Why Cybersecurity Acumen Matters in the C-Suite

COMMENTARY

With the mounting, competitive pressure to leverage generative artificial intelligence (GenAI), now is the time for CEOs to better understand the technology themselves.  

Cybersecurity deserves this same level of attention — and so does the discrepancy between C-level enthusiasm and skill level. Leveraging AI tools, cybercriminals and their attacks have become more sophisticated, and with this technology comes a swath of security concerns when used in a company environment. As GenAI use grows within organizations, so does tension across executive teams and in the boardroom, especially as the chief information security officer (CISO) role shifts in remit. We're also seeing significant spikes in data breaches. All of this coalesces to signal the need for more cybersecurity acumen across the C-suite in order to provide leadership and guidance to firms.  

Why? Because enduring companies understand how to navigate one of the most common and consequential risks in business.  

Improved Strategic Decision-Making, Resource Allocation, and Collaboration

Cybersecurity acumen at the top of the org chart can significantly impact the company's overall security posture and ability to manage risk. This, in turn, translates into several additional benefits for the company.  

For starters, companies can now integrate security into decision-making processes and strategic direction. This should never be an afterthought. Cyber-risk lurks everywhere and crops up in more decisions than people realize. It's not just in overly simple passwords or opening phishing emails; software-as-a-service (SaaS) tools can serve as an easy entry point for man-in-the-middle attacks that threaten businesses. 

Leaders in 2024 must recognize the need for security. While businesses have access to incredible levels of technology that can help a company thrive, so do malicious actors. Understanding the variety of sources a threat can stem from better equips a leader to make strategic choices that bolster the protection of data and intellectual property, rather than put it at further risk.  

That said, security is not always cheap, and finding qualified resources in an already scarce security and AI market is challenging at best. Resource allocation is critical in the decision-making process to balance both attention to threats and business costs. In today's economic climate, budgets are being heavily scrutinized for technology and business leaders. Those with a broader and deeper understanding of the risks that come with deprioritizing security are better prepared to make smart decisions about where to allocate investments.  

Furthermore, attaining that kind of security knowledge intrinsically improves leadership's ability to collaborate with all of the different internal teams. These conversations drive quicker, better decisions, especially during a crisis, while increasing the respect between the office of the chief information officer (CIO) and the chief security officer (CSO). Enabling that sort of alignment will also bring better, more articulate conversations with the board that protect businesses against risk.  

Attack surfaces continue to grow for businesses in every industry, which only makes transparency and collaboration more necessary. Regulators are rising to the challenge of finding ways to deal with this new cyber reality, and the pressure is mounting. You can see this in new rules and directives from the Securities and Exchange Commission, and in regulations like the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA), just to name a few. Noncompliance is costly both financially and in terms of losing an opportunity to defend against attackers. But compliance requires departments and leaders to communicate in order to create and execute new strategies and policies.  

However, the burden of proof still falls to top leadership to make this happen. It's in the C-suite's best interest and within its responsibilities to protect data and assets as best it can for customers and the firm. Financial and reputational impacts due to cyberattacks are a consideration that must be recognized in all major decisions at the board level. The rising threat landscape creates a perfect storm that, if left unchecked, leaves businesses vulnerable to major loss.  

Credibility Allows Senior Leaders to Perform Better on the Job

Cybersecurity is a critical topic on every board's agenda as we continue to see stories about threats sneaking through technological infrastructure and impacting the customer experience on at scale. Leaders need the kind of "street cred" to effectively lead a dynamic, smart organization of technologists and operations professionals. Few have the kind of pointed knowledge to recommend, lead, or drive change toward a more secure work culture — only making it that much more critical.  

Those who can think technically while still demonstrating a business mindset will be best positioned to help their organizations succeed. Some of the strongest leaders and executives I have encountered are those who not only know what they're talking about, but also have a keen ability to explain the "why" of what they're talking about in terms that resonate with those who are unfamiliar with the subject matter.  It is time for experts to direct the action instead of "actors."  

In the words of one of my mentors: "Leaders have followers. Managers just tell people what to do in a hierarchy." It's not enough to just know your stuff; you need to be able to equip others with that knowledge as well. That's what makes you indispensable as a leader. And with the average tenure of most cyber leaders at less than a year and a half, those of us in these positions can't afford to ignore that kind of reality. Commanding the space rather than putting yourself in a situation where you're forced to react isn't just good for the business but good for the leader, too.  

Leaders Can't Afford to Ignore the Need for This Kind of Knowledge

Cybersecurity acumen is no longer specialized or reserved for only the educated few. This was reflected in a recent decision by the Securities and Exchange Commission requiring companies to report a material breach within four days of occurrence. While it did not specifically call for cybersecurity expertise in the boardroom for public companies, it has long been highlighted that only a small percentage of publicly traded companies have such expertise. Although the mandate ultimately didn't pass, this is a proof point of how seriously agencies and regulatory bodies are taking cybersecurity, and it is only a matter of time before this becomes the official guidance.  

Prioritizing risk management and assessment must come from the top down. Until CEOs and boards have prioritized learning more about these threats and how to mitigate them, organizations are leaving themselves and their businesses open to the potential for disaster. But the leaders who spend the time and effort to study the game, the players, and the playbook toward better threat protection will see the dividends for years to come.