As CEO, make sure you 'feel good' about your cybersecurity

Gerwin Naber Partner, PwC Netherlands 17/01/22

Well prepared for cyber attacks in five steps

A company is down for days because of a ransomware attack or theft of important technological concepts. These are nightmare scenarios, but at the same time harsh realities that regularly make the news. Therefore, it is not surprising that CEOs are very concerned about a possible cyber attack, as our 25th CEO Survey shows. In the world we live in, the question is not if it happens, but when it happens.

The question for CEOs

Cyber attacks can cause major damage to all kinds of business processes, but they can also seriously damage confidence in organisations. As CEO, you want to feel that your organisation is well prepared, for example for the recent Log4j threat, so that you can confidently show supervisors, customers and other stakeholders that your organisation is as well protected as possible against damage.

In this context, being well-prepared means that there is a good chance that those responsible within your organisation will discover a hack quickly and they will act appropriately to plug leaks and prevent further damage. To ensure this, the following five steps are important:


  • Define an unambiguous strategy
    Policy starts with a clear dot on the horizon: the ambition when it comes to cybersecurity. Where do we want to stand as an organisation in relation to our peers and to what norms and standards do we want to conform? This is a topic that obviously does not stand alone, but must be seen as part of the organisation's overall digital strategy. 
  • Organise governance with ‘checks and balances’ and different ‘lines of defense’
    In this context, good governance does not mean entrusting the subject to one person or department. Compare it to financial management: this is not only done by controllers who report to the CFO. There are also 'extra eyes' involved, such as risk management and the internal audit department, which have their own reporting lines. Such checks and balances and different lines of defense are also needed in the governance of cybersecurity. External assessments of the processes and systems are also part of this: a fresh look often discovers further possibilities for improvement.
  • Encourage a culture where people hold each other accountable
    People are the biggest security risk. They make mistakes and errors. No one wants to click on a link in a suspicious email, but it sometimes happens anyway. You can secure everything in the office, but if someone leaves a laptop in the car that is then stolen, it immediately creates a security risk. It is extremely important that people are open about this, that the culture is safe enough for them to report these mistakes or other risky situations immediately, and that they hold each other accountable for it.
  • Integrate cybersecurity into all processes
    I often see organisations working in silos. As a result, cybersecurity is on the agenda of the IT department, but not, for example, on the agenda of the people involved in product development or the internal business processes. Collaboration between different departments ensures that digital resilience is on everyone's agenda and contributes to processes and products that are 'secure by design'. With this, organisations can really distinguish themselves.

    Breaking through silos in this area also prevents IT departments from coming up with technological security solutions that are so user-unfriendly that no one wants or will use them.
  • Test your cybersecurity regularly
    Make sure that cybersecurity is tested regularly, that simulations are done on your systems. Hackers are constantly innovating. Moreover, an IT infrastructure changes after, for example, the introduction of a new system or an acquisition, when existing systems are connected to each other. Also consider the connections to other, new parties such as suppliers. So simulate a crisis and see if you are able to respond adequately. Not just from a technical point of view: ultimately this is teamwork and by training well, your organisation will be much better prepared.


The five points above have one common denominator: cybersecurity is not the problem of one department, but of the entire organisation. And when the whole organisation cooperates on digital security, the CEO gets more context and more grip as well as more comfort in being able to answer the question: are we doing the right things and are we doing them well enough? It also ultimately leads to better decisions on all digital investments where security is integrated from the very beginning.

CEOs are most concerned about cyber risks 

According to PwC's 25th CEO Survey, 58 percent of CEOs surveyed consider cyber attacks to be a very big threat to business operations. 

To put this percentage in perspective, 33 percent of CEOs see climate change and 26 percent health risks as very big threats. When a cyber attack occurs, CEOs expect the most impact on the delivery of products and services and innovative processes.
