How can CEOs make a difference to your organization?

Globally, chief executives at companies that have had the best cybersecurity outcomes over the past two years are 14x more likely to provide significant and broad support to cybersecurity.

Multiplying the effect through simplification

Our 2022 Canadian Digital Trust Insights survey reveals how simplifying business processes and operations can have a “multiplier” effect on security and privacy. Here are the four Ps for CEOs to realize their full cyber potential, as exemplified by the most advanced and most improved organizations, which employ them all.

  • Principle. The CEO must articulate an explicit, unambiguous foundational principle establishing security and privacy as a business imperative.
  • People. Hire the right leader and let your CISO and security teams connect with the business teams. Your people can be vanguards of simplification even as you build “good complexity” in the business.
  • Prioritization. Your risks continually change as your digital ambitions rise. Use data and intelligence to measure your risks continually as well.
  • Perception. You can’t secure what you can’t see. Uncover blind spots in your relationships and supply chains.

As common sense as these precepts and practices might seem, they’re not commonplace. Only the top 10% have adopted them and they also report making significant progress toward their cyber objectives during the past two years. On the other hand, many enterprises continue to struggle amid risky, runaway, befuddling complexity. Bad habits are often why:

  • Using many tech solutions that, too often, don’t even work together.
  • Not coordinating the work of various functions on resilience or third-party risk management.
  • Not creating and adhering to processes for dealing with data (governance).
  • Not speaking in the language of business when talking about cyber.

The good thing, however, is that bad habits can be broken. And CEOs can help develop new habits of coordination and collaboration among all functions, business and tech, for an organization that’s simply secure.

Cyber has got CEOs’ attention, but are they taking action?

The findings from our survey suggest an “expectations gap” for cyber. Globally, CEOs perceive themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams perceive them to be.

Many global CEOs self-identify as engaged and strategic in their approaches to cyber. Our CEO respondents indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model and future strategy.

Other executives don’t view things in quite the same way. Global non-CEOs rated their CEOs as more reactive than proactive regarding cybersecurity. They say the chief executive is most likely to take part in cyber and privacy matters after a company breach or when contacted by regulators—not before. We’ve heard the same narrative here in Canada.


Executives see CEOs getting involved in cyber when a crisis strikes, but CEOs think they’re more engaged

Rank in CEO view and in non-CEO view

Reactive CEO
  • After a major cyber breach or attack occurs in the organization (CEO view: 3; non-CEO view: 1)
  • After a major cyber breach or attack occurs in the industry (CEO view: 5; non-CEO view: 6)
  • When regulators contact our organization for cyber incident reporting, matters requiring attention or enforcement action (CEO view: 2; non-CEO view: 2)

Engaged CEO
  • When the key metrics of cyber are discussed at the board level (CEO view: 7; non-CEO view: 3)
  • When the cyber and privacy implications of M&A activity are discussed (CEO view: 8; non-CEO view: 8)
  • When the cyber and privacy implications of a major operating model change are discussed (CEO view: 1; non-CEO view: 5)

Strategic CEO
  • When the cyber and privacy implications of a new business initiative, whether digital or not, are discussed (CEO view: 6; non-CEO view: 7)
  • When the cyber and privacy implications of future strategy are discussed (CEO view: 4; non-CEO view: 4)

Question: On which of the following cyber and privacy matters would you/your CEO become personally involved? Rank them in order.
Base: Global CEO respondents: 673; global non-CEO respondents: 2,929
Source: PwC, 2022 Global Digital Trust Insights, October 2021

How much support does the CEO provide CISO leadership?

CEOs matter. CEOs in our “most improved” group (those with the best cybersecurity outcomes over the past two years) of global respondents are 14x more likely to provide significant support across all categories. Similarly, the non-CEOs in the most improved group are 12x more likely to say their CEOs provide that significant boost.

It’s a storyline we’ve also seen in Canada: the CEO’s engagement and support wield long-term importance.

Globally, executives in most regions and industries say the most important act for a more secure digital society by 2030 is educating CEOs and boards so they can better fulfill their cyber duties and responsibilities. We believe this to be true for Canada as well.

It’s time to close the expectations gap between the chief executives and the others in the C-suite regarding the level of CEO involvement and support of cybersecurity. Things seem to be headed in the right direction. Interactions with the CEO on cyber matters have increased significantly in the past two years, according to 46% of our global survey respondents.


Global CEOs believe they give “significant” cyber support, but only 3 in 10 global executives agree


Areas of support compared (CEO and non-CEO responses):

  • Ensure adequate resources and funding, and sufficient priority
  • Connect with confidence with customers and business partners
  • Embed cyber and privacy in key operations and decisions of the organization
  • Reduce uncertainty around arising cyber risks for investors
  • Inspire the security team and increase their professional satisfaction
  • Clarify roles and responsibilities for cross-functional teaming on cyber
  • Create a cyber-proficient culture throughout the organization
  • Clarify positions when there are tensions and conflicts among competing values

Question: What level of support do you/does your CEO provide your cyber leadership to accomplish the following?
Base: Global CEO respondents: 673; global non-CEO respondents: 2,929
Source: PwC, 2022 Global Digital Trust Insights, October 2021

CEOs and other executives agree on the changing cyber mission

When asked how CEOs frame the cyber mission in their organization, more than half (54%) of the CEOs globally chose bigger-picture, growth-related objectives from their security team, as opposed to narrower, shorter-term expectations. And we know Canadian CEOs feel the same way: in our most recent CEO Survey—Canadian insights, they identified cyber as the top threat to growth, even ahead of the pandemic.

Global non-CEOs echoed this mindset. In both groups, “a way to establish trust with our customers with respect to how we use their data ethically and protect their data” was the number-one cyber mission choice.

CEOs really do set the tone for the rest of the organization.

CEOs and non-CEOs name similar top goals for cyber in the next three years. These objectives mirror the famous Maslow’s hierarchy of needs, with prevention as the baseline, or most important; resilience coming next; followed by trust (including consumer trust). Protection, resilience and trust comprise the three legs of the cybersecurity stool, each important for the security of the business overall.

Cybersecurity’s mission is shifting to developing trust and business growth

Narrow framing of mission and expectations from security team: 45%
  • 17%: The way to put controls throughout the organization to prevent serious cyber disruptions
  • 16%: A way of operating so the organization responds faster to threats and emerges stronger from disruptions
  • 6%: A cost of doing business and a necessary evil
  • 6%: A way to avoid getting in trouble with regulators

Bigger picture: Growth-related framing of mission and expectations: 55%
  • 20%: A way to establish trust with our customers, with respect to how we use their data ethically and protect their data
  • 13%: A way for our business to compete better and grow, on the basis of trust
  • 12%: A way of operating so the organization is harder for threat actors to attack
  • 10%: The way to expedite the digital transformation of our organization

Question: Which of the following best describes how you/your CEO frames the cybersecurity mission to your organization?
Base: Global CEO respondents: 673; global non-CEO respondents: 2,929
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Takeaways

For the CEO

  • Frame cybersecurity as important to business growth and customer trust—not just defence and controls—to create a security mindset organization-wide.
  • Empower your CISO to carry out the cybersecurity mission, voicing support and providing resources for secure-by-design, secure-by-default processes and giving them the platform to speak outside the organization to customers and investors about digital trust initiatives.
  • Reinforce a zero-tolerance mentality for complexity by modifying elements of the company’s business and/or operating models to make the company easier to secure.

For the CISO

  • Familiarize yourself with your organization’s business strategy and clearly link cybersecurity to strategic imperatives.
  • Move out of the technology trenches and broaden your outreach beyond CIO/CTO relationships to include the CEO, CFO, CMO and COO.
  • Equip yourself with the skills you need to thrive in the evolving, expanding role for cyber in business. And reorient your teams, if you haven’t already, toward customer trust and business value creation.