If you agree with that old expression that recognising the problem is half the battle, then members of the cyber security profession have cause for optimism, at least based on the findings of KPMG's 2018 Global CEO Outlook.
That's because our annual survey of the world's leading CEOs revealed a higher - and perhaps more realistic - level of concern about the threat of a cyber attack compared to last year. But before we celebrate this breakthrough attitudinal-shift among senior executives, remember that the bigger battle, and harder work, lies ahead.
It's clear that there is a rising sense of `cyber certainty' among the CEOs, as they recognise that the likelihood of their organisation becoming a victim of a cyber attack is a case of `when,' and not `if'. Almost half of the executives held this view and they now rate cyber security threats as the second highest risk to their firm's future growth, up from fifth place in our 2017 survey.
In addition, more than half of the CEOs stated that a strong cyber strategy is critical to engendering trust with their key stakeholders. And they feel a sense of urgency, since only 51 percent of survey respondents said they are well-prepared for a cyber attack.
How has cyber security made its way onto the radar of so many CEOs? It's partly due to the number of high profile cyber incidents in the past year, which have turned cyber into a universal threat across industries, from shipping to manufacturing, and beyond the traditionally-viewed higher risk sectors such as banking or technology.
I know that within my home geography, the Asia Pacific region, many of our clients are now making cyber a mandatory topic at the board level. These top leaders are approaching us with urgent requests, such as “What is our cyber exposure? Can you help us quantify the value at risk?” and “Can we develop plans for the unknowns? How do we deal with the exposures we do not know?”. They are also showing increased interest in operational resiliency and means to ensure continuity of business during and after major cyber events.
There are a number of steps that CEOs need to take to convert this `cyber concern' into `cyber confidence'.
First, CEOs need to ensure their entire senior management team understands that cyber must be a strategic-level priority. The reality is that an organisation that implements one-dimensional, tech-focused solutions concentrated on protection alone will miss the big picture and may put the organisation at greater risk. Cyber security can't just be a technology problem, but rather it must be a holistic one, by which cyber security considerations are imbedded at the earliest levels of product and service design, so that safety measures and risk assessments are baked into company strategies from the start, rather than letting cyber fears stunt company innovation and digital goals down the road.
Second, CEOs must translate their words into actions by playing an active part in cyber security discussions. That means interacting directly with the executives responsible for cyber including their Chief Information Security Officers, to help understand the key issues impacting the business, champion their work and help deliver their mandates across the business environment not specifically within the technology space. I was so encouraged to hear that 59 percent of our respondents see protecting customer data as a critical personal responsibility. That high level of personal accountability will likely translate into greater engagement by CEOs in the cyber measures developed and managed by their IT teams.
As CEOs take increased personal responsibility for cyber issues, they are acknowledging that there is no alternative. Having recognised the problem exists, it's time to start the real work of fortifying their organisation against cyber threats that are no longer a matter of `if' but `when?'