ISTARI, a Temasek-founded global cybersecurity firm dedicated to helping clients build cyber-resilience, and Saïd Business School at the University of Oxford have revealed the findings of their joint CEO Report on Cyber-resilience. The report applies a top-management lens to cybersecurity risks and underscores the critical role CEOs play in building cyber-resilience.
It shares insights from 37 one-hour-long face-to-face interviews with American, Asian and European CEOs whose businesses’ average annual revenue is US$12 billion, employing an average of 40,000 employees. One-third of the interviewees are from Asia. Nine of the CEOs interviewed had guided their company through a serious cyberattack.
When cyberattacks happen, CEOs are inevitably at the centre of the incident and act as the face of the company. And in a cyber climate where cyberattacks have become a question of ‘when’ and not ‘if’ – with the Asia Pacific region facing the highest number of cyberattacks in 2022 – CEOs are naturally expected to take accountability when such unfortunate incidents occur.
What CEOs really think about cyber-risk: secret fears, uncertainty and discomfort
Under the condition of anonymity, the CEOs spoke with remarkable honesty about their feelings, frustrations and regrets about cyberthreats and security.
The CEOs acknowledged that they are formally answerable to regulators, shareholders and their boards for cybersecurity. Yet the majority (72%) said they were uncomfortable making decisions about it, often leading them to delegate responsibility for, and understanding of, cybersecurity to their technology teams, which can jeopardise resilience.
Co-author of the report, Dr Manuel Hepfer, Head of Knowledge and Insights at ISTARI and a Research Affiliate at Oxford University’s Saïd Business School, said: “Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area they lack familiarity and intuition.”
Four mindsets CEOs need to lead cyber-resilient businesses
The study outlines four mindsets CEOs should adopt to build cyber-resilience:
- All CEOs interviewed said they feel accountable for cybersecurity. However, a parallel ISTARI survey of Chief Information Security Officers (CISOs) found one in two European (50%) and almost a third of US (30%) CISOs did not believe that their CEOs feel accountable. This gap in perception, according to the research, lies partly in the meaning of accountability: instead of seeing themselves as accountable – being the face of the mistake – CEOs should assume co-responsibility for cyber-resilience together with their CISO.
- CEOs should stay away from blindly trusting their technology teams. Instead, they should move to a state of informed trust about their enterprise’s cyber-resilience maturity.
- CEOs should embrace what the authors call the ‘preparedness paradox’: an inverse relationship between the perception of preparedness and resilience – the better-prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation likely is, in reality.
- CEOs should adapt their communication styles to regulate pressure from external stakeholders who have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs should either be a transmitter, filter, absorber or amplifier of pressure.