For years, CIOs and CISOs have been trying to get their CEOs to pay closer attention to the growing threat of cyber crime and to do something about it. For their part, many CEOs of leading companies have heeded the call, investing significant time, money and expertise in a bid to enhance their organizations’ cyber security.
Is it possible, however, that some of these leaders are actually overconfident when it comes to assessing how prepared their organizations are to deal with a cyber event?
Case in point: in KPMG’s 2017 Global CEO Outlook Survey, cyber security dropped from number one to number five on the list of CEOs’ top concerns.
“That’s a big drop, particularly at a time when international bank heists, disrupted elections, ransomware and state-sponsored attacks continue to make headlines,” says Akhilesh Tuteja, Global Cyber Security Practice Co-Leader at KPMG. “Furthermore, 42 percent of CEOs who responded to the survey said they believe they are ‘fully prepared’ for a cyber event at their organization. Last year, only 25 percent of CEOs said they felt that level of preparedness. My guess is that if we were to ask CEOs these same questions today, in the wake of two worldwide ransomware attacks, a smaller number would say they consider themselves fully prepared.”
The good news in all of this is that CEOs have taken note of the risks associated with cyber crime and many of them are spearheading their companies’ efforts to address these risks. At the same time, however, according to Tuteja, it’s very likely that at least some of these same CEOs have a false sense of security when it comes to their level of preparedness.
“There was one finding from our CEO survey that was particularly fascinating,” says Tuteja. “We asked CEOs from various industries to describe how prepared they felt against a potential cyber event. We found that the CEOs who said they felt most prepared were from industries such as automotive, consumer and retail…industries that have not been particularly hard hit by cyber attacks. However, the CEOs who said they felt least prepared were those from the banking, technology and telecom industries…industries that have had extensive experience dealing with cyber attacks.”
The takeaway? As Tuteja describes it, in the world of cyber security, there’s some truth to the old adage, ‘ignorance is bliss’.
“If you talk to people who have never been hit by any type of cyber threat, they tend to have a stronger sense of denial.”
The moment they get hit with a cyber attack, however, they go into what he calls the ‘worry’ phase, putting every possible dollar, effort and resource into cyber security. The moment such a ‘project’ is complete, they move into the ‘overstated’ or ‘false confidence’ phase.
“They think ‘we were exposed, but now we’ve fixed it’,” says Tuteja. “Then, invariably, they get hit again. That’s what we call the ‘hard lesson’ phase. This is when they come to the realization that there is no such thing as absolute cyber security. It is only then that they can move into the ‘cyber leadership’ phase. A big part of that phase is the realization that cyber security is not an event or a project but, rather, it is an ongoing journey.”
“The reality is that security is not just about how secure you actually are,” says Tuteja. “It’s also about how secure you ‘perceive’ yourself to be. And we believe that in some cases, these responses are governed more by the perception of security rather than the fact that they’re actually secure.”