


The Essential Playbook On CEOs And Cyber Resilience


“Whenever I speak to a group of CEOs to share my learnings from the cyberattack, I start by saying, ‘put down your phones for 15 minutes, you’ll want to listen carefully to what I have to tell you’.” CEO of a $4 billion U.S. company.

Leaders who have endured a cyberattack feel strongly about helping others avoid some of the mistakes they have made. Drawing on in-depth interviews with 37 global CEOs, ISTARI, a Temasek-founded global cybersecurity firm dedicated to helping clients build cyber resilience, and Saïd Business School at the University of Oxford today revealed the findings of their joint CEO Report on Cyber Resilience.

More than any previous study, the report applies a top-management lens to cybersecurity risks and underscores the critical role CEOs play in building cyber resilience. It shares insights from thirty-seven one-hour, face-to-face interviews with U.S., Asian and European CEOs whose businesses have an average revenue of $12 billion and employ an average of 40,000 people. Nine of the CEOs interviewed had guided their company through a serious cyberattack.

Rashmy Chatterjee, a co-author of the report and CEO of ISTARI, said: “It is self-evident that the impacts of a cyberattack go beyond IT. But, as our research shows, CEOs struggle to know how to lead their organizations’ responses. From these candid conversations, we can better answer what their role should be and fill the gap in what CEOs need to do to build and command cyber resilient organizations.”

What CEOs really think about cyber risk: Revealing their Secret Fear, Uncertainty and Discomfort

Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalization of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune.

Under the condition of anonymity, the CEOs spoke with remarkable honesty about their fears, frustrations and regrets about cyber threats and security.

The CEOs acknowledged that they are formally answerable to regulators, shareholders and their board for cybersecurity. Yet the majority (72%) said they were uncomfortable making decisions about cybersecurity, often leading them to delegate responsibility for, and understanding of, cybersecurity to their technology teams, which can jeopardise resilience.

The report contains many candid confessions about the depth of CEOs’ discomfort and fears:

“Publicly I always had a plan and I was focused on people following the plan. But privately I was suffering because you're carrying everyone else’s fears. Everyone else in your room is going, ‘I'm worried, I'm worried, I'm worried.’ So I had to say, ‘it’s okay, don't worry.’ You carry all of that burden alone as a CEO, you just have to. Then when you actually get home at night but you're still dealing with it without sleeping because people need you all the time. It felt like someone was consistently reaching inside of me and pulling my guts out. It was the worst situation I've ever faced in my career.”

“It quickly dawned on us how ill-prepared we were and how little we actually knew about the real risks of being hit by something like that. We did not understand how severe the risk could be, we couldn’t even imagine it.”

“Everybody comes and scares the hell out of me. They told me you should be very scared. I said I'm already very scared, what do you want me to do?”

Co-author of the report, Dr Manuel Hepfer, Head of Knowledge and Insights at ISTARI and a Research Affiliate at Oxford University’s Saïd Business School, says: “Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area they lack familiarity and intuition.”

The overarching takeaway from those CEOs is that they want to move beyond simply hardening their enterprises’ cybersecurity defences to creating cyber resilience: the ability to anticipate, withstand, respond and adapt to cyberattacks, with the goal of minimizing impact, expediting recovery and emerging stronger.

Four Mindsets CEOs Need to Lead Cyber Resilient Businesses

The study outlines four mindsets CEOs should adopt to build cyber resilience, of which becoming co-responsible for cyber resilience with their Chief Information Security Officer (CISO) is one. They are:

#1 All CEOs interviewed said they feel accountable for cybersecurity. However, a parallel ISTARI survey of CISOs found one in two European (50%) and almost a third (30%) of US CISOs did not believe that their CEOs feel accountable. This gap in perception, according to the research, lies partly in the meaning of accountability: instead of seeing themselves as accountable – being the face of the mistake afterwards – CEOs should assume co-responsibility for cyber resilience together with their CISO.

#2 CEOs should stay away from blindly trusting their technology teams. Instead, they should move to a state of informed trust about their enterprise’s cyber resilience maturity. As one CEO confessed after discovering he did not know how many servers the business relied on: “That was an incentive for all of us to understand more. We realised that we spend millions each year on this kind of technology but don’t really understand it.”

#3 CEOs should embrace what the authors call the ‘preparedness paradox’: an inverse relationship between the perception of preparedness and actual resilience. The better prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation is likely to be in reality. “We have done some things to look like we are doing something about (cyber risks), but it was much more a ticking of the box exercise instead of really understanding it.”

#4 CEOs should adapt their communication styles to manage pressure from external stakeholders who have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs should either be a transmitter, filter, absorber or amplifier of pressure.

Put down your phones

The second part of the research report synthesizes such advice in a playbook for CEOs wanting to build cyber resilience in their enterprises, laying out specific steps CEOs can personally take to anticipate, withstand, respond and adapt to serious cyberattacks.

Michael Smets, co-author and Professor of Management at Saïd Business School explains, “The fact that all CEOs in our study felt accountable for cybersecurity, but less than a third of them felt comfortable making decisions in that area reveals an alarming gap. To build cyber resilience, CEOs must close that gap. This report offers a first playbook to help CEOs do so.”

Professor Smets’ work focuses on the leadership development and delivery of large-scale (digital) transformations, and he regularly contributes to Oxford Saïd’s flagship leadership programs. “The CEO is especially critical in building cyber resilience,” he insists, “as it is a significant, long-term investment in technology, culture and operations to protect against an existential threat. To succeed, these efforts must be sponsored and integrated at the top of any organization.”

Throughout the ISTARI / Oxford Saïd CEO Report on Cyber Resilience, the authors identify the key questions CEOs should ask themselves, and offer five provocations to keep in mind, including “Don’t ask what your cyber team can do for you. Ask what you can do for your cyber team.”

Their overarching takeaway is in the title of the report. Enterprises today need to move beyond simply shoring up their cybersecurity defences to the more complex but critical task of building organisational cyber resilience. Meeting this challenge requires, above all, CEO leadership.

To discover more about how CEOs can build a cyber resilient organization, you can read the full report here.
