Can the CEO make a difference to your organisation’s cybersecurity?

Cyber has got CEOs’ attention, but are they taking action?

Chief executives cited cyber threats as the number-two risk to business prospects in PwC’s 24th Annual Global CEO Survey — topped only by pandemics and other health crises. In North America and Western Europe, cyber was number one.

Our findings from the 2022 Global Digital Trust Insights Survey suggest an “expectations gap” for cyber, with CEOs perceiving that they are more involved in, and supportive of, setting and achieving cyber goals than their teams do. A persistent gap can spell disaster if it instills a false sense of security company-wide, given the CEO’s leading role in defining an organisation's culture.

How involved are CEOs in cyber? We asked nearly 700 CEOs and 2,900 other C-suite execs. Among our respondents, CEOs tend to see themselves as more involved in cybersecurity than others in the organisation do.

Many CEOs self-identify as engaged and strategic in their approaches to cyber. Our CEO respondents indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model, and future strategy.

Other executives don’t view things in quite the same way. Non-CEOs rated their CEOs as more reactive than proactive regarding cybersecurity. They say the chief executive is most likely to take part in cyber and privacy matters after a company breach or when contacted by regulators — not before.

Executives see CEOs getting involved in cyber when a crisis strikes. CEOs think they are more engaged.

CEOs and non-CEOs name similar top goals for cyber in the next three years. These objectives mirror the famous Maslow’s hierarchy of needs, with prevention as the baseline, or most important; resilience coming next; followed by trust (including consumer trust: “improved customer experience” and “higher customer loyalty” rank fifth and seventh, respectively). Protection, resilience and trust comprise the three legs of the cybersecurity stool, each important for the security of the business overall.

Top goals are:

• Increased prevention of successful attacks (this ranks number three in the energy and utilities sector)

• Faster response times to incidents and disruptions

• Improved confidence of leaders in the organisation’s ability to manage present and future threats (number one in energy, utilities, and resources)

The top 10% that are “most advanced” in cyber practices or “most improved” on cyber outcomes are in a good position. But the majority overall — 63% of organisations — don’t get the kind of support they need from their CEO. The fact is, both the CEO and CISO need to work together better to benefit the company.

CEO: How much should you be involved in your organisation’s cybersecurity — without taking on undue burden?

A powerful CEO move: making an explicit statement establishing an imperative for security and privacy organisation-wide. In some cases, the organisation’s mission statement is already implicitly supportive, such as Liberty Mutual’s mission statement to “help people live safer, more secure lives.” Red Bull’s dedication to distinguished products and services gives its CISO the mandate to make security an integral part of the product and service quality delivered to customers.

A related CEO imperative: empowering your CISO to carry out the cybersecurity mission, voicing support and providing resources for secure-by-design, secure-by-default processes. Some may add the CISO to the C-suite. Others may help the CISO communicate more with the board or revamp the enterprise’s structure to embed security staff on business teams. Empowering CISOs may also mean giving them the platform to speak outside the organisation to customers about its security and privacy initiatives, as a trust officer would.

This period of great complexity in the business world demands a third CEO imperative. The CEO must modify certain elements of the company’s business and/or operating models to make the company “simply secure” when the security team identifies wasteful habits. For example, in the name of speed, a “get to market first, fix security later” mindset prevails. Companies aren’t fully mitigating remote work risks. Business units often buy technologies and contract with third parties autonomously. Cybersecurity is too often an afterthought in cloud adoption or transformation.

By taking action, the CEO reinforces a zero-tolerance mentality for complexity that gets in the way of security.

CISO: How well do you understand the business? How connected are you with leaders on the business side?

For an organisation that’s simply secure, CISOs must move out of the technology trenches and broaden their outreach — learning from the CFO how to talk about the financial implications of risk, for example, in a language the board understands, or working with the product manager to devise developer-friendly ways to secure applications.

This change may require a mindset shift for many CISOs. CISOs interact most frequently with the CIO and chief technology officer, our survey shows, and least frequently with the chief marketing officer and product management leader. The CFO also ranks low on the interactions list. CISO will need to spend more time with these business partners to begin to speak their language and better understand their business imperatives.

More than 21% placed the CEO among the three positions with whom they least come in contact; some 10% placed the CEO at the very bottom of the list. The CEO-CISO divide is widest in Europe: 27% of CISOs in western Europe and 28% in eastern Europe placed their chief executive among the bottom three with whom they interact, followed by Asia Pacific (21%) and North America (19%).