Cybersecurity And Leadership: Part 3, Executives
Executive leaders set the vision, tone, and mission for their organizations. They are accountable to Boards and, in conglomerates, to HQ-based executives; some are also accountable to investors, shareholders, and similar stakeholders for revenue growth, market share, or mission accomplishment.
Why are executives responsible for cybersecurity, and responsible to whom?
CTOs/CIOs and CEOs clearly share both authority and responsibility for cybersecurity. Most obviously, a CTO/CIO is ultimately accountable and responsible for cybersecurity in a way that a CFO is not. The CEO has the statutory authority to direct the CTO/CIO to implement cybersecurity processes and programs. Executives achieve results through subordinate leaders. If there is no middle manager, e.g. a CISO, who is accountable for implementing and maintaining a cybersecure organization, has the CTO/CIO outsourced cybersecurity to Big Consulting Company, and how is that relationship managed? Or, put another way, why is the CTO/CIO holding ongoing operational meetings with a vendor?
Let's ask more questions. Some CEOs are company founders, and some founders are CEOs or Board Chairs [no founder, as far as I can confirm after racking my brain, is going to stay in the corporation as a functional executive]. It is a fundamental fact in behavioral science that people do what they are reinforced to do, and executives are apex examples of this: they will do what gets them paid more. It is unheard of in human history for founders, who again are CEOs or Board Chairs, to be perfectly willing to make less money or suffer reputational damage because some hired underling failed at their job.
The cyberthreat environment keeps evolving to include both artificial intelligence agents and state-sponsored contractors that may seek to damage any company they can. It is almost impossible, and frankly unfair, to expect an executive to be proficient and knowledgeable in cyberthreat deterrence on a daily basis. Yet unlike Board members, executives need to understand the current and evolving cybersecurity landscape and operations well enough that they can attest that competent systems, processes, and middle managers have been positioned to detect and deter or defeat threats.
Let's close with answers to our initial questions: Why are executives responsible for cybersecurity, and responsible to whom?
Executives are responsible for cybersecurity effectiveness because they have empowered and paid personnel, either middle managers or Big Consulting Company, to keep bad cyber-related things from happening. Executives who cannot (or will not) understand what they bought, and who are unable to distinguish between inadequate cybersecurity and tolerable cybersecurity, should not be in a position of authority for cybersecurity. Any executive who is responsible for cybersecurity reports to the CEO or the Board, and should be evaluated in terms of their success in creating a secure cyber environment. Ask us how we can work with your executives to align their cybersecurity risk management approach with their mission goals.