We asked CEOs about cybersecurity and resilience: Here's what Information Security Officers must know

“We were in a harrowing situation and had to make difficult choices that no company ever wants to face,” said Joe Blount, chief executive officer (CEO) of Colonial Pipeline, as he was questioned before the US Senate one month after his company faced a ransomware attack. Colonial Pipeline is a major pipeline owner and operator responsible for transporting nearly half of the transportation fuel to the eastern United States.

Such a devastating cyberattack thrusts CEOs into the spotlight. Scrutinised by the media, shareholders, regulators and other stakeholders, they must make existential decisions based on imperfect information under extreme pressure – typically without deep expertise in cybersecurity. But surprisingly, no one to our knowledge has asked CEOs in a systematic way how they manage cybersecurity risk and the lessons they learnt from having endured a severe cyberattack.

In a first-of-its-kind study by the University of Oxford and ISTARI, hour-long interviews were conducted with 37 CEOs of large global companies from the US, Europe and Asia to understand how CEOs think and feel about cybersecurity. Importantly, we spoke to nine CEOs who had to lead their company through a devastating cyberattack. Assured of anonymity, they spoke with remarkable candour and honesty about the lessons learned and their anxieties and regrets.

Understanding how CEOs think and feel about cybersecurity and resilience is critical for chief information security officers (CISOs). It allows them to more effectively support their CEO in managing cyber risk and enables them to ask for more meaningful executive support for their cyber initiatives.

Here are three things CISOs need to know about their CEO to forge an effective cyber resilience partnership.

Although 100% of the CEOs we spoke with insisted that they feel accountable for cybersecurity, the majority (72%) admitted to being uncomfortable making decisions in cybersecurity.

Most CEOs have moved up the ranks through traditional business domains, such as finance, operations or marketing. Very few started their career in technology, let alone cyber, and then became a CEO. As a result, very few are familiar with information technologies and cybersecurity systems.

One CEO of an $8 billion European company succinctly highlighted that: “The CIO (Chief information officer) came to present at an executive meeting and asked us how many servers we thought the company had. The lowest estimate in the room was four, and the highest 250. The reality was more than 4,000.”

But when a serious cyberattack happens, such a lack of familiarity can inhibit a CEO’s ability to make sound decisions. The discomfort on the CEO’s part presents an opportunity for CISOs to help their CEOs become more comfortable in this area.

They can forge a stronger relationship to integrate technology and business imperatives in the pursuit of cyber resilience.

When we initially invited CEOs to be interviewed about cybersecurity, many spontaneously suggested we speak to their CISO instead, or at least invite them along. When the meeting with the CEO started, we could sense palpable anxiety about covering cybersecurity single-handedly.

But a minor change to our approach significantly changed the dynamics in the interviews: framing our conversation in terms of business resilience. When we asked, for instance, what made their company resilient during the COVID-19 pandemic, CEOs were subsequently comfortable moving to a conversation about cyber resilience. Although our interviews were scheduled for one hour, many CEOs stayed longer because, as they told us, they enjoyed the discussion about business and cyber resilience.

The importance of cyber resilience was further highlighted by those CEOs who had led their company through a serious cyberattack. One of their biggest regrets was focusing on cybersecurity protection, not resilience. Experiencing an attack made them understand that perfect cybersecurity protection is a losing game. Instead, they started to see cyberattacks as a 'predictable surprise' that every organization can suffer from. They thus shifted their strategic priority to improving their organization's cyber resilience.

Cyber resilience describes an organization’s ability to anticipate, withstand, respond and adapt to cyberattacks. The goal is to minimize impact, expedite recovery and emerge stronger.

This insight from the CEOs presents an opportunity for CISOs to frame their cyber strategy in terms of resilience, not cybersecurity protection. A few CISOs have reached out to us after reading our research, with one saying: “I’ve tuned our cyber strategy toward cyber resilience, and the message is landing really well across the business.”

All the CEOs we interviewed trusted their cybersecurity teams to do their job. That is generally a good thing. Yet, those CEOs who had suffered an attack regretted having unthinkingly trusted their cybersecurity teams. Blind trust to them meant that they had delegated responsibility and understanding to technical experts without being able to comprehend or critically challenge them fully.

When the company suffered an attack, delegation was no longer an option for the CEOs. Unlike in other more traditional areas, such as marketing or finance, CEOs lacked experience or intuition on moving forward in the cyber crisis. But having unthinkingly trusted experts before, the attack meant they had to put the company's fate in the hands of people who usually are much further down in the decision-making hierarchy, something they would typically not do.

This also presents an opportunity for CISOs to proactively encourage their CEOs to stop blindly trusting their cybersecurity teams and move to a state of informed trust instead.

To achieve this, CISOs can ask their CEO to commission an external audit, just like they commission financial audits. Such unbiased advice from external experts who report their findings directly to the CEO builds informed trust between the CEO and the CISO, while uncovering any blind spots the company might suffer from.