Digital Disruption
How CEOs can pass the cybersecurity leadership test
Most organizations aren’t getting the support they need from their chief executives on cybersecurity matters. Our research reveals four areas of focus for CEOs looking to change the game.
If you’re a CEO today, your organization fits in one of two categories: companies that have suffered a serious cyber breach, and companies that haven’t but are worried they’ll be next. The ranks of the former and the vulnerability of the latter have grown with the pandemic.
In reaction to COVID-19 responses and subsequent behavioral shifts, many organizations compressed what would have been years of digital transformation into months, potentially reshaping their cybersecurity risk profile. Cyberattacks increased globally as people migrated online, which overwhelmed already-strained IT departments and disrupted millions of new users of remote-work technology. Some organizations, faced with supply-chain interruption, resorted to alternative suppliers whose suboptimal cybersecurity practices opened new avenues of attack.
A company’s key stakeholders—shareholders, customers, and employees—have come to equate any security breach to a breach of trust, and building and keeping trust is the foremost job of the CEO. To pass this cybersecurity leadership test, chief executives must play active, engaged, and continuous leadership roles. They must be a trusted partner of their chief information security officer (CISO), chief information officer (CIO), and chief technology officer (CTO), while ensuring that everyone in the organization is accountable, driving tangible value, and using trust and purpose to frame the cyber mission. The problem: few are actually doing so.
As part of PwC’s 2022 Global Digital Trust Insights Survey, we asked almost 700 CEOs and 2,900 other C-suite executives how involved the CEO is in their companies’ cyber matters. CEOs view themselves as “engaged” and “strategic,” participating in discussions about cybersecurity and the privacy implications of mergers and acquisitions, as well as conversations regarding changes to operating models and strategies. But others see a much different story: non-CEO survey respondents say they see their CEOs as more reactive than proactive, more likely to get involved in cyber and privacy matters only after a company breach or when contacted by regulators—not before. Almost two-thirds (63%) of non-CEOs say their organization doesn’t get the kind of support they need from their CEO.
Yet there are CEOs out there who have turned this problem on its head. A small number of leading organizations in our survey (10%) have created a blueprint for a securable enterprise by reducing corporate complexity and establishing a framework for shared cybersecurity responsibility, with the CEO playing a key leadership role. Based on our analysis of these companies, we see a common approach to cybersecurity embodied by four Ps: principle, people, prioritization, and perception. CEOs who embrace the four Ps are turning what historically have been liabilities into advantages to be taken into the marketplace, weaving them into their business and operational strategies and making cyber leadership a fundamental feature of their strategy and purpose.
Principle
The first order of business for CEOs is connecting the organization’s mission to the security of data, assets, and people. CEOs can do this by articulating an unambiguous foundational principle that establishes security and privacy as operational goals and business imperatives.
Aflac, the largest provider of supplemental insurance at the workplace in the United States, has positioned cybersecurity at the center of who they are and what they do as a company. “We are one of the few insurance companies that measures ourselves on how fast we pay,” Aflac CISO Tim Callahan says. “Our operational managers are held to a standard of paying our claims fast. Dan Amos, our chairman and CEO, has never lost sight of who our customers are, and how much trust they have in us, and how we’re there for them during their time of need. That extends to protecting their information. He understands what the lack of cyber protection can do to our brand, to our customers, to our reputation. If the CEO were not passionate about that, then there’s a bigger problem.”
People
The ability to attract and retain top talent is one of the most important jobs for CEOs in establishing their organization as a cybersecurity leader. The chief executive, as the one person with a view across the entire company, must understand the business’s most critical cyber needs and have a way of encouraging and measuring talent development to ensure an influx of employees with a mindset of building and transforming—rather than just maintaining—what’s already there.
The CEO needs to work with the CISO to help employees understand the cybersecurity implications of their decisions. However, about a fifth of surveyed CISOs report little contact with CEOs.
CISOs ranking positions in the organization by degree of contact, %
10% of CISOs
name the CEO as the position with whom they have the least contact
21% of CISOs
name the CEO among the three positions with whom they have the least contact
CISOs ranking CEO among their three positions of least contact, by region
This work begins by hiring the right CISO and empowering the CISO and security teams to create cross-functional units within the business. The CEO, working with the CISO, must also equip employees with the necessary skills and mindset to be attuned to the cybersecurity risks and opportunities that all business decisions present. All members of the organization must understand the cybersecurity implications of their decision-making.
“To be a successful CISO, you need to understand the business you’re operating in and get behind what the business wants to do,” said Nicola O’Connor, chief information security and IT risk officer at AIB, in a recent PwC-hosted roundtable discussion.
Prioritization
The CEO can raise the priority level of cyber in two concrete ways: by simplifying the enterprise and by making cybersecurity a factor in strategy development.
The companies represented in our survey that had the best cybersecurity outcomes over the past two years were five times more likely than others to have streamlined operations enterprise-wide—work that included reorganizing functions and ways of working (59%) and creating an integrated data governance framework (58%). These companies also prioritize cybersecurity by using technology solutions to measure risk continually.
At the strategic level, CEOs can incorporate their commitment to cybersecurity into decision-making processes. For example, many organizations might consider cybersecurity risks as part of an M&A review, but how many of them would actually walk away from a deal because the acquired company would introduce such a risk? And how many companies would delay a product launch until key cyber vulnerabilities were fixed? How many would question whether entering a new market would open the company to new and potentially devastating cyber-threats?
The pace of technological change is happening faster than the institutional capacity of many IT organizations to adapt to it. Therefore, the CEO must create a culture in which companies move fast—but with a commitment to managing risk.
Perception
CEOs must recognize the cyber perception gap that might exist, particularly when it comes to their supply chains. Only 40% of companies we surveyed thoroughly understand their third-party cybersecurity and privacy risks, while companies that had the best cybersecurity outcomes over the past two years are 11 times more likely to claim the same.
Gina McIntyre, CEO of the Special EU Programmes Body, a cross-border entity between the UK and Ireland, believes companies must grasp the human element of cyber defense, especially throughout their supply chains. That means ensuring every partner has trained staff to act with vigilance. “Your biggest vulnerability is going to be that one human being clicking on something that they should not click,” she said in a recent PwC webinar.
Led by the CEO, the leading companies we’ve looked at focus on consolidating the number of third parties with whom they do business, recognizing that the uncontrolled evolution of the supply chain has created risk through unnecessary complexity. They also simplify their own organizations.
Swiss Reinsurance Company, commonly known as Swiss Re, had three different finance systems for three different business units—with each business unit implementing its own technology solutions for specific needs—before opting to simplify. Those technology solutions would then be integrated into company-wide systems. The challenge, according to Philipp Krayenbuehl, global chief security officer for Swiss Re, is that each integration point and interface incurs costs from an infrastructural point of view and in terms of security. This applies to technology platforms in general and to cybersecurity tools in particular. In addition, maintaining such complex environments becomes increasingly difficult, particularly when it comes to security vulnerabilities.
Although the four Ps are by no means exhaustive, we believe the framework provides a good starting point for CEOs to negotiate the era that lies ahead. The continued growth of the digital economy depends on the ability of the CEO to participate in building an effective cybersecurity strategy, increase cyber literacy, and lead the organization through all kinds of cyber-threat challenges, while pursuing opportunities to create competitive differentiation. We’re under no illusion that this is an easy task for today’s CEOs, who increasingly must be proficient across a wide set of paradoxical characteristics to succeed in the post-pandemic era. But we believe those leaders who embrace their cybersecurity leadership role will become the champions of the digital age.
Explore the series
Get your business ready for what comes next
Using our market leading studies, data, and expert analyses, we pinpoint the forces making an immediate impact on your business—and empower you to reinvent the future by examining global macrotrends, exploring sector-specific shifts, and discovering the latest technological tools to drive change.
Find out more here
Richard Horne
The Leadership Agenda
Sharp, actionable insights curated to help global leaders build trust and deliver sustained outcomes. Explore our latest content on the global issues affecting organisations today from ESG to value creation, technology and cyber to workforce transformation.
Explore now
Contact us
Global Industries & Sectors Leader and National Managing Partner, Clients & Markets, PwC Canada
Tel: +1 403 509 7483