A majority of executives around the world feel their organizations can do better when it comes to learning from their past cyber mistakes, according to the results of a global survey conducted by The Economist Intelligence Unit (EIU) and Willis Towers Watson.

In the past year, one-third of the companies surveyed experienced a serious cyber incident—one that disrupted operations, impaired financials and damaged reputations—and most placed high odds on another one in the next 12 months, said the survey report titled “How boards can lead the cyber-resilient organization.”

While most organizations regard themselves as doing a good job on incident response, only 13 percent said they were above average in incorporating learnings from cyber incidents into resilience strategies, the report added.

The survey found little consensus among boards and executives on cyber resiliency planning, including the deployment of strategies across the organization, where to allocate funds and what areas of the organization are most at risk.

The split in cyber preparedness was also apparent across geographies, as North American companies contrast strongly with their peers in Asia and, to some extent, the EU on issues such as expectations for frequency and impact of cyber attacks and confidence in their ability to recover from a breach.

Interestingly, of the four regions surveyed (North America, the UK, Europe and Asia), the UK had the highest rate of perceived cyber resiliency at 21 percent.

Other key findings of the report include:

  • The average corporate cyber resilience spend was about 1.7 percent of revenue, and 96 percent of board members believe that isn’t enough.
  • Many companies lack confidence in their ability to source talent and develop a cyber-savvy workforce.
  • Executives cite the size of the financial and reputational risk as the most important reason for board oversight.
  • North America spent the highest on cyber resilience as a percent of revenue (2-3 percent), whereas the other regions spent between 1-2 percent or less.
  • Among executives, there is little consensus on how to allocate cyber budgets, but very close responses were given between “technology to harden cyber defenses” and “IT talent acquisition, skills training/development.”
  • Most regions (three out of the four regions) believe that the board should oversee cyber risk, while Europe disagreed, saying it should be a dedicated cyber group.

“It’s important for companies to understand that achieving cyber resiliency is a companywide imperative—one that shouldn’t be sequestered to certain roles or functions,” said Anthony Dagostino, global head of cyber risk with Willis Towers Watson.

“Boards should emphasize the need for a strategic framework, and the C-suite should set the tone within their organizations by empowering stakeholders such as IT, risk, HR, legal and compliance to drive an integrated risk management and resiliency strategy,” he added.

“While technology will remain a crucial defense, more than half of cyber incidents are attributable to employee behavior and talent deficits in cybersecurity roles, so investing in other areas such as human capital solutions and cyber insurance have to become part of regular board and C-suite conversations,” Dagostino explained.


The EIU surveyed more than 450 companies across the globe about their strategies and the challenges they face in building cyber-resilient organizations.

Source: Willis Towers Watson