CEOs feel responsible for security, but ill at ease about stepping up

Seven in every 10 (72%) CEOs are uncomfortable making decisions about cyber threats and security, often leading them to delegate responsibility to their technology teams, a practice that can jeopardise resilience, according to Istari and Saïd Business School at the University of Oxford.

This happens even as CEOs acknowledge that they are formally answerable to regulators, shareholders and their boards for cybersecurity.

These are among the findings of a report based on thirty-seven one-hour face-to-face interviews with American, Asian and European CEOs.

“Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area in which they lack familiarity and intuition,” said Manuel Hepfer, co-author of the report and head of Knowledge and Insights at Istari.

The study outlines four mindsets CEOs should adopt to build cyber resilience. The first concerns accountability: all CEOs interviewed said they feel accountable for cybersecurity.

However, a parallel Istari survey of Chief Information Security Officers (CISOs) found that half of European (50%) and almost a third of US (30%) CISOs did not believe that their CEOs feel accountable.

This gap in perception, according to the research, lies partly in the meaning of accountability: instead of seeing themselves as accountable – being the face of the mistake – CEOs should assume co-responsibility for cyber resilience together with their CISO.

Second, CEOs should stay away from blindly trusting their technology teams. Instead, they should move to a state of informed trust about their enterprise’s cyber resilience maturity.

Third, CEOs should embrace what the authors call the “preparedness paradox” — an inverse relationship between the perception of preparedness and resilience. The better-prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation likely is, in reality.

And fourth, CEOs should adapt their communication styles to regulate pressure from external stakeholders who have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs should either be a transmitter, filter, absorber or amplifier of pressure.

“It is self-evident that the impacts of a cyberattack go beyond IT,” said Rashmy Chatterjee, a co-author of the report and CEO of Istari. “But, as our research shows, CEOs struggle to know how to lead their organisations’ responses.”

Michael Smets, co-author and professor of management at Saïd Business School, said that to build cyber resilience, CEOs must close that gap. “This report offers a first playbook to help CEOs do so.”