Why Must The CEO Lead Cybersecurity Initiatives

by CXOtoday News Desk, Jun 24, 2014


All companies are aware of the growing risk of cyber attacks, yet few are taking the necessary steps to protect their critical information. Where is the gap? A McKinsey report notes that no matter what cybersecurity efforts the technology team puts in place, cybersecurity is clearly a CEO-level issue, and the CEO must lead the initiative along with the rest of senior management.

“A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management and especially the CEO can ensure progress and ultimately mitigate the risk of cyberattacks,” says Tucker Bailey, a principal in McKinsey’s Washington, DC, office and co-author of the report.

In other words, because the risks of cyberattacks span functions and business units, companies and customers, and because of the stakes and the challenging decisions involved in becoming cyber-resilient, the necessary decisions can only be made with active engagement from the CEO and the rest of the senior-management team, says the report, which was based on a survey of senior executives from more than 200 institutions as well as on the cybersecurity risk-management practices of more than 60 of the world’s 500 largest companies.

Senior-management time and attention were identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector, or the resources provided, says the report. While the CISO, CIO and CFO can always devise strategies to combat cyber attacks, the companies making the most progress toward cyber-resiliency often have an actively engaged CEO.

The report outlines four ways CEOs can lead the cybersecurity initiative while involving other senior managers within the organization.

- Actively engaging in strategic decision making. Just as with other types of enterprise risk, CEOs and the rest of the senior-management team must provide input on the organization’s overall level of risk appetite for loss of intellectual property, disclosure of customer information, and disruption of business operations. Subsequent to that, business-unit heads—and their management teams—must engage with cybersecurity managers to help prioritize information assets and make specific trade-offs between risk reduction and operational impact, says the report.

- Driving consideration of cybersecurity implications across business functions. CEOs must ensure that business managers incorporate cybersecurity considerations into product, customer, and location decisions, while functional leaders are responsible for addressing cybersecurity considerations in human-resources and procurement decisions. In addition, CEOs must make sure that the disclosure of cybersecurity priorities is incorporated into the company’s public-affairs agenda.

- Pushing changes in user behavior. Given how much sensitive data senior managers interact with, they have the chance to change and model their own behavior for the next level of managers. This can begin with simple steps, such as becoming more judicious about forwarding documents from corporate to personal e-mail accounts. In addition, senior management can and should provide the communications “airtime” and reinforcement required to help frontline employees understand what they need to do to protect critical information assets.

- Ensuring effective governance and reporting is in place. No matter how thoughtful a set of cybersecurity policies and controls may be, some managers will seek to circumvent them. The CEO obviously needs to make sure that policies and controls make sense from a business standpoint; once they do, the CEO needs to backstop the cybersecurity team to help with enforcement. In addition, the CEO should put in place effective, granular reporting on how the company is progressing against specific milestones in its cybersecurity program.

Pervasive digitization, open and interconnected technology environments, and sophisticated attackers make cybersecurity a critical social and business issue, says James Kaplan, a principal in McKinsey’s New York office and co-author of the report. If inadequately addressed, it could materially slow the pace of technology and business innovation in the years to come. That is why companies must make rapid progress toward cyber-resiliency, and only sustained focus and support from top management can overcome the myriad structural and organizational hurdles.