The CEO Report on Cyber Resilience
CEOs and Cyber Resilience: Risk to Preparedness
Executive Summary
With the ever-increasing threat of cyberattacks, cybersecurity risk has become a top concern for business leaders. Despite increasing spending on cybersecurity, the number of serious incidents continues to rise, and even large companies are not immune.
This requires CEOs to shift their mindset. Recognising they need to prepare for when - not if - an attack happens, their focus broadens from cybersecurity to cyber resilience. How do they anticipate, withstand, respond and adapt to cyberattacks, minimise impact, expedite recovery, and emerge stronger? These are questions CEOs cannot leave entirely to their CIOs or CISOs. They must make them top of their own agenda.
Saïd Business School and ISTARI, a Temasek-founded global cybersecurity firm, conducted in-depth interviews with 37 CEOs for this first-of-its-kind study about cyber risk. The CEO Report on Cyber Resilience explores the need for a shift beyond cybersecurity defence to creating cyber resilience.
- 37: CEOs interviewed
- $12 billion: Average company revenue
- 40,000: Average number of employees
- 9: CEOs who endured cyberattacks
Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information, under extreme pressure, in an area where they lack familiarity and intuition.
Four mindsets every CEO should adopt
- Be co-responsible, not just accountable
- Move from blind trust to informed trust
- Embrace the preparedness paradox
- Adapt your communication style to regulate stakeholder pressure
The fact that all CEOs in our study felt accountable for cybersecurity, but less than 1/3 felt comfortable making decisions in that area, reveals an alarming gap. To build cyber resilience, CEOs must close that gap. This report offers a first playbook.
Building Cyber Resilience
CEOs playbook outline
Building on our insights, we developed a playbook which presents a comprehensive guide for CEOs to build more cyber-resilient organisations, covering tactical, operational, and strategic best practices. Drawing from the rich, lived experiences of CEOs, the playbook distils actionable insights within each of the four stages of cyber resilience noted below: anticipate, withstand, respond, and adapt.
- Anticipate: Revisit existing approaches
- Withstand: Act swiftly
- Respond: Reinvent the organisation
- Adapt: Capture opportunities
From these candid conversations, we can better answer what a CEO’s role should be in the event of a cyberattack, and fill the gap in what CEOs need to do to build and command cyber-resilient organisations.