Willis Towers Watson examines what we’re really learning from cyber mistakes

It seems many firms aren’t learning enough...



By Ryan Smith

Most executives around the world feel that their organisations aren’t learning enough from their past cyber mistakes, according to a new survey.

The survey, conducted by The Economist Intelligence Unit (EIU) and Willis Towers Watson, polled more than 450 companies globally about their strategies and challenges in building a cyber resilient organisation. The survey found that most companies feel they’re doing well when it comes to incident response – but only 13% said they were above average in incorporating lessons from cyber incidents into their resilience strategies.

The survey found little consensus on cyber resilience planning, with boards and executives differing on where to allocate funds and what areas of their organisation were most at risk.

Other key findings of the report include:

  • The average corporate resilience spend was about 1.7% of revenue – which 96% of board members believe isn’t enough
  • North America spent the most on cyber resilience as a percentage of revenue (2%-3%). Other regions spent 1%-2% or less.
  • There was little consensus among executives on how to allocate cyber budgets, but “technology to harden cyber defences” and “IT talent acquisition, skills training/development” drew very close responses.
  • Three out of four global regions believed that the “board as a whole” should oversee cyber risk, while Europe said the responsibility should fall to a dedicated cyber group.

“It’s important for companies to understand that achieving cyber resiliency is a company-wide imperative, one that shouldn’t be sequestered to certain roles or functions,” said Anthony Dagostino, global head of cyber risk for Willis Towers Watson. “Boards should emphasise the need for a strategic framework, and the C-suite should set the tone within their organisations by empowering stakeholders, such as IT, risk, HR, legal and compliance to drive an integrated risk management and resiliency strategy. While technology will remain a crucial defence, more than half of cyber incidents are attributable to employee behaviour and talent deficits in cyber roles, so investing in other areas such as human capital solutions and cyber insurance has to become part of regular board and C-suite conversations.”


