Cybersecurity is the strategic business vulnerability American CEOs are most concerned about. A recent KPMG survey of more than 400 US-based CEOs reveals that 38 percent consider cybersecurity to be the top threat facing their business. By comparison, cybersecurity did not rank in the top five risks just last year. Yet despite the overwhelming concern, only 51 percent of businesses report having invested capital funds in information security over the past year. It’s no surprise that only 26 percent of CEOs consider their business “fully prepared” for a cybersecurity incident.
It’s clear that CEOs recognize the threat, so why hasn’t funding followed suit? There are plenty of business reasons that can explain away delayed investment, but I think it also has to do with the nature of cybersecurity compared to other business risks: it’s always evolving, it’s endlessly complex, and it’s ultimately unwinnable.
Cybersecurity is a constant struggle to stay one step ahead of attackers, but simply keeping up with a conversation on the subject requires a degree in computer science. Case in point: the same KPMG survey found that 18 percent of CEOs are uncomfortable with the degree to which cybersecurity is part of their job. I’d wager that number will grow quickly with the ubiquity of data security incidents.
But just because there’s a gap between the severity of the problem and the funding its solution receives does not mean the answer is to throw money at it. Quite the contrary, there are smart, cost-effective steps that CEOs should consider to improve their company’s readiness:
- Hire a C-suite level officer to oversee cybersecurity. A dedicated chief security officer will relieve the CEO or COO of concerning themselves with technical details, ensure the issue remains a priority at the highest levels, and improve cybersecurity alignment across the company.
- Invest in employee training specific to cybersecurity. The human element is one of the principal cybersecurity vulnerabilities, yet it’s often forgotten. Train well and train often.
- Prepare for the worst. As the saying goes, it’s not if you’re breached, but when. Unfortunately, the cliché is true, so companies must have a tested response plan and quality cyber insurance to mitigate reputational and financial harm.
If you fall in line with the survey results, then congrats—recognition is the first step. Now it’s time to think strategically and make investments that will protect your company.