Are Australian CEOs out of touch with cyber security?

04 December 2019

Leon Fouche , National Leader, Cyber Security |

Australian CEOs are out of touch with their cyber security team regarding the preparedness of their business, and the risks posed by cyber threats. This was highlighted in a recent Unisys report, which highlights differing perspectives between CEOs and their CISOs.

So, how much are Australian CEOs out of touch, why has this happened, and what can be done about it?

Why Australian CEOs are out of touch?

The Unisys report reveals a number of stark statistics that show the different perspectives we’re talking about today. For instance, when asked whether their organisation had recently suffered a data breach, 6% of CEOs said ‘yes’ compared to 63% of CISOs. Additionally, nearly half of CEOs believe their organisation can respond to cyber threats in real-time, compared to 26% of CISOs.

Now, it’s logical that CISOs would be more aware of cyber issues because they have a better understanding of that side of the business - they understand the problem and what’s required to deal with it. But CEOs may not have the right education and background to be dealing with cyber risk. One-third of CEO respondents to the Unisys survey believed cyber security is an IT or operations issue, and so don’t see it as a business priority. Additionally, Unisys’ Australia/NZ Industry Director, Cyber Security Gergana Kiryakova believes CEOs and CISOs don’t share the same definitions of terms such as ‘cyber breach’.

"For a CISO,” she told CIO Australia, “[Theft of] metadata might represent a data breach whereas, for a CEO, the metadata might not.”

What can be done to bridge the gap?

Bridging the communication gap between CEOs and CISOs will require more frequent communication on the parts of both parties.

For CISOs…

CISOs need to change the way they communicate cyber risks. Creating regular reports and briefing the CEO or board is a vital first step, however, these reports must be communicated in a language that these parties understand.

We’re not suggesting that technical information be ‘dumbed down’, but rather the focus of the report switch from technical issues to their potential business impact. For example, rather than reporting that there has been an increase in phishing attacks that employees are falling for, instead, the CISO needs to communicate the impact these attacks have on the business operation. So, a 10% loss in productivity due to risk mitigation and recovery efforts from phishing attacks, an increase in reputational risk if customer data has been lost through a cyber attack, and so on.

CISOs can then establish which threats are the greatest priority, and present this information to the CEO or board.

For CEOs…

CEOs need to view cyber security as a business priority and not a mere IT issue. Then, they can put in place appropriate processes to evaluate the business risk posed by such cyber threats, in collaboration with their CISO.

CEOs should then consider providing the right authority and allocating appropriate resources back to their CISOs so they can act on the threats. In this way, the CISO isn’t just accountable for the detection, response to and recovery from cyber threats, but they also have the authority to implement appropriate strategies for protecting against the threats.

How can BDO help?

At BDO Australia, our cyber and risk teams work in close collaboration to ensure that we can provide integrated cyber risk services across all levels within the organisation and appropriate advice on how to best prepare for cyber threats.

Our risk practice can work to help you understand the impact of certain business risks and to ensure you make smart decisions about your appetite for risk.

Meanwhile, our cyber team can work with our risk team and your board to help facilitate better understanding and communication between cyber security teams and organisational leadership. We can perform in-depth risk assessments that cover the whole cyber spectrum, including IT, information and physical-systems security. From here, we can help you develop appropriate cyber resilience strategies to mitigate the risks to your enterprise.

To learn more about our risk and cyber security services, contact us today.