Cybersecurity C-Suite Report. PHOTO: Cybercrime Magazine.

The Number One Cybersecurity Statistic That C-Suite Executives Should Know

CEOs should not be in the dark about cybercrime

Steve Morgan, Editor-in-Chief

Northport, N.Y. – Jan. 21, 2020

For years now CEOs and board members have been flunking their cybersecurity exams. That’s because there are far too many vendor (and analyst) reports that fail to use easy-to-understand language, and concepts, for C-suite executives.

Do CEOs need to enroll into cybersecurity school? We don’t think so. Instead, they need better reading material from our community. And it starts with some language re-programming.

Our colleague and thought leader, Ann Johnson, corporate vice president for Microsoft’s Cybersecurity Solutions Group (CSG), and a member of the board of advisors for Cybersecurity Ventures, hits the nail on the head: “We should all be able to speak the language of cybersecurity.”

Johnson provides examples such as sandboxing, detonation chamber, whitelists, and blacklists, that all too often show up in C-suite reports. Those words, and other technical terms, are a sure-fire way to stump the CEO.

How about context-aware and solid identity security programs, multi-factor authentication, threat modeling, log ingestion, and security orchestration automation and response (SOAR) … in a report for the C-Suite? Yup.

One cybersecurity vendor report aimed at CEOs explains how to block evolving threats with innovative technologies such as identity and access management, threat analytics, virtualization, and incident response. Hmm.

Whether vendors want to believe it or not, the CEO of a major enterprise is not going to be discussing public key infrastructure (PKI) in the boardroom. A worthy topic for sure. But a bilingual cybersecurity expert — who speaks Geek and English — will have to be present in order to translate.

Cybersecurity Ventures strives to speak in plain English and simple business terms to Fortune 500 and Global 2000 corporate leaders. Not an easy thing to do. And we certainly misfire sometimes.

There is one cybersecurity statistic that is well understood by CEOs, and frequently shared by them: Cybercrime damages are predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. The meaning is unmistakable. Although it’s a good example of getting through to C-suite executives, that is not the number one cybersecurity statistic for them to know about.

Global spending on cybersecurity products and services is predicted to be $1 trillion cumulatively for the 5 year period from 2017 to 2021. That too is an easy one to grasp. But it’s not the number one statistic either.

We’re making some progress here. Hopefully, Johnson will approve.

Perhaps an employment statistic is number one. There will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million positions in 2014. Compelling. And very important to know about. But nope, it’s not number one for CEOs. We are however getting warmer.

If you’re a CEO and still reading this, then we apologize for the delay in providing you with the number statistic that you should know about. But, the fact that you’re still reading underscores the importance of speaking your language. We’re trying here!

All right, we appreciate your patience and here it is — number one (and it’s not that every company has been or will be hacked):

Cybersecurity Ventures forecasts that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021 (up from 70 percent in 2018), although many of them will be unfilled due to a lack of experienced candidates.

The latter part of the statistic is most important. Many large corporations will be unable to hire a CISO due to a shortage of qualified talent.

Why is that? And what can be done about it? And what are the consequences of an unfilled CISO position?

If you don’t have a cybersecurity head honcho in place, then is that really your biggest digital problem?

Stay tuned. Cybersecurity Ventures will be publishing a report near the end of Q1 2020 with facts, figures, predictions, and statistics about hiring and compensating CISOs. We promise that CEOs and C-suite executives will be able to understand every word of it!

We’ll be following that up in late spring with the “CISO 500,” our first-ever demographic study on CISOs at Fortune 500 and Global 2000 corporations. That will shed more light on the problem, and potential solutions.

By the way, did we say that CISO stands for chief information security officer? Oops, sorry for that.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.