Our 2022 Canadian Digital Trust Insights survey reveals how simplifying business processes and operations can have a “multiplier” effect on security and privacy. Here are the four Ps for CEOs to realize their full cyber potential, as exemplified by the most advanced and most improved organizations, which employ them all.
As common sense as these precepts and practices might seem, they’re not commonplace. Only the top 10% have adopted them and they also report making significant progress toward their cyber objectives during the past two years. On the other hand, many enterprises continue to struggle amid risky, runaway, befuddling complexity. Bad habits are often why: Using many tech solutions that, too often, don’t even work together. Not coordinating the work of various functions on resilience or third-party risk management. Not creating and adhering to processes for dealing with data (governance). Not speaking in the language of business when talking about cyber.
The good thing, however, is that bad habits can be broken. And CEOs can help develop new habits of coordination and collaboration among all functions, business and tech, for an organization that’s simply secure.
The findings from our survey suggest an “expectations gap” for cyber. Globally, CEOs perceive they’re more involved in, and supportive of, setting and achieving cyber goals than their teams do.
Many global CEOs self-identify as engaged and strategic in their approaches to cyber. Our CEO respondents indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model and future strategy.
Other executives don’t view things in quite the same way. Global non-CEOs rated their CEOs as more reactive than proactive regarding cybersecurity. They say the chief executive is most likely to take part in cyber and privacy matters after a company breach or when contacted by regulators—not before. We’ve heard the same narrative here in Canada.
|After a major cyber breach or attack occurs in the organization||3||1|
|When regulators contact our organization for cyber incident reporting, matters requiring attention or enforcement action||2||2|
|When the key metrics of cyber are discussed at the board level||7||3|
|When the cyber and privacy implications of M&A activity are discussed||8||8|
|When the cyber and privacy implications of a major operating model change are discussed||1||5|
|When the cyber and privacy implications of a new business initiative, whether digital or not, are discussed||6||7|
|When the cyber and privacy implications of future strategy are discussed||4||4|
CEOs matter. CEOs in our “most improved” group (those with the best cybersecurity outcomes over the past two years) of global respondents are 14x more likely to provide significant support across all categories. Similarly, the non-CEOs in the most improved group are 12x more likely to say their CEOs provide that significant boost.
It’s a storyline we’ve also seen in Canada: the CEO’s engagement and support wield long-term importance.
Globally, executives in most regions and industries say the most important act for a more secure digital society by 2030 is educating CEOs and boards so they can better fulfill their cyber duties and responsibilities. We believe this to be true for Canada as well.
It’s time to close the expectations gap between the chief executives and the others in the C-suite regarding the level of CEO involvement and support of cybersecurity. Things seem to be headed in the right direction. Interactions with the CEO on cyber matters have increased significantly in the past two years, according to 46% of our global survey respondents.
When asked how CEOs frame the cyber mission in their organization, more than half (54%) of the CEOs globally chose bigger-picture, growth-related objectives from their security team, as opposed to narrower, shorter-term expectations. And we know Canadian CEOs feel the same way: in our most recent CEO Survey—Canadian insights, they identified cyber as the top threat to growth, even ahead of the pandemic.
Global non-CEOs echoed this mindset. In both groups, “a way to establish trust with our customers with respect to how we use their data ethically and protect their data” was the number-one cyber mission choice.
CEOs really do set the tone for the rest of the organization.
CEOs and non-CEOs name similar top goals for cyber in the next three years. These objectives mirror the famous Maslow’s hierarchy of needs, with prevention as the baseline, or most important; resilience coming next; followed by trust (including consumer trust). Protection, resilience and trust comprise the three legs of the cybersecurity stool, each important for the security of the business overall.
|Narrow framing of mission and expectations from security team|
|17%||The way to put controls throughout the organization to prevent serious cyber disruptions|
|16%||A way of operating so the organization responds faster to threats and emerges stronger from disruptions|
|6%||A cost of doing business and a necessary evil|
|6%||A way to avoid getting in trouble with regulators|
|Bigger picture: Growth-related framing of mission and expectations|
|20%||A way to establish trust with our customers, with respect to how we use their data ethically and protect their data|
|13%||A way for our business to compete better and grow, on the basis of trust|
|12%||A way of operating so the organization is harder for threat actors to attack|
|10%||The way to expedite the digital transformation of our organization|