberWAC” again (thank you -ed)) is the defining technology issue of our era, and I don’t believe that it’s unsolvable.

  1. We need to invest in developing an “outside in” understanding of the business, to ensure that our cyber strategies meet business strategy where it is, rather than us chasing it, or worse yet, the business chasing us.
  2. We must focus FIRST on changing mental models, to make awareness of the embedded risks of Digital Business a part of every business decision, and then apply appropriate controls.
  3. We need to focus on our adversaries, understand their intentions and aims, and develop strategies that directly confront those rather than simply try to manage vulnerabilities.

This journey isn’t as new or novel as it might seem. The introduction of moving assembly lines, mass manufacturing, and lean/agile supply chains gives us a clue. We have spent the past 115 years perfecting the management of machine and asset lifecycles and predictive maintenance, and this is not fundamentally different from the discipline of cyber hygiene. It is still just making sure that the means of digital production are available and operating at peak efficiency.

Of course, it is the addition of external threat actors and nation-states that complicates this beyond simple asset lifecycle management, and that is why I’m attracted to this field of research! I look forward to continuing this journey with you and what we discover along the way.





  • Hi Leigh

    This makes a particularly interesting read as we are certainly seeing more and more of our clients starting to ask critical questions like, “Who are our cyber adversaries?” and “How do we understand their ways of working?” amongst other things.

    Ultimately while I agree that there needs to be a granular focus on cyber threat actors, I believe a more imperative focal point is User education. There needs to be more investment in user awareness training, user empowerment and a deliberate drive towards what I call, “Security as a Culture” within organisations.

    Also, while it falls to the CISOs to design the systems, protocols and policies to address security concerns, the ultimate responsibility for cyber-resilience should sit with everyone in the organisation. It’s not enough to “leave it to the technical folks” anymore.

    Once again, great piece.


    • leigh mcmullen says:

      great observation on changing mindsets. I’m thinking about what it means to have people make “great risk aware business decisions”

      I can think of examples like helping people think of ways to design apps not to collect so much PII in the first place.

      but I want to distill a set of principles – thoughts?

  • Raj Badhwar says:

    Hi Leigh,
    Agreed, we need to secure our respective digital transformation and enablement journeys.

    This can be achieved by implementing Zero Trust based security paradigms including but not limited to least privileged conditional (user, device, system, process) access bolstered by continuous authentication, end to end data encryption and network micro segmentation.

    Further, to mitigate the risk of attacks by sophisticated adversaries and advanced malware, we need to improve our capability to detect (and block) anomalous activity on our systems and networks by making the move from supervised to unsupervised AI/ML algorithms (powered by deep learning and neural networks) – this can stop the said attack vectors from reaching our employees, users, and our digitally transformed systems and business processes, thereby protecting them from undue cyber risk.

    While we’re doing this, let’s not forget about staying compliant with security and privacy regulations, and lastly getting the message out that cybersecurity is everyone’s responsibility all the time – this can be achieved by engaging in continuous user awareness and training campaigns which should focus on raising awareness about credential phishing, website spoofing, malware infestation through drive-by download, social engineering attacks and maintaining credential hygiene.

    Yes, the CISOs and their teams of security professionals are on this journey with you and other security researchers and analysts.