If you think cyber attacks are bad for companies, imagine how the CEO feels. A new global study does just that, revealing that cyber attacks take a serious emotional toll on CEOs. The good news is that the experience is an opportunity (or a wake-up call) to shift their mindset from cybersecurity to cyber resilience.
The study – conducted by Temasek-founded global cybersecurity firm Istari and Saïd Business School at the University of Oxford – involved hour-long face-to-face interviews with 37 CEOs from North America, Europe and Asia. The latter group accounted for a third of the sample, and arguably had the most to worry about: the Asia Pacific region experienced the highest number of cyber attacks last year.
Naturally, when cyber attacks happen (and that’s “when”, not “if”), CEOs have to be the face of the company when they talk to regulators, shareholders, board members, customers, partners and anyone else who might be affected by the attack. But while CEOs understand that they have to be accountable when their company is hacked, 72% said they were uncomfortable making decisions about it. This is why so many CEOs delegate responsibility for (and understanding of) cybersecurity to their technology teams.
“Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area in which they lack familiarity and intuition,” says Dr Manuel Hepfer, report co-author and Head of Knowledge and Insights at ISTARI, as well as a research affiliate at Oxford University’s Saïd Business School.
CEOs are human too, you know
This paragraph from the report gives an idea of the agonies involved:
The CEOs we spoke with who endured a serious attack highlighted the agonies of making existential decisions based on imperfect information under extreme pressure. Some described it as the grimmest experience in their careers. They found themselves having to bring their businesses back from the brink of extinction, while navigating insistent pressure from shareholders, regulators and customers. They discovered that although their company had spent significant resources on technological defences, it often lacked basic forms of organisational resilience.
Hence a study on the emotional impact cyber attacks have on CEOs. Putting the obvious jokes aside, CEOs are human beings with emotions. And like most humans, they react emotionally to cyber attacks:
A serious cyberattack is the ultimate corporate crisis: it occurs unexpectedly, creates high levels of uncertainty, and can threaten the very survival of an organisation.
But a serious cyberattack differs from other crises. Unlike, for example, a pandemic, an attack is malicious. It feels personal to be attacked, yet enterprises do not know who is behind it. […]
The predominant feeling is loss of control. And yet the CEO has to be a reassuring presence for all stakeholders.
The emotional response to cyber attacks is also partly rooted in the fact that many execs still think of attacks as preventable – thus, a successful hack means you failed to prevent it. But as everything goes digital, the truth is that every company is going to be hacked in some way, sooner or later.
Consequently, cybersecurity experts talk more these days about cyber resilience, where the emphasis is not just on fortifying defenses, but also on anticipating, withstanding, responding to and adapting to cyber attacks in order to minimise impact, expedite recovery and emerge stronger.
Whether embracing cyber resilience will make attacks less stressful for CEOs is an open question. But it does change their perspective on what really matters when it comes to cybersecurity. According to the report, CEOs whose companies have been hacked have learned the value of resilience.
But acting on that epiphany requires a different mindset. In fact, according to the Istari/Saïd study, CEOs who want to take cyber resilience seriously will need to adopt four mindsets.
First: share the responsibility for cyber resilience with the CISO. All CEOs interviewed for the survey feel they are accountable for cybersecurity, but up to half of their CISOs don’t agree:
“This gap in perception, according to the research, lies partly in the meaning of accountability: instead of seeing themselves as accountable – being the face of the mistake – CEOs should assume co-responsibility for cyber resilience together with their CISO.”
Second: don’t pass security off to the tech teams and simply trust them to handle it. Keep tabs on them and stay informed about your company’s cyber resilience maturity.
Third: embrace the ‘preparedness paradox’, which basically means: “the better-prepared CEOs think their organisation is for a serious cyberattack, the less resilient their organisation likely is, in reality.”
Fourth: adapt communication styles to regulate pressure from external stakeholders who have different and sometimes conflicting demands.
“Depending on the stakeholder and the situation, CEOs should either be a transmitter, filter, absorber or amplifier of pressure.”
The full report is here.