Cyber attacks are on the rise. With each passing year, the sheer volume and sophistication of attacks continue to shock even those outside of the cybersecurity community. Despite this, a recent McKinsey report omitted cybersecurity from its list of top CEO priorities for 2024, a decision that has sparked significant debate among industry experts, including Forbes contributor Noah Barsky, who wrote an article responding to this report.
If CEOs take McKinsey’s guidance as gospel and omit cybersecurity from their priority list in 2024, they risk far more than sparking a debate. In 2023, the global average cost of a data breach reached an all-time high, with businesses facing substantial financial and reputational damage, and this only looks set to increase in 2024. In light of this, cybersecurity should be a firm priority for all CEOs and board members. Here, we dive into this and explain why cybersecurity should be on the agenda for CEOs in 2024.
In his Forbes article, Noah states, "CEOs simply cannot afford to underestimate cybersecurity, relegate it to 'IT project status' or outright omit it from c-suite agendas." Many are aware of the need to align cybersecurity with business strategy. However, for those who still see cybersecurity as an IT team or CISO problem, 2024 has to be the year this changes. Here’s why:
In the first quarter of 2024 alone, there was a significant increase (28%) in cyber attacks per organization per week compared with the last quarter of 2023. A plethora of factors is likely driving the increase; however, it is likely that advancing technologies, like AI, are somewhat responsible.
Attackers are able to launch more sophisticated attacks more quickly and at a greater frequency than ever before. The speed at which this technology is developing, together with a rocky global geopolitical landscape that provides cause for cyber-attacks, has left many businesses scrambling to find a way to combat this in their cybersecurity program.
CISOs cannot solve this problem alone. There will be a need for investment from the business to arm them with the resources they need to protect their business. But perhaps even more importantly, they need input and buy-in from the wider business to develop a data-driven cyber risk management lifecycle that aligns with their wider business strategy and objectives.
Despite businesses spending more on cybersecurity than ever before, these attacks are still increasing. So we can assume that investment is not being utilized in the most effective way. The proliferation of cybersecurity technology has led to a very expensive, fragmented, scatter-gun approach to cyber risk management that ultimately doesn’t deliver clear business ROI.
That’s why businesses need to see the big picture when it comes to their risk and have the insights they need to make the best decisions on how to protect their business with optimal efficiency and effectiveness. That’s why Noah and the NACD point to X-Analytics - it allows businesses to do just that.
Off the back of events like the SolarWinds breach, it is no secret that cybersecurity regulators are looking at businesses with more scrutiny than ever before. Businesses and security individuals are facing sanctions in the event of a cybersecurity incident. The deputy attorney general for the U.S. Justice Department has said that “sanctions are the new FCPA,” highlighting that this is likely to become the new normal for businesses and cybersecurity professionals.
Regulations are changing and tightening, and non-compliance can result in hefty fines and legal repercussions. For CEOs, avoiding negative press and lawsuits that could potentially tank stocks and public perception (or worse) is always a priority, and in today’s world, cybersecurity breaches, non-compliance and negligence are a sure-fire way to attract heat from governing bodies and less than desirable headlines.
CEOs need to be working with their CISOs to ensure their business remains compliant as regulations change and that the whole business is on board with what this means for business operations. GRC (Governance, Risk and Compliance) needs to be on the agenda for all CEOs and business leaders. It’s not just a CISO’s problem, it’s a business problem.
Since the events of 2020, CEOs have become increasingly aware of the necessity for digitizing business operations as part of their business continuity plan. While maturing their digital business strategies is firmly on the agenda for C-Suite executives, ensuring that any new processes are in line with their cyber risk governance program seems to fall by the wayside.
As new processes and technologies are adopted, businesses need to be able to understand and manage third-party digital risks. In order to do this, CEOs need to be engaging CISOs at every stage of digital transformation to ensure that the correct risk management controls are in place as changes are made.
This process of developing secure digital operations has two key components that are needed to ensure success:
Firstly, employees need to receive sufficient training and education on the day-to-day threats they may encounter, how to avoid falling victim to an attack and the correct protocols to follow should they identify a threat. This can be driven by the CISO primarily, but they will need support from the wider business from the top down to drive adoption.
Secondly, businesses need to adopt the right technology to be able to view and manage the level of risk being introduced by these measures, so they can ensure that risk is being mitigated, transferred or managed appropriately. X-Analytics is supporting businesses to do this by giving them a consolidated view of their cyber risk, including external threats, third-party risk and operational risk. That’s why X-Analytics is endorsed by the NACD as the solution to managing risk through a simple business lens in an increasingly complex landscape, allowing CEOs and business leaders to easily understand the cyber risk landscape so they can have productive conversations to protect their business at the top level of the business.
Ignoring cybersecurity is not an option for CEOs in 2024. This is why it is so important that publications like Forbes are highlighting this oversight - cybersecurity needs to be a high priority on every board agenda.
CEOs need to be aware of the risk cyber threats pose to their business and the impact of new technologies and processes on their risk level, and they need to be at the forefront of fostering a culture of security throughout the business in order to effectively safeguard their organization.
The ultimate responsibility of a CEO is to protect their business and ensure its success. They cannot possibly hope to achieve this if they don’t prioritize managing one of the biggest risks their organization faces in the modern world.