Why CEOs Need to Take a Proactive Approach to Cybersecurity
As cyberattacks grow ever more damaging and widespread, business leadership must become more involved in cybersecurity – and recognise that prevention of breaches is just as important as detection.
Ronen Yehoshua, CEO of Morphisec, examines the importance of CEOs tackling cybersecurity alongside the rest of the C-suite and the unique perspective they can bring to the issue.
With Cybersecurity Awareness Month here, it’s another opportunity for CEOs to understand the dire consequences of cyberattacks, the importance of cyber hygiene and the need for robust defences. While most CEOs recognise these needs, the mountain of responsibilities on their plate often means they can’t make cybersecurity a personal priority.
That’s where the Chief Information Security Officer (CISO) comes in. The CEO trusts the CISO to keep the enterprise’s critical IT infrastructure safe from all manner of cyberattacks. Delegating this huge responsibility ensures that cybersecurity receives the attention and investment it requires, but it also creates a less obvious risk: over-committing to the wrong defensive strategy.
As the threat landscape has exploded in recent years, some CISOs have gone all-in on threat detection and endpoint protection. The emphasis on detection is so pervasive that the market for related technologies has grown by 548% since 2015. One would expect increased investment in security technologies to show a corresponding decrease in successful breaches. Yet the opposite is true: attacks have only become more successful at evading defences, and the economic costs that follow breaches keep rising. Together, these two trends call into question the prevailing wisdom that better detection alone can secure the enterprise against attacks.
These two increases — higher spend and higher economic and reputation damage — should increasingly concern the modern CEO. That’s why I recommend that, instead of rubber-stamping cybersecurity initiatives, CEOs need to get involved in setting a new strategic direction for their enterprise’s cybersecurity to ensure that they mitigate cyber risk and protect the company against attack in a more cost-efficient and effective way.
Cybersecurity and the Modern CEO
From the CEO’s perspective, cybersecurity is a form of risk mitigation. Just as a debt-to-income ratio that is too high represents a financial risk, cyber risk is the likelihood of an attack breaching systems and causing financial damage. Mitigating cyber risk is a huge hurdle, though, given everything that follows from a single successful attack.
Business disruptions are the most immediate consequence, as when Honda was forced to pause global operations at great cost because of a ransomware attack. There are also commercial liabilities to worry about, for instance if customers sue after a data breach exposes their private information, along with regulatory liabilities for violating rules such as HIPAA and GDPR. Arguably worst of all, a cyberattack gives the victim’s brand a bad reputation that inhibits business opportunities for years to come.
It’s no wonder CEOs ask another executive to help them manage this risk. Less obvious is why CEOs continue to accept a woeful record on cybersecurity as the cost of doing business. As recently as 2019, detecting and remediating a breach took an average of 245 days and $8.94 million, even though CISOs are now common in the C-suite.
Why do we seem to be getting worse at cybersecurity? Mostly because prevailing wisdom has decided that attacks are inevitable and unstoppable. It’s common to hear the phrase “it’s not if you get breached, it’s when you get breached.” Rather than trying to prevent attacks from happening, security professionals work to minimise the consequences, with apparently abysmal results. The evidence suggests that the detection-focused approach favoured by so many CISOs hasn’t improved security; all it has done is bloat the security stack with over-specialised and under-performing detection tools.
That shouldn’t come as much of a surprise. After all, any strategy focused on stopping attacks after they have already landed accepts some damage by design. CISOs will argue they’ve adopted this strategy because it’s impossible to stop every attack, so containment is critical. In practice, investing in an endless series of detection tools lets an executive appear impactful while doing little to reduce the underlying risk.
CEOs may not want to get involved with cybersecurity; but when their companies are spending more on defences without lowering risk, it’s the CEO’s duty as steward of the enterprise to intervene.
Prioritising Proactive Cyber Defence
A proactive defence strategy comes from the top down. During the budget cycle, before approving more money for cybersecurity, CEOs should first ask for a report detailing every proactive defence currently in place and, if the list is short, ask what else the team is doing to prevent breaches from occurring in the first place.
A CISO might counter that existing tools already offer preventative capabilities, but those claims are often inflated by vendors. The simple test is outcomes: if a company is still suffering successful attacks, it is not stopping them early enough.
Prioritise prevention by encouraging the CISO to implement innovative technologies such as moving target defence, a strategy designed to stay ahead of unfamiliar and persistent attacks. At the same time, push back against the notion that legacy approaches and dominant vendors are the safest way to proceed. Aversion to risk can make CISOs resistant to change, but market-validated startups are driving innovation in this industry faster than the major players. Finally, use total cost of ownership (TCO) to evaluate whether to adopt a specific new defensive tool. With detection-oriented products, TCO tends to rise after several months as alert volume, tuning and analyst time accumulate; preventative technologies tend to do the opposite.
The buck stops with the CEO. There may be an executive tasked with cybersecurity, but the ultimate responsibility falls squarely on the shoulders of the chief. So be proactive: it will cost you and the company a lot less in the long run. As Benjamin Franklin once said, “an ounce of prevention is worth a pound of cure.” Although he was talking about fire safety at the time, the same principle applies to preventing cyberattacks. It is better to invest in approaches and tools that are truly proactive and preventive than to attempt to contain breaches after the fact.