10 Reasons Why CEOs Should Care About Cybersecurity

  • By Tim Sadler
  • 25 November 2020

Cybersecurity is a team sport. And for strategies to be truly effective, security leaders and business leaders have to work together.

In fewer words: Cybersecurity should be on the CEO’s agenda.

So, to help bridge the gap and to really highlight why privacy and data protection matter now, I put together this list of reasons why CEOs should care about cybersecurity.

Here are 10 reasons why CEOs should care about cybersecurity.


1. Cybersecurity is a competitive differentiator

Today, customers and clients don’t just care about privacy, they expect it. That means that a strong cybersecurity culture can actually enable businesses.

At our first Human Layer Security Summit of 2020, Mark Parr, Global Director at HFW, summed it up nicely, saying, “You’re only going to win more work if you’re reputable. And you’re only going to be reputable if you demonstrate you have a strong information security framework.”

He’s not alone in thinking this. According to Cisco’s global survey of security professionals and business leaders, 41% of survey respondents said “competitive advantage” was a benefit of their privacy investment. 

2. The biggest consequence of a data breach is lost customer trust

Earlier this year, we asked security leaders what the biggest consequence of a data breach would be. The #1 answer?

Not lost data. Not regulatory fines or revenue loss.

Lost customer trust.

Breaches damage your brand and it can be very hard to win back customers’, clients’, and even the public’s trust. That’s why organizations see (on average) 3.9% customer churn after a data breach. 

3. You will inevitably empower your people to do their best work

Prioritizing cybersecurity isn’t just good for the business. It’s great for your people. 

Here’s why: 90% of breaches are caused by human error. But people aren’t intentionally making these errors; they’re moving fast to get their job done. Security just isn’t top of mind for them.

So, it’s our job to set them up for success and empower them to do their best work securely. How do you do that? By removing the sharp objects. 

At Tessian’s second Human Layer Security Summit, Bobby Ford, Vice President and Global CISO at Unilever put this into perspective with an example from his own life.  

When you’re a parent helping your son or daughter learn how to walk, what do you do? Child-proof the house and get outta the way!

4. Privacy investment can help reduce delays in sales processes and improve operational efficiency

Remember that Cisco global survey I mentioned earlier? “Competitive advantage” wasn’t the only benefit security professionals and business leaders experienced as a result of their investment in privacy and cybersecurity.

41% achieved operational efficiency from having data organized and cataloged, and 37% saw a reduction in sales delays due to privacy concerns from customers and prospects.

It makes sense. Data protection, privacy, and cybersecurity force businesses to be more transparent. That transparency fosters customer loyalty and increases organizational alignment.  


5. The average data breach costs $3.86 million

While most security leaders agree that the biggest consequence of a breach is lost customer trust and damaged reputation, we can’t ignore the financial implications.

IBM’s latest Cost of a Data Breach report found that the average data breach costs $3.86 million. This figure includes costs associated with:

  1. Detection and escalation
  2. Notification
  3. Lost business
  4. Ex-post response

And this doesn’t even account for the potential fines from regulators. 

Why does this matter? If we’re talking about the ROI of cybersecurity, the cost of non-compliance is actually 2.71 times higher than the cost of compliance.

Translation: Prevention is better than cure. 

6. The investigation and remediation of breaches disrupts productivity

On average, it takes companies 197 days to identify and 69 days to contain a breach. And this process of investigating and remediating requires time and resources from plenty of departments, teams, and people outside of IT.

Legal, compliance, executive, marketing, HR, and people teams will get pulled in. Spokespeople will be appointed. External security/IT support will have to be hired and onboarded.

The bottom line: you hired great people to do great things. Post-breach activities pull them away from their day-to-day work, disrupt their flow and productivity, and distract them from the business’ larger mission.

7. Data protection laws are only going to get more strict 

On the topic of compliance, it’s important to point out that data protection laws are only going to get more strict and enforcement agencies are only going to be given more resources to enforce data requirements.

That means organizations around the world and across industries won’t just benefit from strong cybersecurity programs, but they’ll be obligated to have one. 

Top tip: Industries like financial services tend to be 5+ years ahead in cybersecurity maturity. If you don’t operate in these industries, it’s worth taking note of what’s top-of-mind for the business and security leaders that do. 

8. Security culture is built from the top down

Just like company culture, the C-suite sets the tone for security culture and therefore must lead by example. 

It’s especially important that the CEO plays an active role in not just creating the overall security strategy, but actually rolling it out. Why? The CEO can connect cybersecurity to business objectives and help employees understand why it’s such a critical component in enabling the company to achieve its mission.

“To be successful in implementing security change, you have to bring the larger organization along on the journey. How do you get them to believe in the mission? How do you communicate the criticality? How do you win the hearts and minds of the people? CISOs no longer live in the back office and address just tech aspects. It’s about being a leader and using security to drive value.”
Kevin Storli, Global CTO and UK CISO at PwC

But business leaders will soon have no choice but to actively contribute to their organization’s security culture…

9. By 2024, CEOs could be held personally liable for data breaches

As I’ve said, cybersecurity is mission critical. But, for now, it’s security and IT teams who shoulder the responsibility. In a few years, this could change. 

According to Gartner, CEOs will be held personally liable for data breaches by 2024.

10. You owe it to your customers

We mentioned earlier that strong cybersecurity can help businesses win new customers. But it’s not just about winning new customers. It’s also about supporting the ones you have. 

This is one of Tessian’s core values: Customer-Centricity.

Your customers entrust you with their data, their intellectual property, their secrets. You have to keep it safe. That’s why we believe that – as a cybersecurity vendor – it’s our mission to protect every other business’ mission.

If you’re looking for more insights into how security and business leaders can work together, check out our latest eBook: CEO’s Guide to Data Protection and Compliance.

Tim Sadler, co-founder and Chief Executive Officer