Most organizations aren’t getting the support they need from their chief executives on cybersecurity matters. Our research reveals four areas of focus for CEOs looking to change the game.
The CEO needs to work with the CISO to help employees understand the cybersecurity implications of their decisions. However, about a fifth of surveyed CISOs report little contact with CEOs.
10% of CISOs name the CEO as the position with whom they have the least contact.
21% of CISOs name the CEO among the three positions with whom they have the least contact.
This work begins by hiring the right CISO and empowering the CISO and security teams to create cross-functional units within the business. The CEO, working with the CISO, must also equip employees with the necessary skills and mindset to be attuned to the cybersecurity risks and opportunities that all business decisions present. All members of the organization must understand the cybersecurity implications of their decision-making.
“To be a successful CISO, you need to understand the business you’re operating in and get behind what the business wants to do,” said Nicola O’Connor, chief information security and IT risk officer at AIB, in a recent PwC-hosted roundtable discussion.
The CEO can raise the priority level of cyber in two concrete ways: by simplifying the enterprise and by making cybersecurity a factor in strategy development.
The companies represented in our survey that had the best cybersecurity outcomes over the past two years were five times more likely than others to have streamlined operations enterprise-wide—work that included reorganizing functions and ways of working (59%) and creating an integrated data governance framework (58%). These companies also prioritize cybersecurity by using technology solutions to measure risk continually.
At the strategic level, CEOs can incorporate their commitment to cybersecurity into decision-making processes. For example, many organizations might consider cybersecurity risks as part of an M&A review, but how many of them would actually walk away from a deal because the acquired company would introduce such a risk? And how many companies would delay a product launch until key cyber vulnerabilities were fixed? How many would question whether entering a new market would open the company to new and potentially devastating cyber-threats?
Technological change is outpacing the institutional capacity of many IT organizations to adapt to it. Therefore, the CEO must create a culture in which companies move fast—but with a commitment to managing risk.
CEOs must recognize the cyber perception gap that might exist, particularly when it comes to their supply chains. Only 40% of companies we surveyed thoroughly understand their third-party cybersecurity and privacy risks, while companies that had the best cybersecurity outcomes over the past two years are 11 times more likely to claim the same.
Gina McIntyre, CEO of the Special EU Programmes Body, a cross-border entity between the UK and Ireland, believes companies must grasp the human element of cyber defense, especially throughout their supply chains. That means ensuring every partner has trained staff to act with vigilance. “Your biggest vulnerability is going to be that one human being clicking on something that they should not click,” she said in a recent PwC webinar.
Led by the CEO, the leading companies we’ve looked at focus on consolidating the number of third parties with whom they do business, recognizing that the uncontrolled evolution of the supply chain has created risk through unnecessary complexity. They also simplify their own organizations.
Swiss Reinsurance Company, commonly known as Swiss Re, had three different finance systems for three different business units—with each business unit implementing its own technology solutions for specific needs—before opting to simplify. Those technology solutions would then be integrated into company-wide systems. The challenge, according to Philipp Krayenbuehl, global chief security officer for Swiss Re, is that each integration point and interface incurs costs from an infrastructural point of view and in terms of security. This applies to technology platforms in general and to cybersecurity tools in particular. In addition, maintaining such complex environments becomes increasingly difficult, particularly when it comes to security vulnerabilities.
Although the four Ps are by no means exhaustive, we believe the framework provides a good starting point for CEOs to negotiate the era that lies ahead. The continued growth of the digital economy depends on the ability of the CEO to participate in building an effective cybersecurity strategy, increase cyber literacy, and lead the organization through all kinds of cyber-threat challenges, while pursuing opportunities to create competitive differentiation. We’re under no illusion that this is an easy task for today’s CEOs, who increasingly must be proficient across a wide set of paradoxical characteristics to succeed in the post-pandemic era. But we believe those leaders who embrace their cybersecurity leadership role will become the champions of the digital age.