After 20 years in the industry and witnessing the explosive growth of the cybersecurity sector, I can say with confidence that the world has a CTO problem. But maybe not in the way you’re thinking. Major brands like Dell, AT&T, and Ascension Healthcare have all recently suffered significant cyberattacks, despite their large security budgets and well-staffed teams – highlighting just how pervasive this issue is.
Many CTOs are unaware or uneducated about the specifics of cybersecurity. It’s a reality I've come to accept in recent years. After 15 years leading an Ethical Hacking firm and having countless conversations with CTOs from all over the world, I stand by this observation. I've seen it firsthand and I want to help.
A Chief Technology Officer is expected to be knowledgeable about all aspects of technology – not necessarily as a practitioner (though that would be ideal), but at least with an executive-level understanding. So why are some CTOs still falling short when it comes to cybersecurity, especially since cybersecurity is the one area that can halt business operations within minutes?
To put it simply, most CTOs are overwhelmed by scope creep, unrealistic expectations, and budgets that don’t match their needs.
The Overloaded CTO
Here’s a glimpse of the many areas a CTO is responsible for:
Governance, Risk, and Compliance
Business KPIs
Security KPIs
Mentoring their team
Training employees on operational tech and security threats
Managing vendors and third parties securely
Staying up-to-date with the latest technology advancements
Creating and managing policies and procedures
Overseeing Artificial Intelligence initiatives
Balancing business initiatives with a limited budget
Professional development across various industries and technologies
Cybersecurity
Executive management
Attending trade shows and educational events
Vetting vendor presentations and solutions
It’s not exactly a “cushy” job with so many responsibilities to juggle. It’s even more challenging when done right, leading us to the core issue: CTO overload.
The Unique Threat of Cybersecurity
CTOs are tasked with too much. Ideally, a CTO should have a support structure that includes a CISO, CSO, or at least a couple of dedicated security professionals. But the world isn’t perfect, and these responsibilities often fall on the CTO, who might not get the budget they need to do their job effectively.
So what should a CTO do in this situation? The short answer is: prioritize. Every responsibility listed above is important, but cybersecurity is the one area that can cripple a company in minutes or a single day.
Cybersecurity often gets pushed to the bottom of the priority list because there isn't always an immediate issue. With so many other demands, CTOs and their teams don’t always get back to addressing security concerns. I've heard this repeatedly from CTOs in industries like Healthcare, Finance and SaaS. This becomes a significant problem when a breach occurs due to those neglected security projects.
Consequences of Neglecting Cybersecurity
The problem with such breaches is they could have been prevented. The problem with such breaches is they SHOULD have been prevented. The problem with such breaches is they can cost the CTO their job and reputation. The problem with such breaches is that 60% of companies that experience a breach are out of business within six months. The problem with such breaches is it can cost upwards of $4.5 million (2023 numbers from IBM) to remediate, recover, and bolster security measures. The problem with such breaches is the CTO was set up for failure.
And this all falls on the CTO. Is it fair? I’ll let you decide. CTOs are generally well-compensated (with an average salary range of $230k-$390k according to salary.com). However, from my daily experience in this field, it’s unrealistic to expect the CTO to deliver on every task without the necessary support system.
Support Systems for CTOs
Here’s what I wish CTOs, Executive Management, Shareholders, Board Members, and employees understood:
CTOs need a dedicated security team.
CTOs need an operational team.
CTOs need support from Directors.
CTOs need a sufficient budget.
CTOs need time and space to think and strategize.
Actionable Steps for CTOs
If you’re a CTO, my message to you is this: Hang in there, advocate for yourself and your team, seek out vendors or team members who can fill your knowledge gaps, and most importantly, prioritize cybersecurity in your operations.
At every product or project meeting, ask this simple question: “How and where does security fit into this plan?” That simple phrase can help an overburdened CTO inject cybersecurity into their and their team’s daily thought processes and workflows.
By elevating cybersecurity within your organization, you set yourself, your company, your team, and your clients up for success. Understand why it’s so crucial.
There are many more CTOs to talk to, much more education to provide, and a lot of cybercrime to prevent.
Stay Secure,
Patrick Wright
Co-Founder, CTO, CISO at STP Ventures LLC
Cybersecurity Strategist, Evangelist, and Educator