Page 132 - Cyber Defense eMagazine April 2023
Leadership Is Still Washing Their Hands of Cyber Risk
By John A. Smith, CEO of Conversant Group
When it comes to owning responsibility for cyber risk, executive leadership has moved in and out of the
spotlight like character actors in a play for over a decade. Circa 15 years ago, most IT teams went it
alone, working to “keep the lights on” while also attempting to secure the enterprise against threats. Once
cyberattacks and related global headlines became too voluminous to ignore, we (rightly) began hearing
calls for CEOs and boards of directors to get involved—these attacks had become too catastrophic for
senior leadership to defer awareness, decision-making, and blame. As breach damages soared, several
CEOs were ousted. Finally, many executives answered the call, briefly taking the stage in security
operations.
But it didn’t last long; companies worldwide found a loophole enabling them to defer risk back to IT in the
form of an organizational change—the appointment of a Chief Information Security Officer (CISO)—
offering up a technical leader with a high enough title that CEOs could move quietly back into the
shadows. Exit, stage right. As an unsurprising aside, it was a series of cyberattacks by Russian hackers
that inspired the appointment of the very first CISO ever, Steve Katz, by Citicorp in 1994. However, it