When it comes to cybersecurity, the CEO matters: How executive leadership provides support can affect how well your organization is protected from ever-present cyber threats. But only 30% of respondents to PwC’s 2022 Global Digital Trust Insights Survey told us they get sufficient support from their CEO.
Your CEO can help support cybersecurity initiatives in three ways:
Executives who report significant progress in their cybersecurity over the past two years are 12 times more likely to say their CEOs give them the support they need.
How can the CISO help maximize the benefits of interactions with the CEO? For insights on this critical issue, Tech Effect spoke with Joe Nocera, PwC’s leader for the Cyber & Privacy Innovation Institute, and James Shira, PwC’s US and Global Chief Information & Technology Officer.
Joe Nocera: The CISO should help leadership become cyber-fluent, and help connect the dots between security threats and potential business impact. Use the time to really listen to CEOs. Explain where the organization's security process and practices are headed, and make them comfortable with how those processes support the broader business strategy.
“The objective is to help the CEO understand enough so that they feel the threat can be managed. Key is using the language of business and moving the conversation out of tech- and cyber-speak.”
James Shira: Cyber threats, and new kinds of attacks, are coming all the time. Concerns are increasing, and there’s high anxiety around this issue. The objective is to help the CEO understand enough so that they feel the threat can be managed. Key is using the language of business and moving the conversation out of tech- and cyber-speak. The interaction with the CISO should make the CEO feel empowered about the risks that the organization owns.
Joe Nocera: For any given meeting with the CEO, a CISO should cover three topics, in addition to discussing any other pressing issues:
Evaluate existing threats. What are the motives of the bad actors, and what do those motives mean in terms of how they might manifest as significant risks to the organization?
Convey details on the organization’s inherent risks, and explain how the resources now are being used to address those risks, which can vary by industry and risk landscape. Do the expenditures align with expectations around security? Provide an update on the progress that’s being made — to maturity, cybersecurity framework and enhancements to key risk indicators. Is the security team on course to complete the initiatives that it had planned to accomplish?
Demonstrate the measurable results of security initiatives. How has the organization improved its posture, when it comes to enhanced security?
James Shira: When you’re discussing solutions to discover gaps, don’t give them just one option — instead, talk about how various scenarios might play out. How would the tools we have and the strategy we now deploy provide predictability in addressing patterns we’re seeing? Focus on investments that have the most horizontal benefit and breadth of positive results. CISOs have to look for where the investments can get the most impact. For example, at PwC, our capability to continue working during COVID was brought to you by investments we made in 2017. We do go over metrics. We have a slide that shows the amount of time it takes us to do a blocking and tackling defense action. Metrics need to tell a story and inform board members and executives about the progress, or lack of progress, that we’re making. And metrics need to be specific to your specific challenges. Are we getting better over time, based on these investments?
Joe Nocera: The mission is twofold. First, strategize for the future, and, second, put out existing fires. The objective is to master the fundamentals of digital governance and risk management for day-to-day defense, and to anticipate new threats so that the organization can confidently move forward with new digital initiatives.
Leadership typically wants to know how the CISO evaluates the organization’s inherent risks. CISOs are expected to clearly explain the evolving risks to the organization and to engender confidence in the company’s resilience.
“The mission is twofold. First, strategize for the future, and, second, put out existing fires.”
James Shira: Think of security as the lubricant in the engine — it needs to be positioned at the point of friction in the business. What’s the right amount of security, and security investment, that helps the business grow or enter a market? The definition of “good” in security is not fixed. The CISO gets to define what’s good and then position the security enhancements within the CEOs broader agenda.
Joe Nocera: With the CEO, success often comes from how you manage that engagement and make the CEO feel like he or she is getting something out of the interaction. For business executives, the CISO should not rely on them to have security knowledge — instead, the CISO should take security knowledge to them. For most of the audiences we speak to, we need to make the topic relevant to them and absorbable by them.
James Shira: To prepare for talking to the CEO, you have to consult with the key partners in the key territories of the network. You have to understand what their constituent group is going to say. Focus on storytelling and avoid jargon. Try not to alienate your audience by being too technical. The CISO should convey to executives the current level of threats, and convey that the CISO understands the organization's risk appetite, in order to make the right decisions around policy and to put in place the structures necessary to help mitigate the risks most critical to the organization.
A small number of leading organizations in our 2022 Global Digital Trust Insights survey (10%) have created a blueprint for a securable enterprise by reducing corporate complexity and establishing a framework for shared cybersecurity responsibility, with the CEO playing a key leadership role. Every interaction with the CEO can make a difference to the organization.