Teamwork makes the dream work. Unfortunately, when it comes to cyber security issues, CEOs and their CIOs aren’t always on the same page, and the dream can turn into a nightmare.
This communications breakdown is highlighted by two recent surveys showing that CEOs view their companies’ cyber security readiness very differently than their CIOs. The KPMG U.S. CEO Outlook 2018 found that 77 percent of CEOs believe their organizations are either “very well” or “well” prepared for a cyber incident. This stands in stark contrast to only 22 percent of CIOs and tech leaders who feel the same way, according to Harvey Nash/KPMG CIO Survey 2018.
This is a critical gap as cyber security is a growing threat to all organizations. And you can’t go past a newspaper stand or TV without seeing a story about how cyber-attacks have devastated a company. A company can take a huge hit to its pocketbook or reputation if money or data is lost, stolen or deleted. Investors, the public, and even your employees are left believing that you were negligent with your cyber security setup, which can ultimately undermine your company’s stability, and possibly survival.
Why the disconnect?
There’s enough blame to go around. In some cases, CEOs may be willfully blind about the state of the firm’s cyber security protection. They may want to paint a rosier picture to investors, the board or the stakeholders than what actually exists so they can generate or boost confidence in the business. In other instances, they may not fully understand the nuances of cyber security and may be convinced, often by third-party vendors, that the firm’s cyber defenses are pristine.
But the blame may also fall on the shoulders of the CIO. Communicating complicated, technology-related information in a manner that non-IT experts understand can be a challenge. CIOs (and their IT departments) may be experts in their field, but they may fall short in articulating the shortcomings of their firm’s cyber security system and what needs to be done in a manner that resonates with the CEO.
Getting the message across
Here are some techniques to help CIOs communicate the true status of their firm’s cyber security to their CEOs and boards.
- Meet regularly with the CEO to communicate cyber-risk and technology issues. You should also attend board and other executive meetings whenever possible to help you stay up-to-date on relevant company information and issues. Note that while almost two-thirds of CIOs are members of the board or part of the executive management team, this figure is down nine percent from the prior year.
- Tell the cyber and technology “story” at the appropriate level when you meet with the CEO and/or the board. Don’t be too basic, but also don’t bombard them with bits and bytes of data that will just go over their heads. Be transparent about performance issues and present benchmarking information about what other comparable organizations are doing.
- Become more business savvy. CIOs need to view the cyber world through the lens of the business. Have your CEO clearly articulate the firm’s business goals and risk tolerance level in terms of cyber. After that, you can better identify, quantify and prioritize cyber risks, and describe, in plain language, the potential cyber risk in terms of “buckets” of financial, reputational, regulatory, and personnel/safety damage (e.g., critical: $500 million+; moderate: $50 million or less). Then, make recommendations about what the business should do, where it needs to invest (or increase investment), and how the investment will help.
- Act as a cyber risk consultant with respect to third-party vendors. In the past, CIOs typically had significant input in decision-making with respect to third-party vendors or suppliers where potential IT issues were involved. These days, CIOs and internal IT departments are often cut out of this process.
CEOs and individual business units might go off on their own and make deals with vendors who provide services or supplies with IT-related components (e.g., supply chain providers, lead-generation marketing services, and cloud service providers). These vendors may give CEOs a false sense of security, reassuring them that their cyber protection is bulletproof. And these reassurances are too readily accepted because the CEOs are focused on functionality, not cyber security.
CIOs need to insert themselves into the situation and take on the role of risk management consultants. They’re the ones in the weeds who know the right questions to ask and what to look for (e.g., how privileged-user access is managed). This may require CIOs and their departments to upgrade their business skills and “market” themselves a little differently to their organizations.
Making the dream come true
In this new business environment, to help their organizations bolster their cyber security protections and also boost their careers, CIOs must find ways to communicate more effectively and consistently with their CEOs and the board. They must integrate themselves into the various business units, learn what their IT needs are, and work together to help them achieve their goals while remaining on top of potential cyber security risks.