Cyber has got CEOs’ attention, but are they taking action?
Chief executives cited cyber threats as the number-two risk to business prospects in PwC’s 24th Annual Global CEO Survey — topped only by pandemics and other health crises. In North America and Western Europe, cyber was number one.
Our findings from the 2022 Global Digital Trust Insights Survey suggest an “expectations gap” for cyber, with CEOs perceiving that they are more involved in, and supportive of, setting and achieving cyber goals than their teams do. A persistent gap can spell disaster if it instills a false sense of security company-wide, given the CEO’s leading role in defining an organisation's culture.
How involved are CEOs in cyber? We asked nearly 700 CEOs and 2,900 other C-suite execs. Among our respondents, CEOs tend to see themselves as more involved in cybersecurity than others in the organisation do.
Many CEOs self-identify as engaged and strategic in their approaches to cyber. Our CEO respondents indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model, and future strategy.
Other executives don’t view things in quite the same way. Non-CEOs rated their CEOs as more reactive than proactive regarding cybersecurity. They say the chief executive is most likely to take part in cyber and privacy matters after a company breach or when contacted by regulators — not before.
CEOs were more likely than non-CEOs to rate as “significant” their level of support in six areas. For instance, 37% of CEOs said they provide significant support for “ensuring adequate resources, funding and sufficient priority” to cyber, while only 30% of non-CEOs agreed that their CEOs do so.
And 34% of CEOs say they provide significant help to cyber leadership with “reducing investors’ uncertainty regarding organisational cyber risks” — while just 29% of non-CEOs agree. Thirty-six percent of CEOs say they empower their cyber leadership to connect with customers and business partners, while only 30% of non-CEOs say cyber gets that kind of support.
CEOs matter. CEOs in our “most improved” group (those with the best cybersecurity outcomes over the past two years) are 14x more likely to provide significant support across all categories. Similarly, the non-CEOs in the most improved group are 12x more likely to say their CEOs provide that significant boost.
The CEO’s engagement and support wield long-term importance. Executives in most regions and industries say the most important act for a more secure digital society by 2030 is educating CEOs and boards so they can better fulfill their cyber duties and responsibilities.
It’s time to close the expectations gap between the chief executives and the others in the C-suite regarding the level of CEO involvement and support of cybersecurity. Things seem headed in the right direction: Interactions with the CEO on cyber matters have increased significantly in the past two years, according to 46% of our survey respondents.
Asked how CEOs frame the cyber mission in their organisation, more than half (54%) of the CEOs chose bigger-picture, growth-related objectives from their security team, as opposed to narrower, shorter-term expectations.
Non-CEOs echoed this mindset. In both groups, “a way to establish trust with our customers with respect to how we use their data ethically and protect their data” was the number-one cyber mission choice. CEOs really do set the tone for the rest of the organisation.
CEOs and non-CEOs name similar top goals for cyber in the next three years. These objectives mirror the famous Maslow’s hierarchy of needs, with prevention as the baseline, or most important; resilience coming next; followed by trust (including consumer trust: “improved customer experience” and “higher customer loyalty” rank fifth and seventh, respectively). Protection, resilience and trust comprise the three legs of the cybersecurity stool, each important for the security of the business overall.
Top goals are:
Increased prevention of successful attacks (this ranks number three in the energy and utilities sector)
Faster response times to incidents and disruptions
Improved confidence of leaders in the organisation’s ability to manage present and future threats (number one in energy, utilities, and resources)
The top 10% that are “most advanced” in cyber practices or “most improved” on cyber outcomes are in a good position. But the majority overall — 63% of organisations — don’t get the kind of support they need from their CEO. The fact is, both the CEO and CISO need to work together better to benefit the company.
CEO: How much should you be involved in your organisation’s cybersecurity — without taking on undue burden?
A powerful CEO move: making an explicit statement establishing an imperative for security and privacy organisation-wide. In some cases, the organisation’s mission statement is already implicitly supportive, such as Liberty Mutual’s mission statement to “help people live safer, more secure lives.” Red Bull’s dedication to distinguished products and services gives its CISO the mandate to make security an integral part of the product and service quality delivered to customers.
A related CEO imperative: empowering your CISO to carry out the cybersecurity mission, voicing support and providing resources for secure-by-design, secure-by-default processes. Some may add the CISO to the C-suite. Others may help the CISO communicate more with the board or revamp the enterprise’s structure to embed security staff on business teams. Empowering CISOs may also mean giving them the platform to speak outside the organisation to customers about its security and privacy initiatives, as a trust officer would.
This period of great complexity in the business world demands a third CEO imperative. The CEO must modify certain elements of the company’s business and/or operating models to make the company “simply secure” when the security team identifies wasteful habits. For example, in the name of speed, a “get to market first, fix security later” mindset prevails. Companies aren’t fully mitigating remote work risks. Business units often buy technologies and contract with third parties autonomously. Cybersecurity is too often an afterthought in cloud adoption or transformation.
By taking action, the CEO reinforces a zero-tolerance mentality for complexity that gets in the way of security.
CISO: How well do you understand the business? How connected are you with leaders on the business side?
For an organisation that’s simply secure, CISOs must move out of the technology trenches and broaden their outreach — learning from the CFO how to talk about the financial implications of risk, for example, in a language the board understands, or working with the product manager to devise developer-friendly ways to secure applications.
This change may require a mindset shift for many CISOs. CISOs interact most frequently with the CIO and chief technology officer, our survey shows, and least frequently with the chief marketing officer and product management leader. The CFO also ranks low on the interactions list. CISOs will need to spend more time with these business partners to begin to speak their language and better understand their business imperatives.
More than 21% of CISOs placed the CEO among the three positions with whom they interact least; some 10% placed the CEO at the very bottom of the list. The CEO-CISO divide is widest in Europe: 27% of CISOs in western Europe and 28% in eastern Europe placed their chief executive among the bottom three with whom they interact, followed by Asia Pacific (21%) and North America (19%).
Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US