August 2024
INSIGHT

Partner in resilience

Caroline Scotter Mainprize
6 min read
Caroline Scotter Mainprize reviews research from cyber resilience company ISTARI to suggest how a chief of staff can best help their CEO principal lead the organisation to anticipate, withstand, respond, and adapt to cyberattacks.
Cybercrime is a top-of-mind issue for the world’s CEOs. And no wonder: cyber risks are increasing, and CEOs are formally, and in some jurisdictions legally, responsible for the cyber security of their organisations. Yet, as research from ISTARI and Saïd Business School, University of Oxford, found, the majority are not comfortable making decisions in this area, and many prefer to delegate responsibility for cybersecurity to their technology teams. This, as the interviewees who had experienced a cyberattack would tell you, is a mistake. The CEO plays a vital role in leading the organisational response to cybersecurity risk. What is more, they are absolutely crucial in moving the organisation beyond simply strengthening its defences to creating cyber resilience: the ability to anticipate, withstand, respond, and adapt to cyberattacks so as to minimise impact, expedite recovery, and emerge stronger.

As with so many other aspects of the CEO job, though, they cannot do it alone. Any CEO with a chief of staff will be leaning heavily on them to pick up the pieces that they do not have time or headspace for. The ISTARI/Oxford research revealed two important areas in which the chief of staff can play a pivotal role in building and maintaining the organisation’s cyber resilience. The first is in supporting the CEO in adapting their communication style to respond to pressure from different stakeholders. The second is in creating and maintaining a psychologically safe culture.

CEO communications

Dealing with different and sometimes competing stakeholder expectations is part of the job of CEO – and, by extension, of their chief of staff. But in the context of cyber resilience, and certainly in the midst of a cyberattack, this is even more challenging. This is partly due to the high stakes involved: a major cyberattack is costly, disruptive, and can inflict significant reputational damage. Companies can find themselves paying ransoms to cybercriminals and fines to regulators as well as rebuilding their IT infrastructure, running PR damage limitation, and convincing employees, customers, and suppliers to stick with them. Even more difficult is the intrinsically fast-changing and covert nature of cyber-threats and the lack of familiarity with cybersecurity on the part of CEOs and other executives. It is by no means easy to communicate in a reassuring and authoritative way if you do not know what is going on (the first thing some of the interviewees knew about a cyberattack was when all the screens suddenly went blank), you do not know how it started (cybercriminals target weak points that may not even be in your own organisation but somewhere in your supply chain), and you have absolutely no idea how you are going to get out of it (few CEOs have the necessary technical knowledge of IT and cybersecurity).

The research identified four roles that the CEO can adopt in order to regulate pressure from stakeholders such as the board, shareholders, regulators, customers, and suppliers.

Transmitter

The CEO transmits pressure and demands to the organisation without any barrier. The transmitter is the most passive role and also the one that feels most comfortable to adopt. Many CEOs intuitively take on this position, delegating pressure, demands, understanding, and responsibility on cyber to their organisation.

What the chief of staff can do

The transmitter role makes the most sense in the middle of a cyberattack: the CEO does not want to waste time trying to understand technical issues or softening and spinning directives when urgent action is needed. The danger that the chief of staff must guard against is the CEO being perceived as not taking responsibility for steering the organisation through the cyberattack and loading everything on to the IT department.

Amplifier

The CEO amplifies the power of messages and information. This is especially important when pressure from other stakeholders is low during day-to-day operations, or when new risks emerge. By amplifying these lower levels of pressure, CEOs can create a sense of urgency.

What the chief of staff can do

The amplifier style is important but should be used sparingly: with too many messages directly from the CEO, employees will stop paying attention. The role of the chief of staff is to judge when the CEO should put their own name to an announcement and when it is better seen as a technical or leadership communication from someone else.

Filter

The CEO judges what kind of pressure to transmit or to absorb. In doing that, the CEO decides who needs to receive what information and distributes it. This role is crucial to helping people and teams maintain focus, especially in the aftermath of an attack, when uncertainty and a stream of new information can cause people to become distracted.

What the chief of staff can do

This communication style is right in the chief of staff’s wheelhouse and is where they can really help the CEO through discussion and coaching: who needs to know what? How is the information best communicated? When should it be communicated?

Absorber

The CEO does not pass on stakeholder pressure but absorbs it. This role is particularly important during a crisis, when emotions and anxiety are high. Interviewees described being a shield for their organisation, absorbing panic from the board and acting to reassure both internal and external stakeholders while not feeling confident themselves.

What the chief of staff can do

Here, the role of the chief of staff is to act as the absorber for the absorber – to be the one person with whom the CEO can let down their guard and discuss their worries and uncertainties, relieving pressure and sharing the load.

Psychologically safe culture

Cyberattacks are often the result of human error. CEO interviewees were unanimous in believing that guarding against them and building cyber resilience is a whole-organisation effort. Doing that requires battling against two very human emotions: ignorance and fear. No one likes to admit that they really don’t understand the intricacies of IT and how cybercriminals operate. Neither do they want to call attention to having done something silly, such as nearly falling for a phishing email or mixing up business and personal accounts and potentially opening the doors to a cybercriminal. Even IT specialists try to conceal the fact that they do not have all the answers. Interviewees described IT departments over-promising or remaining tight-lipped during an attack, too frightened or proud to tell the CEO the whole truth.

But one CEO described how, after suffering an attack, they introduced a regular session with the Board, during which they could ask ‘stupid’ questions and learn more about cyber security and cyber resilience. This is an idea that could be replicated throughout organisations, under the aegis of the chief of staff, to accustom staff to asking questions and sharing experiences with no fear that they would be humiliated or blamed. Other ideas that chiefs of staff could use to build psychologically safe cultures within organisations include facilitating or rewarding people for speaking up, and openly discussing and learning from ‘near misses’.

Cybercrime may have its roots in technology, but cyber resilience is a people issue. Chiefs of staff, with their broad perspective, ease with their own lack of specialist expertise, and social capital, are best placed to work with CEOs to maintain cyber resilience within their organisations.
Author Bio
Caroline Scotter Mainprize
Chief Editor
Caroline is a writer, editor, and communications advisor, working mostly for organisations involved in research and education. Clients have included Oxford University Press, Saïd Business School, Bayes Business School, and the international development and publishing organisation CABI. She has edited a number of books, annual reports, and journals, and written practitioner-focused research reports, including Oxford’s The Museum Leaders Report and Understanding Chief Digital Officers. Before freelancing she was responsible for corporate communications at Oxford University Press. She had previously worked for a London PR consultancy and as a journalist on a business newspaper.