"What Do CEOs Really Think about Cyber Risk? First-Of-Its-Kind Study Reveals All"
Through 37 in-depth interviews with global CEOs, a team of researchers from the University of Oxford and ISTARI revealed the emotions and challenges associated with effectively managing cyber risk. They have shared the findings of their joint CEO Report on Cyber Resilience, which applies a top-management perspective to cybersecurity risks and emphasizes CEOs' critical role in establishing cyber resilience. It presents insights from one-hour face-to-face interviews with American, Asian, and European CEOs whose companies' average annual revenue is $12 billion, with an average of 40,000 employees. Nine CEOs had led their organization through a severe cyberattack. Under anonymity, the CEOs discussed their feelings, frustrations, and regrets regarding cyber threats and security. The CEOs admitted that they are formally accountable for cybersecurity to regulators, shareholders, and their boards. However, most (72 percent) reported being uncomfortable about making cybersecurity-related decisions, often prompting them to delegate responsibility for and understanding of cybersecurity to their technology teams, which can compromise resilience. All interviewed CEOs stated that they feel accountable for cybersecurity, but a parallel ISTARI survey of CISOs revealed that two European (50 percent) and nearly a third of US (30 percent) CISOs did not believe that their CEOs feel accountable. According to the research, this perception gap is partially due to the notion of accountability. CEOs should view themselves as co-responsible with their CISO for cyber resilience, rather than as solely responsible. This article continues to discuss findings from interviews with global CEOs regarding what they think about cyber risk as well as the mindsets CEOs need to lead cyber-resilient businesses.