Why it's time for the CEO to take the lead on cybersecurity
CEOs need an "explicit, unambiguous foundational principle establishing security..."
When it comes to the CEO and cybersecurity, pressure has mounted on chief executives to become more involved in -- and understanding of -- the challenges their businesses face. Indeed, as a sweeping new PwC report finds, executives in most regions and industries say "the most important act for a more secure digital society by 2030 is educating CEOs and boards so they can better fulfill their cyber duties and responsibilities".
The report also finds that chief executives at companies that had the best cybersecurity outcomes over the past two years are fourteen times more likely to provide "significant and broad" support to cybersecurity. Specifically, the October 2021 report ("The C-suite guide to simplifying for cyber readiness") emphasises four "Ps" for CEOs to focus on as they start to take a more active role in ensuring their businesses are secure.
- Principle. The CEO must articulate an "explicit, unambiguous foundational principle establishing security and privacy as a business imperative" -- and indeed, frame cybersecurity as important to business growth and customer trust. This may mean coming to grips with risks in existing business models, e.g. a "get to market first, fix security later" mindset, or one that treats security as an end-of-pipe bolt-on.
- People. Hire the right leader, and let the CISO and security teams connect with the business teams.
- Prioritisation. Risks change as digital ambitions rise. Use data to measure risks continually.
- Perception. You can’t secure what you can’t see. Uncover blind spots in your relationships and supply chains.
See also the NCSC's cybersecurity toolkit for boards
Yet CEOs often see themselves as more involved in cybersecurity than others in the organisation do, the report -- based on a survey of nearly 700 CEOs and 2,900 other C-suite executives -- found.
In a warning sign of a gulf between how CEOs conceive of their involvement and how other company leaders see it, the majority of C-suite respondents overall (63%) said they don't get the kind of support they need from their CEO.
The CEO and cybersecurity: more conversations with CISOs
CISOs still interact most frequently with the CIO and CTO, the PwC survey shows (least frequently with the chief marketing officer and product management leader). The CFO also ranks low on the interactions list.
CISOs will need to spend more time with these business partners to begin to speak their language and better understand their business imperatives, PwC suggests. (Of course, for many companies this starts by actually having a CISO: in mid-tier companies, and even many larger ones outside of sectors in which IT has been elevated over recent years to more of a co-innovation partner position, the CISO role remains non-existent...)
Worryingly, more than a fifth of CISO respondents to the survey (21%) placed the CEO among the three roles they interact with least; a gap that is widest in Europe: 27% of CISOs in western Europe and 28% in eastern Europe placed their chief executive among the bottom three with whom they interact.
CISOs can do more to bring the cybersecurity agenda closer to the business, the report suggests -- something that might take careful honing of soft skills, including clear communication that recognises business imperatives.
As SASIG Founder Martin Smith recently noted to The Stack: "Ultimately, the responsibility [for cybersecurity] rests with the board. It has a responsibility to understand the problem. Just imagine if boards said 'Oh, I don't really understand computers – we're going to leave that up to the CIO', or, 'I don't really understand money, so I'm gonna leave that to the CFO' or 'I don't really understand people management, so I'll leave that to the head of HR'. No! The board has a fiduciary responsibility to understand all of this. That's why they're at the board level!"
He added: "By the same measure, if the board doesn’t understand cybersecurity because they see it as too difficult or unimportant, that’s simply because it hasn’t been explained to them properly. People at board level are really bright, that’s why and how they got there. If they don’t understand something then somebody in the chain hasn’t explained it to them properly: in this context that’s the CISO..."
When it comes to the CEO and cybersecurity, a powerful chief executive move can be "making an explicit statement establishing an imperative for security and privacy organisation-wide", PwC notes, while empowering the CISO, voicing support and providing resources for secure-by-design, secure-by-default processes.
"Some may add the CISO to the C-suite...
"Others may help the CISO communicate more with the board or revamp the enterprise’s structure to embed security staff on business teams. Empowering CISOs may also mean giving them the platform to speak outside the organisation to customers about its security and privacy initiatives, as a trust officer would."
CISOs meanwhile "must move out of the technology trenches and broaden their outreach -- learning from the CFO how to talk about the financial implications of risk, for example, in a language the board understands, or working with the product manager to devise developer-friendly ways to secure applications", PwC urges.
A good example from The Stack's recent reporting can be seen at Veeam, where CISO Gil Vega told us his role is "set up in a way that reports directly into the CEO, with an independent path directly to our board of directors."
He added in a recent interview: "I am part of the CEO's leadership team, and the executive team, and that allows me to provide a lot of input and guidance on the company's strategic plans; where we're going to spend money, where we're going to invest, where we're going to open new business", noting "I feel like Veeam has set this position up in a way that really reflects a state-of-the-art governance model; because there's still a lot of large companies out there that don't quite take this issue [cybersecurity] as importantly as they should."