Where do CEOs come from? What roads led them to their exalted and all-powerful roles? In a world of sprinting technology, internet-enabled systems across every enterprise and increasing cybersecurity threats, this is an unexpected but existentially relevant question to ask.
According to a recent Forbes article, 75% of Fortune 100 CEOs come from operational backgrounds, and 32% were also CFOs at one point. These ladders to the top are long-established, but I’d like to pose this provocative question: Are we in a new era where CTOs should have a path to top-dog status?
The recent news stories about threats to the enterprise frame up the argument in compelling and dramatic terms.
Would a CTO as CEO have saved Equifax?
There are no guarantees. But there’s no doubt that someone with a deep and current cyberbackground would not have allowed the porosity, sloppiness and defenselessness that led to the Equifax breach and its far-reaching implications. Given the impact of the hack and its cascade of consequences affecting more than 100 million Americans, the inadequacy and emptiness of the response of the former CEO, Richard Smith, make clear that traditionally trained CEOs are not up for the task of running a data-first organization.
And let me underscore “former.” Smith’s inadequate testimony, and his clear inability to run a company whose very existence is based on data security, led to his demise.
I believe that a talented, sophisticated and savvy CEO with a CTO background would have constructed and managed a more aware and resilient security apparatus than Equifax had. Such a CEO would have known how to ask the probing questions and organize people and processes more strategically. Indeed, CEOs without a deep understanding of today’s cybersecurity challenges, complexities and demands are at a serious disadvantage.
In fact, the challenges are so great that even a technology-led company like Facebook can still fall victim to technology threats. While the abuse of the platform by Russia was not a hack, it used holes in the Facebook system in order to mask the actual sponsor of the ads. Imagine what might have happened if Facebook was led by someone who had run supply chain!
As the world becomes even more global and interconnected, future CEOs will be confronted with an armada of unforeseen issues and challenges. Consider the range of businesses whose strategic partnerships, consumer relationships, reputations and overall trust, as well as regulatory compliance, are contingent on cybersecurity.
Or more accurately stated: Which ones are not? Putting aside database businesses like Equifax, CEOs of companies in industries ranging from transportation to healthcare, e-commerce, software and infrastructure all require an in-depth security background, one that goes well beyond the check-the-box experience that is part of the typical CEO track. In all these cases, the CEO is responsible for data which, in hacked hands, can cause tremendous harm to the lives of millions.
IoT adds additional layers of complexity
Previously, I reviewed the importance of cybersecurity in medical devices, where an ineffective threat management platform can lead to murder. That’s just the start, though. Autonomous vehicles, for example, pose grave threats to personal safety and reputational security that can’t be pushed down to IT departments; inadequate protections and procedures can be business-ending.
We need to have faith in the ability of our CEOs to guard the data they have been given responsibility for — meaning they need the chops to set in-depth briefings from their security IT personnel and, in turn, push back hard with pointed questions.
This is a complex mission for any CEO, who by definition needs to deal with so many different business operations simultaneously. We expect them to ask the right questions and understand and brief their board of directors, but in cybersecurity — perhaps more than in other technology-related areas — the devil is in the details (and the malware). Without a thorough understanding of the reality of today’s advanced targeted attacks and threat actors, a CEO cannot effectively frame the right questions and assess if the answers they get from their IT employees are good enough. These details are broad, related to not just the technologies their business relies on, but the entire architecture that their defenses rely on as well.
So, in this era of unprecedented cyberthreats, including the new risks attendant to IoT exposure, we need to create a new generation of CEOs who come from CTO and CISO backgrounds. This next generation can be accountable to shareholders, boards and the business community because their apposite backgrounds will liberate them from sole reliance on their IT departments.
From CTO to CEO
Of course, the era of the CTO-to-CEO track will not happen overnight. The reason that CEOs come from operational and finance backgrounds is that decades of management training are behind this process and trajectory. They are groomed for advancement early on, and are intentionally rotated through different functional areas to give them exposure to the breadth of experience that CEOs require.
This is not happening with CISOs and CTOs. Their careers typically start and stop in the same department. There are no systems or processes in place to identify CEO prospects from the ranks of technology and IT, so until those mechanisms are put in place — requiring board-level recognition of the challenges I described earlier — it is unlikely that they will ascend to CEO status.
Until then, we will have to make do with the crop of CEOs and CEO successors we have. And they have big gaps in cyber-awareness to make up. Now, don’t get me wrong, I am not saying a CEO needs to understand all the details and be involved in the day-to-day evaluation of their defense architecture, of course. But they should have the ability to make wise decisions given today’s threat landscape and new technologies, which accelerate productivity, but also extend the threat surface of the company by creating weaknesses and vulnerabilities.
CEOs must rely on informed intuition, but because virtually 100% of them have had minimal exposure to cybersecurity — with some of it probably decades old — and as a result have a check-the-box approach to this existential threat, their intuition will be handicapped.
So, while we are waiting for the next generation of CTO/CEOs — which, in my view, cannot happen soon enough — we need current CEOs who push themselves to be educated about the complexities of today’s threats. This must be an ongoing process; there is no “Cybersecurity for Dummies” silver bullet for CEOs. But as the Equifax disaster has shown us, a CEO who doesn’t fully grasp cybersecurity might be soon changing their LinkedIn profile to “Former.”
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.