Can the CEO make a difference to your organisation’s cybersecurity?

Chief executives at companies that had the best cybersecurity outcomes over the past two years are 14x more likely to provide significant and broad support to cybersecurity.

Make ‘simply secure’ your business mantra

Cyber has got CEOs’ attention, but are they taking action?

Chief executives cited cyber threats as the number-two risk to business prospects in PwC’s 24th Annual Global CEO Survey — topped only by pandemics and other health crises. In North America and Western Europe, cyber was number one.

Our findings from the 2022 Global Digital Trust Insights Survey suggest an “expectations gap” for cyber, with CEOs perceiving that they are more involved in, and supportive of, setting and achieving cyber goals than their teams do. A persistent gap can spell disaster if it instills a false sense of security company-wide, given the CEO’s leading role in defining an organisation's culture.

How involved are CEOs in cyber? We asked nearly 700 CEOs and 2,900 other C-suite execs. Among our respondents, CEOs tend to see themselves as more involved in cybersecurity than others in the organisation do.

Many CEOs self-identify as engaged and strategic in their approaches to cyber. Our CEO respondents indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model, and future strategy.

Other executives don’t view things in quite the same way. Non-CEOs rated their CEOs as more reactive than proactive regarding cybersecurity. They say the chief executive is most likely to take part in cyber and privacy matters after a company breach or when contacted by regulators — not before.

Executives see CEOs getting involved in cyber when a crisis strikes. CEOs think they are more engaged.
Question: On which of the following cyber & privacy matters, would you/your CEO become personally involved? Rank them in order.
Base: Non-CEO Respondents: 2,929; CEO Respondents: 673
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

How much support does the CEO provide CISO leadership?

CEOs were more likely than non-CEOs to rate as “significant” their level of support in six areas. For instance, 37% of CEOs said they provide significant support for “ensuring adequate resources, funding and sufficient priority” to cyber, while only 30% of non-CEOs agreed that their CEOs do so.

And 34% of CEOs say they provide significant help to cyber leadership with “reducing investors’ uncertainty regarding organisational cyber risks” — while just 29% of non-CEOs agree. Thirty-six percent of CEOs say they empower their cyber leadership to connect with customers and business partners, while only 30% of non-CEOs say cyber gets that kind of support.

CEOs matter. CEOs in our “most improved” group (those with the best cybersecurity outcomes over the past two years) are 14x more likely to provide significant support across all categories. Similarly, the non-CEOs in the most improved group are 12x more likely to say their CEOs provide that significant boost.

The CEO’s engagement and support wield long-term importance. Executives in most regions and industries say the most important act for a more secure digital society by 2030 is educating CEOs and boards so they can better fulfill their cyber duties and responsibilities.

It’s time to close the expectations gap between the chief executives and the others in the C-suite regarding the level of CEO involvement and support of cybersecurity. Things seem headed in the right direction: Interactions with the CEO on cyber matters have increased significantly in the past two years, according to 46% of our survey respondents.

CEOs believe they give ‘significant’ cyber support, but only 3 in 10 executives agree

[Chart: share of respondents rating CEO support as ‘significant’, CEO view vs. non-CEO view, for each of the following areas; the percentage values are not reproduced here]

  • Ensure adequate resources, funding, and sufficient priority
  • Connect with confidence with customers and business partners
  • Embed cyber and privacy in key operations and decisions of the organisation
  • Reduce uncertainty around arising cyber risks for investors
  • Inspire the security team and increase their professional satisfaction
  • Clarify roles and responsibilities for cross-functional teaming on cyber
  • Create a cyber-proficient culture throughout the organisation
  • Clarify positions when there are tensions and conflicts among competing values

Question: What level of support do you/does your CEO provide your cyber leadership to accomplish the following?
Base: Non-CEO Respondents: 2,929; CEO Respondents: 673
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

CEOs and other executives agree on the changing cyber mission

Asked how CEOs frame the cyber mission in their organisation, more than half (54%) of the CEOs chose bigger-picture, growth-related objectives from their security team, as opposed to narrower, shorter-term expectations.

Non-CEOs echoed this mindset. In both groups, “a way to establish trust with our customers with respect to how we use their data ethically and protect their data” was the number-one cyber mission choice. CEOs really do set the tone for the rest of the organisation.


Cybersecurity’s mission is shifting to developing trust and business growth

Question: Which of the following best describes how you/your CEO frames the cybersecurity mission to your organisation?
Base: Non-CEO Respondents: 2,929; CEO Respondents: 673
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

CEOs and non-CEOs name similar top goals for cyber in the next three years. These objectives mirror the famous Maslow’s hierarchy of needs, with prevention as the baseline, or most important; resilience coming next; followed by trust (including consumer trust: “improved customer experience” and “higher customer loyalty” rank fifth and seventh, respectively). Protection, resilience and trust comprise the three legs of the cybersecurity stool, each important for the security of the business overall.

Top goals are:

  • Increased prevention of successful attacks (this ranks number three in the energy and utilities sector)

  • Faster response times to incidents and disruptions

  • Improved confidence of leaders in the organisation’s ability to manage present and future threats (number one in energy, utilities, and resources)


Cyber-ready for today and tomorrow: goals for the next three years

Question: In the next three years, what goals will you be focused on, in relation to the changes you will be making in cyber strategy, people and investments?
Respondents: Industrial manufacturing=789, technology, media and telecommunications=824, financial services=724, retail and consumer=581, energy, utilities and resources=299, healthcare=255, government/public services=126
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

How can CEOs make a difference to their organisation’s cybersecurity?

The top 10% that are “most advanced” in cyber practices or “most improved” on cyber outcomes are in a good position. But the majority overall — 63% of organisations — don’t get the kind of support they need from their CEO. The fact is, both the CEO and CISO need to work together better to benefit the company.

CEO: How much should you be involved in your organisation’s cybersecurity — without taking on undue burden?

A powerful CEO move: making an explicit statement establishing an imperative for security and privacy organisation-wide. In some cases, the organisation’s mission statement is already implicitly supportive, such as Liberty Mutual’s mission statement to “help people live safer, more secure lives.” Red Bull’s dedication to distinguished products and services gives its CISO the mandate to make security an integral part of the product and service quality delivered to customers.

A related CEO imperative: empowering your CISO to carry out the cybersecurity mission, voicing support and providing resources for secure-by-design, secure-by-default processes. Some may add the CISO to the C-suite. Others may help the CISO communicate more with the board or revamp the enterprise’s structure to embed security staff on business teams. Empowering CISOs may also mean giving them the platform to speak outside the organisation to customers about its security and privacy initiatives, as a trust officer would.

This period of great complexity in the business world demands a third CEO imperative. The CEO must modify certain elements of the company’s business and/or operating models to make the company “simply secure” when the security team identifies wasteful habits. For example, in the name of speed, a “get to market first, fix security later” mindset prevails. Companies aren’t fully mitigating remote work risks. Business units often buy technologies and contract with third parties autonomously. Cybersecurity is too often an afterthought in cloud adoption or transformation.

By taking action, the CEO reinforces a zero-tolerance mentality for complexity that gets in the way of security.

CISO: How well do you understand the business? How connected are you with leaders on the business side?

For an organisation that’s simply secure, CISOs must move out of the technology trenches and broaden their outreach — learning from the CFO how to talk about the financial implications of risk, for example, in a language the board understands, or working with the product manager to devise developer-friendly ways to secure applications.

This change may require a mindset shift for many CISOs. Our survey shows that CISOs interact most frequently with the CIO and chief technology officer, and least frequently with the chief marketing officer and product management leader. The CFO also ranks low on the interactions list. CISOs will need to spend more time with these business partners to begin to speak their language and better understand their business imperatives.

More than 21% placed the CEO among the three positions with whom they least come in contact; some 10% placed the CEO at the very bottom of the list. The CEO-CISO divide is widest in Europe: 27% of CISOs in western Europe and 28% in eastern Europe placed their chief executive among the bottom three with whom they interact, followed by Asia Pacific (21%) and North America (19%).

Takeaways

For the CEO

  • Frame cybersecurity as important to business growth and customer trust — not just defense and controls — to create a security mindset organisation-wide.
  • Demonstrate your trust in and steadfast support for your CISO.
  • Come to grips with the problems and risks in your business models and change what needs to be changed. You’ll have lots of opportunities to follow Peter Drucker’s advice: “Management is doing things right; leadership is doing the right things.”

For the CISO

  • Familiarise yourself with your organisation’s business strategy.
  • Build a stronger relationship with your CEO, and keep the dialogue going to help your CEO clear the way for simply secure practices.
  • Equip yourself with the skills you need to thrive in the evolving, expanding role for cyber in business. And reorient your teams, if you haven’t already, towards business value and customer trust.

Contact us

Sean Joyce
Partner, Global Cybersecurity and Privacy Leader, Risk Services leader, PwC United States