Fortune
Jackson Fordyce, Geoff Colvin

CEOs share striking stories about their own cyber unpreparedness


Good morning. Fortune senior editor at large Geoff Colvin here, filling in for Alan.

For CEOs in eternal combat against cybercriminals—that is, all CEOs—it seems a day that had to come has finally arrived. Being accountable for cyber, erecting the mightiest defenses, trusting fully in world-class experts—none of that is good enough anymore.

So says a new report from ISTARI, a global cybersecurity firm established by Temasek, the Singapore state investment company. The document, “The CEO Report on Cyber Resilience,” was prepared in collaboration with the University of Oxford’s Saïd Business School.

What strikes me most strongly is the message that CEOs, regardless of their education, must become significantly more cyber-literate, like it or not. They don’t have to go to coding school or learn to banter about post-exascale high-performance computing, but they can’t regard the cyber world as a jungle impenetrable by all except lifelong techies. As the report says, CEOs (and by implication those who report to CEOs) must “move from blind trust to informed trust.” They must understand a new language.

The authors reached their conclusions by conducting 37 interviews with anonymized CEOs of global corporations. Some of their stories are striking. “The CIO came to present at an executive meeting and asked us how many servers we thought the company had,” one CEO said. “The lowest estimate in the room was four. The highest was 250. The reality was more than 4,000. That was an incentive for all of us to understand more. We realized we spend millions each year on this technology but don’t really understand it.”

The researchers also discovered, surprisingly, that many CEOs still rely far too heavily on prevention. It’s surprising because cybersecurity experts have been telling executives for years there are just two kinds of companies: those that know they’ve been broken into and those that don’t know. A U.S. CEO told the researchers, “We were all into prevention and not enough into resilience, and that's the mistake we made.”

A European CEO related his painfully-won lesson: "I learned the clear truth that all CEOs must know: You can never stop a cyberattack, you just do your best to limit the damage. The idea that you could ever actually stop it is nonsense because sooner or later, something will get through." Not a cheery message, but then we’re talking about dealing with criminals. This new report is a CEO-level guide to having more successes and fewer mistakes in dealing with a hard 21st-century reality.

Geoff Colvin
geoff.colvin@fortune.com
