How CEOs Can Become Co-responsible for Cyber Resilience

Image Credit: Funtap/BigStockPhoto.com

With ISTARI and Saïd Business School at the University of Oxford, we recently examined the role CEOs play in managing cybersecurity risk.

Drawing on 37 in-depth interviews with global CEOs from American, Asian and European businesses, nine of whom had endured a serious cyberattack, we uncovered their emotions and anxieties in building cyber resilience.

In our interviews with them, we asked if they felt accountable for cyber resilience. All of them – without exception – insisted that they did.

But in parallel, we asked 37 chief information security officers who participated in ISTARI’s executive education programme in Europe and America about their perceptions of their CEOs’ accountability. Half of the European participants did not think that their CEOs felt accountable, and neither did one-third of the US participants.

The likely reason for this gap in perception between CEO and CISO lies in the subtle but important difference between taking accountability and being responsible.

Accountability is associated with ownership of mistakes after a crisis has occurred or with being “the face of the mistake.” It does not, however, mean ongoing engagement and ownership of tasks, something people tend to associate with responsibility.

That is a regret shared by the CEOs who successfully steered their companies through a devastating cyberattack. They learnt the hard way that assuming accountability is not enough, and recognised that they need to become co-responsible with their cybersecurity leader instead of delegating responsibility to technical experts.

The actions CEOs can take to become co-responsible for cyber resilience alongside their CISO

Be engaged and available. Co-responsibility requires doing much more than just being the public face of a crisis after the fact. It means taking action and playing an ongoing role in proactively building cyber resilience before an incident occurs, irrespective of reporting lines. And when an attack happens – as simple as it sounds – CEOs have to be available. Actions and decisions in the early hours of an attack set the enterprise up for success or failure in its response and the recovery of shareholder and stakeholder confidence.

Recognise the business opportunity in cyber resilience. Whereas many CEOs once viewed cybersecurity as an operational expense associated with IT management, many are starting to see it as a strategic risk to their enterprises. But a few executives, typically those who have managed their companies through a serious attack, are even beginning to see it as a strategic opportunity – a driver for value creation and innovation. Enterprises that achieve great cyber resilience usually do so because of a wider set of “resiliency” capabilities, which share the goal of helping the organisation weather all kinds of disruptions – pandemics, wars or cyberattacks.

Move from blind trust to informed trust. Many of the CEOs we interviewed admitted to blindly trusting their cyber and technology teams. But CEOs who had experienced a serious cyberattack said that, in hindsight, they wish they had personally known and understood more. So instead of blindly trusting their technology teams, CEOs should move to a state of “informed trust” about their enterprise’s state of cyber resilience. One way to achieve that is to seek independent, unbiased advice reporting results directly to the CEO, similar to important financial audits.

Embrace the “preparedness paradox”. During our interviews, we asked CEOs to rate their companies’ preparedness for a serious cyberattack on a scale from one to ten. Only a few could be persuaded to give a number; many either dodged the question or openly said that they did not know. Of those who responded, the majority rated their preparedness relatively high. And therein lies a problem. As it turns out, the CEOs with cyberattack experience acknowledged that they, too, had previously believed they were well prepared – before recognising their misperception in hindsight.

CEOs should embrace the inverse relationship between the perception of preparedness and resilience: the better prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation likely is, in reality. To avoid complacency, CEOs should see their organisation’s preparedness not as an achievable end state but as a set of ongoing activities.

Adapt your communication style. When a serious cyberattack happens, the spotlight naturally falls on the CEO. Not knowing the scale of the impact, where the attack originated or how quickly it can be resolved creates high levels of uncertainty. Internal and external stakeholders, such as the board, customers or regulators, exert pressure on the CEO. To regulate the pressure from stakeholders who have different and sometimes conflicting demands, CEOs should adopt four different communication styles. Depending on the stakeholder and the situation, CEOs should be either a transmitter, a filter, an absorber or an amplifier of pressure.

Revisit budget allocation. Years ago, CEOs saw investment in cybersecurity as a lose-lose situation. If their company was attacked, they would lose reputation and profit, and the upfront investment in cybersecurity had proven ineffective. If their company was not attacked, investments in cybersecurity would be seen as wasted and warnings unduly alarmist. But the CEOs we interviewed rarely viewed cyber resilience as an area of operational IT expense ripe for cost savings. Instead, several gave the impression that they are willing to allocate unlimited budget to cybersecurity. Even if the pendulum has swung toward erring on the side of over-investment, the challenge remains for most CEOs to strike a balance between spending enough but not wasting money – “spending smartly,” as one put it.

Overall, our research found that the domain of cyber resilience requires that CEOs revisit traditional approaches that have worked well for them in other business areas. We believe our findings mark a step forward in helping CEOs lead companies that not only survive cyberattacks, but leverage cyber resilience as a strategic opportunity. In becoming co-responsible for cyber resilience, CEOs can build the foundations that set up their enterprises for success in the digital era.

Author

Manuel is the Head of Knowledge and Insights at ISTARI and a Research Affiliate at Oxford University's Saïd Business School. Before joining ISTARI, he completed a PhD in Cybersecurity and Strategic Management at the University of Oxford. His research has won awards and appeared in academic journals and international media.
