• Free for qualified executives and consultants to industry

  • Receive quarterly issues of Area Development Magazine and special market report and directory issues


In Focus: CEOs Are Underprepared for Cyber Threats

New regulations to expand cybersecurity expertise and reporting requirements can only help to eliminate the very real threats companies are facing on a daily basis.

Q1 2023
What do IT systems and water have in common? Do you know the connection? You will find the answer at the end of this article.

According to the most recent Marcum-Hofstra CEO Survey published in December, less than one third (31.8 percent) of CEOs said their company is well-prepared for any cybersecurity threat they might face in the foreseeable future. That’s a staggering and sobering message. If you look at how other risks are managed, such as supply chain, market conditions, or higher financial interest rates, there is a much greater degree of focus and success.

It’s difficult to imagine that most CEOs are unaware of cyber threats. You can’t go a day without seeing an article about the latest sensational cybersecurity incident. And none of these attacks are limited to a particular size or type of company. Attacks are impactful and pervasive.

You can’t go a day without seeing an article about the latest sensational cybersecurity incident. Risks due to cyber threats continue to be treated differently than all other types of organizational risks despite clear evidence that cyber losses can include millions of dollars, penalties, and fines; class-action lawsuits; reputational damage; and lost opportunities. Don’t forget employee attrition — who wants to work for the latest firm to become a media headliner for all the wrong reasons?

A Business Survival Imperative
Even within many large organizations, cybersecurity departments still report into IT, as if security were an IT function (spoiler alert: it’s not an IT problem; it’s a business survival imperative). Cybersecurity needs an equal place in the C-suite. Accept the reality that IT and security have very different focuses, agendas, and KPIs. Recognize the differences, celebrate them, and place security equal to the IT function.

CEOs don’t entirely own this problem. There are many boards of directors with no significant cybersecurity expertise. Where are the board members who were former CISOs and lived through a major security breach? They are the leaders who really know how painful and expensive it is to survive one, and they have the lessons learned under their belts.

In 2022 the Securities & Exchange Commission proposed new regulations that would greatly expand the cybersecurity expertise and reporting required of public company boards. If approved, there will be a scramble for talent with experience focusing on operating risks, strategic and practical elements of meeting existing and coming regulations, as well as future opportunities that a great cyber posture can provide. This is not to be feared — it will be a good opportunity for forward-acting organizations to get ahead.

Accept the reality that IT and security have very different focuses, agendas, and KPIs. Still wondering about the connection between IT systems and water? In 1908, Jersey City, N.J., became the first U.S. city to begin routine disinfection of community drinking water. Other municipalities quickly followed suit. Until then, citizens contracted water-borne illnesses regularly.

A strong cybersecurity capability is the disinfectant all organizations need now. Some day we will look back and shake our heads at the unbelievably slow progress of providing basic sanitation and protection to our IT capabilities, particularly given how dependent we are on them. Elevate your organization’s cybersecurity capability now, and we can all raise a cold glass of clean water to that future.

Exclusive Research