The CEO Report on Cyber Resilience


CEOs and Cyber Resilience: Risk to Preparedness

Executive Summary

With the ever-increasing threat of cyberattacks, cybersecurity risk has become a top concern for business leaders. Despite increasing spending on cybersecurity, the number of serious incidents continues to rise, and even large companies are not immune.    

This requires CEOs to shift their mindset. Recognising they need to prepare for when - not if - an attack happens their focus broadens from cybersecurity to cyber resilience. How do they    anticipate, withstand, respond and adapt to cyberattacks, minimise impact, expedite recovery, and emerge stronger. These are questions, CEOs cannot leave entirely to their CIOs or CISOs. They must make them top of their own agenda.  

Saïd Business School and ISTARI, a Temasek-founded global cybersecurity firm, conducted in depth interviews with 37 CEOs for this first-of-its-kind study about cyber risk. The CEO Report on Cyber Resilience explores the need for a shift beyond cybersecurity defence to creating cyber resilience.


CEOs interviewed

$12 billion

Average company revenue


Average number of employees


CEOs who endured cyberattacks

Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area they lack familiarity and intuition.

Dr Manuel Hepfer

Co-author, Head of Knowledge and Insights at ISTARI and a Research Affiliate at Saïd Business School

Four mindsets every CEO should adopt

  • Be co-responsible, not just accountable
  • Move from blind trust to informed trust
  • Embrace the preparedness paradox
  • Adapt your communication style to regulate stakeholder pressure

The fact that all CEOs in our study felt accountable for cybersecurity, but less than 1/3 felt comfortable making decisions in that area reveals an alarming gap. To build cyber resilience, CEOs must close that gap. This report offers a first playbook

Michael Smets

Co-author and Professor of Management, Saïd Business School

Building Cyber Resilience

CEOs playbook outline

Building on our insights we developed a playbook which presents a comprehensive guide for CEOs to build more cyber-resilient organisations covering tactical, operational, and strategic best practices. Drawing from the rich, lived experiences of CEOs, the playbook distils actionable insights within each of the four stages of cyber resilience noted below: anticipate, withstand, respond, and adapt.


Revisit existing approaches


Act swiftly


Reinvent the organisation


Capture opportunities

From these candid conversations, we can better answer what a CEO’s role should be in the event of a cyberattack and fill the gap in what CEOs need to do to build and command cyber resilient organisations.

Rashmy Chatterjee

Co-author and CEO of ISTARI