In an article, BCG reviews four questions every CEO must answer; it focuses mainly on cybersecurity.
Until recently, CEOs could delegate accountability for cybersecurity to their chief information or security officers. Those days are gone. Today, when a public company suffers a serious cyber attack—not “if” but “when”—the CEO must explain the details and implications within days to regulators, the investing public, and other stakeholders.
Several factors are vaulting cybersecurity to the top of the CEO agenda:
- More advanced hacking tools. New tools now make phishing attacks easier, more effective, and less time-consuming to execute. With generative AI, for example, infiltrators can create more realistic deepfake text messages, photos, websites, video, and even real-time voice conversations in minutes. Fraud tutorials, money laundering services, ransomware-as-a-service solutions, and cloned drivers’ licenses and credit cards are all available for modest sums on dark web markets.
- A growing need for digital transformation. Some of the most sophisticated and damaging attacks—often by government-backed criminal organizations with abundant time and resources—are penetrating tools and solutions that are integral to corporate digital transformation efforts. “Companies that are going through digital transformation are vulnerable,” says Or Klier, a cybersecurity expert and BCG managing director and partner. “They have to manage two types of technologies—their legacy IT and solutions and those they are migrating to.”
- Increased risk from third-party vendors. Companies are expanding the number and type of third-party vendors they work with, and their supply chains are becoming more complex. Each additional link to a third party presents a potential window into a company’s network.
- Greater regulatory oversight. Mounting systemic threats have prompted regulators in the US and Europe to impose a greater legal onus on boards to ensure their companies have robust cybersecurity risk-management procedures, controls, and governance in place. Government watchdogs are also requiring companies to be more transparent about breaches and their consequences.
The Cybersecurity Questions Every CEO Must Answer
CEOs must be prepared to lead, and engage in, the company’s cybersecurity strategy. They can start by answering four questions:
How prepared am I for a strategic discussion with my board?
CEOs don’t need to dive into the technical weeds of cybersecurity, but they do need sufficient command of the subject to hold an in-depth discussion with their boards, regulators, managers, and key stakeholders. That starts with understanding the greatest cybersecurity threats their company faces and the key vulnerabilities and risk exposure of their most critical systems. CEOs need to know their organization’s “crown jewels”—assets that, if successfully attacked, would cause the most serious damage to their organization, investors, and customers—and what is required to protect them.
How secure is our digital transition?
As organizations race to digitize, CEOs should not assume that the IT solutions and cloud platforms they’re migrating to are sufficiently secure. “Many companies moving to the cloud don’t have a clear plan to manage the transition from legacy systems,” says BCG’s Klier. “They mistakenly believe that all the security they need is supplied by the cloud provider.” Instead, CEOs can embed security into digital overhauls and AI development as they’re being implemented—a concept known as “secure by design.”
Are we spending the right amount on cybersecurity—and in the right places?
The vast majority of cybersecurity spending goes toward defending against attacks, with only 20% devoted to response and recovery. CEOs should devote as much focus and budget to rapidly responding to and recovering from breaches as they do to defending against them. By doing so, they will be better equipped to get systems back online as soon as possible when the inevitable breach happens.
Do we have the right capabilities, culture, and talent to enable us to evolve securely?
Most companies train their employees to spot phishing emails and be more careful when sharing data, but human error is still involved to some degree in most breaches. For that reason, CEOs should embed cybersecurity—from detection and protection through response and recovery—into their company culture.
As threats proliferate and the toll from attacks grows, the cybersecurity stakes are only getting higher for CEOs and the companies they lead. CEOs must rise to the moment—because if there is a significant attack, the ultimate responsibility for dealing with the consequences will fall squarely on their shoulders.
Source: BCG in LinkedIn, dated 8th of August 2024