CEOs are fully aware of the threats to their business from cyberattacks. Yet, most lack confidence in their organisation’s ability to avert or minimise such attacks. They learn how to be cyber resilient only after their organisation experiences a breach.
By Boland Lithebe, security lead for Accenture in Africa
This reactive way of treating cybersecurity results in a greater risk of attacks and higher costs to remediate them.
The rapidly rising cyber threats and the risks posed when security is not embedded into an organisation’s digital core can hamper national and corporate competitiveness. For instance, the war against Ukraine and geopolitical multi-polarisation have amplified many trends; in particular, global cybercrime costs are expected to reach $10,5-trillion annually by 2025, up from $3-trillion in 2015, and global cybersecurity spending is forecast to reach $300-billion in 2026. Already, cybercrime losses rose from $3-trillion in 2015 to $8-trillion in 2023. This is according to our recent study titled The Cyber-Resilient CEO.
Operational technology and products are increasingly vulnerable to cyberattacks, and securing these cyber-physical systems remains a challenge perceived as adding time, cost and complexity. Digital innovation, such as generative AI, is also likely to introduce new forms of complexity. Sixty-four percent of CEOs in our study said that bad actors could use generative AI to create new sophisticated and hard-to-detect cyberattacks.
Ten years ago, Accenture foresaw every business as a digital business and today every organisation is a technology organisation, too. These businesses are using digital technologies extensively, such as cloud, edge computing, 5G and now generative AI, to transform in an increasingly disruptive world. In our research, 96% of CEOs said that technology plays a critical role in their current and future transformation and reinvention initiatives.
But the dramatic changes prompted by these digital transformation and reinvention efforts also introduce new avenues for cyberattacks that are not only proliferating but also upending business plans. The Accenture Global Disruption Index – a composite measure that covers economic, social, geopolitical, climate, consumer and technology disruption – shows that levels of disruption increased by 200% from 2017 to 2022.
In a fast-moving cyber threat landscape, knowledge is power. Yet, there is a growing gap between CEOs’ increasing awareness of the business value of cybersecurity and what they understand about emerging threat actors – which, in turn, lowers their confidence to avert or mitigate cyberattacks. Simply put, businesses are not yet cyber resilient and CEOs are unsure of how to measure cyber resilience or ensure that their businesses are on the right track. But since the digital world connects everything, securing it is essential, especially as digital exposure and vulnerabilities expand.
Many CEOs tend to treat cybersecurity as a technical function that is incident- and compliance-driven. Consider that a massive 76% of CEOs only implement security controls for critical functions or deploy them after transformation is finalised, or when vulnerabilities are detected. The majority (91%) said in our study that cybersecurity is a technical function that is the responsibility of the CIO or CISO, with 95% saying compliance is one of the key drivers of their cybersecurity strategy.
Unfortunately, it is often only after CEOs live through a material cyber incident that they proactively invest time and resources and expand expectations beyond the CISO and technology functions.
Closing the cyber resilience gap is a business priority and CEOs need to consider the following actions: embed cyber resilience in the business strategy from the start, establish shared cybersecurity accountability across the organisation, secure the digital core at the heart of the organisation, extend cyber resilience beyond organisational boundaries and silos, and embrace ongoing cyber resilience to stay ahead of the curve.
By applying all these actions, CEOs can shift from viewing cybersecurity as a purely technical function handled by IT alone, and elevate it to an organisation-wide priority, establishing processes for reporting and accountability from the C-suite to the board.