The scope of a CEO’s job is wide, to be sure, but as data privacy and cybersecurity continue to come to the fore, a group of experts from FTI Consulting argue: Top leaders need to make talking about infosec one of their biggest priorities.
Jamie Singer, Alexandra Priola, Kelly Miller, James Condon and Clare Marshall co-authored this article.
It is a massive understatement to say that CEOs have a lot on their plates. From inflationary pressures to ESG issues to talent retention, the list is long. Perhaps, unexpectedly, another topic rising to the top of the CEO public communications agenda is cybersecurity and data privacy.
According to FTI Consulting’s recent “2023 CEO Leadership Redefined” report, 73% of investors and 63% of employees want to see CEOs engage publicly on the topic of data privacy. Notably, data privacy ranks ahead of other critical issues, such as supply chain disruptions and bringing manufacturing jobs back to the U.S. The issue of cybersecurity also rises to the top of this list, with 58% employees agreeing CEOs should publicly engage on cybersecurity issues.
It is with good reason these issues should be top of mind for members of the C-suite. Today, organizations face privacy issues of all kinds — misuse of online tracking technologies, reputational damage from an incident targeting personally identifiable information, new SEC regulation requiring reporting of cybersecurity incidents by publicly traded companies, changing consumer sentiment on the way personal data is handled and more.
On the cybersecurity front, the threat landscape continues to evolve and intensify. Ransomware incidents still plague organizations; according to IBM’s “Cost of a Data Breach” report, the average cost of a ransomware attack in 2023 is more than $5 million, a 13% increase from last year. Moreover, recent third-party incidents targeting service providers in the file transfer industry are having significant downstream effects on organizations large and small.
At the same time, not all CEOs may be fully prepared or equipped to speak effectively on these issues. According to results from FTI Consulting’s proprietary survey used to develop the 2023 “CEO Leadership Redefined” report, when CEOs do speak out on data privacy and cybersecurity issues, only half of employees “approve” of the way CEOs address these topics.
Here are some key considerations to enable CEOs to address this communications gap:
1. Develop a clear privacy narrative.
Before CEOs can communicate effectively on these topics, it is important to have a clear privacy narrative that outlines the organization’s priorities, initiatives and proof points in the areas of data security and privacy. This privacy narrative should draw a clear connection to the organization’s vision, purpose and values. By establishing and communicating a privacy narrative to stakeholders — in a way that is familiar and consistent — and before a data privacy or cybersecurity crisis occurs, CEOs can help to store reputational credits in the bank.
2. Participate in cybersecurity and data privacy communications training.
While they are not expected to be technical experts, CEOs do need to speak credibly at a high level to their companies’ data privacy and cybersecurity programs. Whether with employees, customers or investors, CEOs must have their talking points at the ready to provide assurance and demonstrate security readiness. According to our proprietary research, investors are also paying close attention to these topics; about three-quarters agree CEOs should speak out on data privacy and cybersecurity. Executive-level communications and messaging trainings and workshops are key to bolstering CEOs’ comfort with these topics.
3. Establish strong internal relationships with privacy and infosec leaders.
Key to a CEO’s ability to communicate effectively on these topics is having strong internal relationships with the privacy office, CISO and other infosec leaders who can help to translate technical topics into C-suite speak. In fact, an FTI Consulting survey from 2022 found that 79%of CISOs feel heightened scrutiny from senior leadership and 58% revealed a struggle to articulate technical information and effectively communicate cyber risk in a manner that the board and senior leadership can understand. Privacy officers can face equally complex issues and risks to articulate. Clear alignment with internal experts helps to validate the content with all stakeholders while also elevating this topic onto the organization’s main stage. Convene these leaders regularly and with intention to tackle some of these trickier topics.
4. Make data privacy and cybersecurity about more than just training for employees: Incorporate it into relevant experiences.
Greater awareness and understanding around important topics like these have a positive correlation to compliance, advocacy and action among employees. To help build connectivity among employees, it should be spotlighted in trainings but also woven into dialogue opportunities, town hall meetings, as well as experiences like onboarding and even rewards and recognition. And our proprietary research revealed employees are asking to hear more from their CEOs on data privacy and cybersecurity, demonstrating a growing interest and desire to learn and be involved. Organizations that seize on this captive audience can embed data privacy and cybersecurity into the fabric of their culture, helping to mitigate further risks.
5. Invest in data privacy and cybersecurity crisis preparedness.
The data privacy and cybersecurity landscape is constantly changing. This requires companies to assess and address new risks, manage and mitigate challenges as they occur, and build preparedness and resiliency into systems and culture. Organizations need a comprehensive data privacy program and crisis response plan that facilitates diligent, forward thinking privacy governance, scenario planning, communications strategy and tabletop exercises to stay ahead of the ever-evolving threat environment.
Data privacy and cybersecurity have moved from the backroom to the boardroom. CEOs must emerge from the shadows to be front-facing on these issues with employees, investors and other stakeholders.