How confident CEOs should look to take charge of cybersecurity

Today, CEOs are masters at dealing with disruption — which has grown 200% in the last five years. With a heady mix of rising costs, access to capital, supply chain interruptions, geopolitical instability and environmental challenges, it’s small wonder CEOs may have decided to sideline cybersecurity as a business priority. And yet new research shows why they shouldn’t.

Digital innovation that is sparking the reinvention of business to grow to new heights relies on a resilient infrastructure and operations. Yet, despite most CEOs acknowledging the critical role of technology for their future transformation efforts, recent Accenture research finds that nearly three-quarters of them aren’t sure their organisation could stem the tide of business loss from a cyber attack. It’s a challenge that continues to escalate. Cybercrime costs are expected to triple to reach $10.5 trillion by 2025, with global cybersecurity spending forecasted to reach $300 billion a year later. For CEOs, the days of attending to cyber resilience after a breach happens are over.

The role of risk

Although 96% of CEOs see cybersecurity as enabling growth, stability and competitiveness, in practice only 5% of CEOs are personally engaging and enabling their organisations to become cyber resilient in the face of growing threats, vulnerabilities and regulatory expectations. They admit they don’t have a deep knowledge of evolving threats and spend minimal time in the boardroom discussing them. 91% of CEOs treat cybersecurity as a technical, compliance issue and see it primarily as the purview of the CIO or CISO. They’re slow to act on the risk of compromise and reputational damage from new technologies, such as generative AI. And they’re unsure how to measure cyber resilience and lack confidence that their businesses are on the right track to tackle it.

The fact that cybersecurity is hard to quantify also seems to make it easier to overlook — more than half of CEOs we surveyed believe that a cyber attack will cost less than implementing cybersecurity in the first place. It’s a misconception that not only fails to take into account the impact of the loss of reputational damage and customer trust following a breach, but also proves inaccurate financially, according to our research.

This disconnect compounds the lack of preparedness for more advanced security threats that even leading cyber defences may not fully address. Nearly two-thirds (64%) of CEOs surveyed said that cybercriminals could use generative AI to create sophisticated and hard-to-detect cyber attacks, such as phishing scams, social engineering attacks and automated hacks. It’s a sound assumption; in just one year, Accenture Cyber Intelligence saw an 815% surge in the use of AI technologies by dark web criminals.

The CEO plays an important role in blending cybersecurity and business strategies, which is now being recognised. The World Economic Forum reported that 94% of business and cybersecurity leaders said their board of directors has a duty of care when it comes to cybersecurity. And, more recently, this sentiment has been endorsed by a US Securities and Exchange Commission rule requiring that company boards, supported by their CEOs, must demonstrate that they have the ongoing expertise to provide clear and credible oversight of cyber risk management.

Cybersecurity as a differentiator

Our research benchmarked 25 practices that measure cybersecurity resilience and found a small group of CEOs who lead the way. These ‘cyber-resilient CEOs’ prioritise cyber investments and experience up to three times lower cyber breach costs compared with their peers: in short, they detect, contain and remediate threats faster.

Cyber-resilient CEOs outperform peers financially too, with 16% higher incremental revenue growth, 21% improvements in cost reductions and 19% healthier balance sheets. They take five actions in the areas of strategy, talent and culture, technology, ecosystems and continuous resilience and consider cybersecurity to be a key differentiator, both for their products and services and as a means to build trust among all stakeholders.

Five actions for cyber resilience

The cyber-resilient CEO is more confident — 60% said they were cyber resilient compared to 24% of their peers. They also adopt enterprise-wide strategies to reinvent themselves and assess cybersecurity holistically. Using a 360-degree lens, their cybersecurity strategies accommodate non-financial measures such as sustainability, talent, technology innovation and customers.

Below is an actionable guide with five steps every CEO can take for their businesses to become more cyber-resilient:

1. Strategy: Embed cyber resilience in the business strategy from the start. Ensure leaders embrace cybersecurity as an integral part of decision-making processes, from strategic planning to budgeting. Review risk, reduce organisational complexity and prioritise transparency with all stakeholders.
2. Talent and culture: Establish shared cybersecurity accountability across the organisation. Build a cybersecurity-first culture with shared accountability that takes advantage of generative AI and a cybersecurity-as-a-service approach. Close the security talent gap by investing in talent development alongside hiring efforts.
3. Technology: Secure the digital core at the heart of the organisation. Promote security by design, champion zero trust, secure emerging technologies and make building digital trust a priority.
4. Ecosystems: Extend cyber resilience beyond organisational boundaries and silos. Recognise the role of the supply chain, engage leaders and prioritise partnerships. Openly collaborate to contain cyber-attack surprises, address the vulnerabilities between environmental measures and cyber resilience and integrate a cyber risk framework.
5. Continuous resilience: Embrace ongoing cyber resilience to stay ahead of the curve. Redefine the risk profile, continuously enhance security programs, build cybersecurity blackout readiness and champion AI and machine learning for proactive threat protection.

Cybersecurity is everyone’s responsibility, but if there’s one role that’s best placed to take charge of protecting the organisation, it’s the CEO.

*Jacqui Kernot is an experienced cybersecurity and risk professional, currently working as Accenture's Security Director for ANZ, after joining the company in 2022. Prior to this role, she was a cybersecurity partner at EY, working in financial services clients. Jacqui has previously led Telstra's cybersecurity business and held various leadership roles in startups and larger technology companies such as IBM and HP, both in Australia and the UK.

Top image credit: iStock.com/metamorworks