They hail from enterprises worth US$12bn and with workforces averaging 40,000 employees, but their candid responses hold lessons for all CEOs

When cyberattacks happen, C-level executives answer to the response as the face of the company. In a cyber climate wherein the Asia Pacific region faced the highest number of cyberattacks in 2022, what mindsets and playbook strategies should leaders in the region and beyond arm themselves with?

In a recent report gleaned from the hour-long candid insights of 37 CEOs (nine Americans, 13 Asians and 15 Europeans, of which nine had actually experienced an attack) from corporations commanding average annual revenues of at least US$12bn and employing an average of 40,000 employees, four key mindsets were discerned.

First, all the respondents indicated (under conditions of anonymity) that they felt accountable for cybersecurity. However, a perception gap was observed in some Chief Information Security Officers (CISOs) who did not feel their CEOs demonstrated the accountability. This gap in perception could lie partly in how CEO’s perceived the definition of being accountable: they could have seen themselves as being the face of the mistake instead of being a leader trusted to assume co-responsibility together with their CISO.

Three other mindsets

In addition to the first mindset of having a correct and acceptable understanding the meaning of accountability, the other three summarized in the report in reference to CEOs of large enterprises, were:

    1. Stay away from blindly trusting their technology teams. Instead, CEOs should move to a state of ‘informed trust’ about their enterprise’s level of maturity in cyber resilience.
    2. Embrace the ‘preparedness paradox’: an inverse relationship between the perception of preparedness and the actual level of resilience: the more highly a CEO thinks of his/her organization’s preparedness for a serious cyberattack is, the less resilient the organization likely is.
    3. Adapt their communication styles to regulate pressure from external stakeholders that have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs of such corporations should either be a transmitter, filter, absorber or amplifier of pressure.

According to Rashmy Chatterjee, CEO, ISTARI, which co-produced the report: “As our research shows, CEOs struggle to know how to lead their organizations’ responses. From these candid conversations, we can better answer what their role should be, and fill the gap in what CEOs need to do to build and command cyber resilient organizations.”

Michael Smets, Professor of Management, Saïd Business School, University of Oxford and co-author of the joint research, said: “The fact that all CEOs in our study felt accountable for cybersecurity, but less than a third of them felt comfortable making decisions in that area, reveals an alarming gap. To build cyber resilience, CEOs must close that gap.”