What Cybersecurity Chiefs Need From Their CEOs

COMMENTARY

It seems obvious: CEOs and their chief information security officers (CISOs) should be natural partners. With the persistent rise in cyber threats, most CEOs recognize the importance of having a strong security leader to protect the company's data, not to mention its reputation.

And yet, according to a PwC report, only 30% of CISOs feel they receive sufficient support from their CEO.

As if defending their organizations from bad actors despite budget constraints and chronic cybersecurity talent shortages wasn't already difficult enough, two 2023 cases — fraud charges against SolarWinds and its CISO and the sentencing of Uber's former CISO — have thrown security chiefs into the perilous position of potentially facing criminal charges and regulatory wrath if they make a mistake.

Small wonder that Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors. "Cybersecurity professionals are facing unsustainable levels of stress," the analyst firm's Deepti Gopal has said.

It is in no organization's interest to experience high turnover in the CISO role and absolutely serves them well to have successful, stable CISOs. Supportive partnerships between CEOs and cybersecurity chiefs are crucial. Here are four things CEOs can do to help:

1. Ensure the CISO Has a Direct Line to the CEO

Today, the vast majority of CISOs report to the CIO rather than the CEO, according to executive search and management consulting firm Hedrick and Struggles (PDF). Whatever the formal reporting relationship is in a given organization — CISO to CIO or directly to the CEO — the most important thing is that the security chief and company chief are in lockstep on cyber strategy and execution.

A 2023 Forrester report said this direct line can have five benefits for CISOs, including strong control over and management responsibility for the cybersecurity program, funding for security initiatives, and increased awareness of cybersecurity responsibilities company wide.

With cybersecurity now so vital, and in light of the uniquely huge pressures on the CISO, this is a good time for CEOs to examine how they're communicating and collaborating with their CISOs.

2. Have the CISO's Back

 How does a supportive CEO act? They empower the CISO to lead and execute the cybersecurity mission, they provide resources, and they're empathetic about how hard the job has become.

The importance of empathy can't be understated. Remember, in the wake of the SolarWinds and Uber cases, CISOs are now personally obligated to report material cybersecurity information accurately or they could face legal action. CEOs should deeply appreciate these hard truths and always approve the CISO's efforts toward full transparency.

When the CISO makes a good case for resources, the CEO must be honest about the severe risks that come with saying no. This kind of CEO is aligned with the CISO in never settling for "secure enough" but backing the security leader in opportunities for improvement.

3. Work With the CISO on a Resilience Strategy

While cybersecurity for the past 20 or 30 years was defined by prevention, it has become clear that the discussion needs to be reframed around resilience. Data has grown and diversified at a dizzying clip, to the point that most organizations struggle to even identify all the data they have and what's critical and what isn't. The Rubrik Zero Labs report found that, in 2022, data increased more than 25% in a typical organization, with data from software-as-a-service (SaaS) applications exploding at an astounding 236%.

This means that while organizations still need prevention strategies, they also are wise to acknowledge that attacks are inevitable and shift to a more achievable goal: protecting the most critical data (like confidential customer information and core company financial data and intellectual property), limiting the impact of attacks, working quickly to rectify them, and keeping the business running.

Key to building this resilient future are CEOs and CISOs who are in lockstep on why it makes sense and are collaborating closely to achieve it.

4. Agree on AI's Impact

The rise of generative AI and GenAI usefulness for attackers and defenders alike has received a lot of attention. AI is enabling cybercriminals to generate more code to attack organizations and, in turn, is becoming a necessary tool to assist security teams in understanding what's going on. CISOs need to be on top of both sides of this equation, but there also is another dynamic in play that CEOs can help arbitrate.

For many on the business side in a company, AI is a shiny new thing that presents opportunities to, say, offer customers new product features. But cybersecurity teams must take a close look at the use of GenAI in product development or customer support functions if they feel it is pushing the security risk envelope.

In any situations where this natural tension creates disputes that end up in front of the CEO, the CEO can support the CISO and the company's cyber mission by carefully weighing potential security exposures rather than defaulting to a "move fast and break things" mentality that prioritizes speed over security.

As these four suggestions show, CEOs have the power to help CISOs navigate the enormous expectations being placed on their shoulders. CEOs who exercise those powers aren't just doing the right thing for their CISOs, they're greatly benefiting their companies.