The Future of Cybersecurity Lies With the CEO

By Ryan LaSalle and Mandy Wright

04/10/2022


“Moving from interest to action” has been a rallying cry for better oversight of numerous board-level issues over the past few years, including diversity, equity, and inclusion (DEI) and climate change. For Ryan LaSalle, the motto applies equally well to the current state of cyber-risk oversight.

Increasing costs of cyberattacks to companies, as well as elevated regulatory pressure on businesses to be more transparent about such attacks, are just two factors behind this mind-set shift. LaSalle, senior managing director and North America lead of Accenture Security, spoke to NACD in March to offer insight into where cybersecurity stands now and how cybersecurity practices must evolve in this environment and for the future. Select questions and answers from the interview are included below.

Are there discrepancies between how companies today plan and execute cybersecurity strategies?

A big challenge businesses face is being able to understand their risk appetite and how much they need to invest to properly secure their companies. It's hard to articulate and understand what you're willing to risk to achieve your business outcomes. Once you understand your risk appetite, then you can define what it is going to take from a cybersecurity perspective to position your business for success. Cybersecurity best practices shouldn't prevent business progress but should be a business enabler. Having a shared understanding of risk appetite between business executives and the cybersecurity team is critical.

How should the next iteration of cybersecurity be viewed, planned, and executed in a way that is different than what the board and C-suite are currently doing?

Only in the last five years has the chief information security officer (CISO) really joined the other leaders of the organization at the table where strategic business decisions are made. They have a seat at the table where they can help inform a business on the risks they're taking, and how cybersecurity technology and policy, as well as other parts of the business, can help mitigate those risks. They're much more relevant to the rest of the C-suite as an equal member. That's the journey we've been on. To move to the next level of cybersecurity, there needs to be shared accountability with business unit leads for securing the business. This is where the CISO can coach them. Business leaders have a belief in the actions and risks worth taking, whether that's to expand into new markets or adopt new technologies. By collaborating with the CISO, business unit leads can take action with the knowledge and the solutions to do so securely. If the business makes decisions that disregard risk and CISO counsel, then the CISO can't be accountable for defending the whole business. The next version of cybersecurity needs more accountability from business leadership. That's one of the reasons why we believe CEOs have such an important role to play in activating organizational behavior change. It is a mind-set shift in how to balance business growth and risk.

How should the board help the CEO going forward, especially if the CEO has no experience in technology or cybersecurity?

One of the things that distinguishes CEOs is intellectual curiosity. They can't lead their business if they're not tracking and consuming a ton of input to be able to contextualize where they're taking the business. Boards can help provide input from the other boards they sit on, offering a perspective of how other organizations are managing technology risk and cybersecurity. They can also introduce CEOs to other networks that may be further ahead in how they think about cybersecurity or how they drive change. The CISO should also be providing input, and the CEO should seek out peers who can offer insight. Cybersecurity is not going to drive business disruption; it's going to enable it. The CEO can make that happen by talking about it, or they can stop it from happening by thinking about it as a background function. Boards can help CEOs put cybersecurity at the heart of the strategy.

What is the difference between creating and maintaining stakeholder trust when it comes to cybersecurity?

The most important thing you can do to create trust is to be transparent with your stakeholders about how important cybersecurity is to your organization. It not only protects the organization, but it also yields value over the long term. When you're creating trust, there's an inclination to promote the effectiveness of your cybersecurity program. That's probably not an effective strategy for lots of reasons. In particular, you may put a target on your chest. Being transparent with your stakeholders about how you're taking their cyber safety seriously is good for establishing trust. It's an important way to help them understand what you're doing for them. Consistently deliver on your promises, but be transparent when you experience a vulnerability, because it's bound to happen at some point. It's about how you sustain and maintain trust for the long haul. Bring your stakeholders along on the journey. I've seen companies whose brand reputations rose among their customers after an incident because they kept them informed about how they were mitigating the incident.

It's harder to sustain trust. It's easy to say, but it's hard to do every day.

Ryan LaSalle is the North America Lead for Accenture Security.

Mandy Wright is senior editor of Directorship magazine.