Is the C-Suite a Cyber Threat?

CEOs are in danger of being penny-wise and pound-foolish when it comes to cybersecurity. By Derrick Lilly | Summer 2018



There’s a new frontline in the cyber war — it’s within our own companies. “A disconnect about cybersecurity is causing tension among leaders in the C-suite — and may be leaving companies vulnerable to breaches as a result,” states a new report from security firm Centrify and Dow Jones Customer Intelligence.

In “CEO Disconnect is Weakening Cybersecurity,” CEOs are called out by fellow C-suite technical officers (TOs) — including CIOs, CTOs, CISOs, and even CFOs — for being “misinformed about security” and “misaligned with reality.”

The sharp-tongued criticism has survey data to back it: Only 55 percent of CEOs say their organization has experienced any breach, compared to 79 percent of CTOs. Further, 60 percent of CEOs are investing most in malware protection even though most (81 percent) breaches exploit identity. In fact, only 35 percent of TOs cite malware as a primary threat. Instead, TOs “point to identity breaches — including privileged user identity attacks and default, stolen or weak passwords — as the biggest threat,” the report states in revealing that while all respondents understand that identity breaches present a real danger, CEOs are much less inclined to give them prominence.

In short, CEOs are setting their own security strategies, driven in part, according to a survey of 800 senior executives, by sensational headlines about malware breaches in 2017 — like those about the cyberworm Wannacry that hobbled computers running Microsoft systems — and other faulty assumptions.

As a result, CEOs seem more focused on reducing the cost of a breach (55 percent) and protecting shareholder value (45 percent) rather than heeding the words of their TOs and CFOs and directing adequate budgets towards addressing the technical risks and challenges that threaten businesses today.

“While bottom-line considerations fall to them [CEOs], they are in danger of being penny-wise and pound-foolish if they fail to consider the impact of reputational damage,” the report says.

Worsening the situation is poor communication between CEOs and TOs, and a gaping disconnect over who is truly in charge of cybersecurity. The report reveals that 81 percent of CEOs say they are most accountable for their company’s cybersecurity strategy — only 16 percent of TOs agree. Rather, 78 percent of TOs say they are most accountable, and 56 percent of CFOs agree with them.

“The disconnect between CEOs and TOs is resulting in misaligned priorities and strategies, as well as misinvestments in cybersecurity solutions, which are weakening security,” the report states. “The status quo is not working. Business leaders need to bridge the communications chasm with their TOs and rethink security with a focus on identity and privileged access. To continue to do otherwise risks exposure to a preventable crisis.”