Nearly 40% of global IT decision-makers think so.

Is this 40% good news or bad? One could argue that this is decent news – as this implies that 60% of CEOs aren’t a weak link! Until you read on in a recent Mimecast survey of IT decision makers to find that 40% is up from nearly 30% in a year-over-year comparison in this same Mimecast survey question. The perceived problem is getting worse, not better. So, let’s take 40% as bad news.

4 Reasons Why CEOs Need More Cybersecurity Understanding

Why might CEOs be a key security weak link? Here are some thoughts drawn from my own experiences:

  • CEOs are generally busy, non-technical people. And much of cybersecurity gets presented to them as technologies (UTM, network monitoring, MFA, SIEMs, machine learning…) – with uncertain security efficacy – that often add friction to doing business.
  • CEOs, like everyone else, are just trying to get their job done and aren’t always as suspicious as security people. They often trust that delivered emails are what they appear to be, not understanding that cybercriminals have a lot more control than they think.
  • CEOs have access to more sensitive information than pretty much anyone else at the company. And not only that, they can direct the release of funds or other sensitive information with just a flick of the mouse.
  • Importantly and finally – CEOs are often highly visible and thus highly targeted by CEO fraud attackers. Impersonation data from the Mimecast Grids show that the C-level title is one of the most targeted and spoofed titles at organizations we protect.

Are CEOs really unaware of the cybersecurity risks that are out there? I think they are aware; they just don’t often understand what to do about them and can’t separate the “somewhat bad” from the “very bad.” The general news, while often wrong on the severity, importance, and technical details of cyberattacks, is, to its credit, reporting on them regularly and helping to reach a more non-technical audience – including CEOs!

How Do We Close the C-Level Cybersecurity Gap?

What to do about this? To help close this understanding gap it is incumbent on senior security and IT professionals to talk about their security program in terms of risk and risk reduction, not in terms of technology. Security technology, after all, is a means to an end. That end is cyber risk management and reduction. That end is reducing the probability of occurrence and the impact of a security incident.

CEOs understand risk and risk reduction. That, in a word, is their day job. They make and authorize business investments that contain risk. They decide when to launch new products, weighing the risk of being too early or too late. They weigh the risk inherent in legal decisions, acquisitions, hiring, and in entering new geographies.

I think you get my point. If you can frame your security program in terms of risk, risk reduction, risk management, and risk acceptance, I think there is an excellent opportunity to bring that 40% “weak link” number down—way down.
