A new report ‘The Cyber-Resilient CEO’, which was based on a survey of 1,000 CEOs from large organizations from around the world, has identified the top characteristics of CEOs who take a strong approach to organizational cyber resilience.
The Accenture research points to the reactive way in which CEOs treat cyber security, which results in greater risk of attacks and higher costs to respond to and remediate them. It notes that 60% of CEOs said their organizations don’t incorporate cyber security into business strategies, services or products from the outset, and more than four in 10 (44%) of the CEOs believe that cyber security requires episodic intervention rather than ongoing attention.
Adding to this reactive stance is the incorrect assumption by more than half (54%) of CEOs that the cost of implementing cyber security is higher than the cost of suffering a cyber attack despite history showing otherwise.
In addition, despite 90% of CEOs saying they consider cyber security a differentiating factor for their products or services to help them build trust among customers, only 15% have dedicated board meetings for discussing cyber security issues. This disconnect might be explained by the fact that the vast majority (91%) of CEOs said cyber security is a technical function that is the responsibility of the CIO or chief information security officer.
The report also suggests that generative AI holds the potential to introduce a greater level of advanced security threats introducing new challenges that even best-practice cyber defenses may not fully address. Nearly two-thirds (64%) of CEOs surveyed said that cybercriminals could use generative AI to create sophisticated and hard-to-detect cyber attacks, such as phishing scams, social engineering attacks and automated hacks.
The research identifies a small group of CEOs who excel at cyber resilience. This group—which Accenture calls ‘cyber-resilient CEOs’ and accounts for 5% of respondents—uses a wider lens to assess cyber security across all aspects of their organizations. The companies of these leaders detect, contain and remediate cyber threats faster than other organizations. As a result, their breach costs are considerably lower and financial performance significantly better than the rest, achieving 16% higher incremental revenue growth, 21% more cost-reduction improvements, and 19% healthier balance-sheet improvements, on average.
On the flip side are ‘cyber laggards’ — accounting for nearly half (46%) of the CEOs—who don’t consistently or rigorously take any of the actions that cyber-resilient CEOs do and are typically stuck in a reactionary mode.
Five actions that cyber-resilient CEOs are far more likely than cyber laggards to take proactively are:
- Embedding cyber resilience in the business strategy from the start. Cyber-resilient CEOs are nearly twice as likely to manage cyber performance in the same way they manage financial performance (60% vs. 33%).
- Establishing shared cyber security accountability across the organization. Cyber-resilient CEOs are far more likely adopt shared accountability across the c-suite, inspiring executives to champion cyber security as a competitive differentiator that accelerates innovation safely (68% vs. 37%) and work closely with their CISOs to assess and manage the risks of generative AI, ensuring that the technology is used safely and effectively (54% vs. 33%).
- Securing the digital core at the heart of the organization. Cyber-resilient CEOs are more than twice as likely to say they plan to boost their cybersecurity budget as the adoption and implementation of digital and emerging technologies intensifies (76% vs. 35%).
- Extending cyber resilience beyond organizational boundaries and silos. Cyber-resilient CEOs are 40% more likely to implement specific policies and controls for third parties and even more likely to promote an enterprise-wide risk assessment approach that cuts across business units and functions (64% vs. 41%).
- Embracing ongoing cyber resilience to stay ahead of the curve. Cyber-resilient CEOs are far more likely to commit to continually establishing industry-leading cyber security measures that take into account the changing risk landscape and align with c-suite priorities in order to protect the business and detect and respond effectively to cyberattacks (60% vs. 34%).
Accenture Research surveyed 1,000 CEOs from large organizations (revenues > US$1 billion) across 19 industries and 15 countries in North America, South America, Europe, Asia-Pacific, and the Middle East. The goal was to determine their organization’s level of cyber resilience and approach to cyber security business practices. The survey was conducted online in June 2023.