Most executives around the world feel that their organizations aren’t learning enough from their past cyber mistakes, according to a new survey.
The survey, conducted by The Economist Intelligence Unit (EIU) and Willis Towers Watson, polled more than 450 companies globally about their strategies and challenges in building a cyber resilient organization. The survey found that most companies feel they’re doing well when it comes to incident response – but only 13% said they were above average in incorporating lessons from cyber incidents into their resilience strategies.
The survey found little consensus on cyber resilience planning, with boards and executives differing on where to allocate funds and what areas of their organization were most at risk.
Other key findings of the report include:
- The average corporate resilience spend was about 1.7% of revenue – which 96% of board members believe isn’t enough
- North America spent the highest on cyber resilience as a percent of revenue (2%-3%). Other regions spent 1%-2% or less.
- There was little consensus among executives on how to allocate cyber budgets, but very close responses were given between “technology to harden cyber defenses” and “IT talent acquisition, skills training/development.”
- Three out of four global regions believed that the “board as a whole” should oversee cyber risk, while Europe said the responsibility should fall to a dedicated cyber group.
“It’s important for companies to understand that achieving cyber resiliency is a company-wide imperative, one that shouldn’t be sequestered to certain roles or functions,” said Anthony Dagostino, global head of cyber risk for Willis Towers Watson. “Boards should emphasize the need for a strategic framework, and the C-suite should set the tone within their organizations by empowering stakeholders, such as IT, risk, HR, legal and compliance to drive an integrated risk management and resiliency strategy. While technology will remain a crucial defense, more than half of cyber incidents are attributable to employee behavior and talent deficits in cyber roles, so investing in other areas such as human capital solutions and cyber insurance have to become part of regular board and C-suite conversations.”