Cyber resilience captains of industry survey 2021

Published 15 November 2021

This was published under the 2019 to 2022 Johnson Conservative government

Executive summary

Britain’s business elite share their views on cyber security

A large majority of ‘Captains of Industry’ say that the board in their organisation considers cyber threats to be high risk in comparison to all risks the company faces, and that they are well informed to make decisions about cyber resilience. However, more can still be done: board members still require further awareness raising and targeted training to improve their decision-making abilities regarding cyber resilience.

Board engagement with cyber security risk

  • Nine in ten Captains say that cyber threats are considered as a very high or high risk by the board. The proportion of Captains who say this has seen a slight increase compared with 2020 (from 84% to 91%).

  • Most Captains (77%) reported that the board received updates or had discussions about cyber security on at least a quarterly basis over the last 12 months. This includes 26% who say they did so monthly or more often.

  • The vast majority (92%) of Captains agree that the board integrates cyber risk considerations into wider business areas with slightly fewer (83%) Captains saying their board is well informed to make decisions about cyber resilience.

  • However, Captains still feel there is more that can be done to equip board members to deal with cyber threats. Captains most commonly mentioned awareness raising among board members and targeted training (34%) when asked what support their board needs to make better decisions about cyber resilience.

Strategy and documentation

  • The majority of Captains (between 95% and 98%) stated that they have documentation in place to manage their cyber security including a Business Continuity plan that includes cyber security, risk register, identification of critical assets and a written list of vulnerabilities.

  • However, fewer (77%) had documentation outlining the cyber risk the organisation is willing to accept i.e. documentation about the organisation’s risk posture or risk appetite.

Supply chains

  • Seven in ten Captains (69%) suggest that their organisation actively manages supply chain risks.

  • A similar proportion (68%) say that cyber risks in the supply chain are part of the written documents that help manage cyber security risks.

1: Introduction

Background

Publication date: 15th November 2021

Geographic coverage: United Kingdom

Methodology

The Ipsos MORI Captains of Industry survey is a telephone/video conferencing survey which comprises approximately 100 interviews annually with participants (Chairmen, Chief Executive Officers, Managing Directors/Chief Operating Officers, Financial Directors or other executive board directors). The average interview length was 50 to 60 minutes.

Companies included are from the Top 500 industrials in the UK by turnover; and Top 100 financial companies by capital employed.

  • In 2020, interviews were conducted with 102 Captains of Industry. Fieldwork took place between February and July 2020.

  • In 2021, interviews were conducted with 107 Captains of Industry. Fieldwork took place between May and August 2021.

In both the 2020 and 2021 surveys, DCMS commissioned Ipsos MORI to include a small number of questions relating to cyber resilience and the experiences and expertise of boards dealing with cyber security issues in these organisations.

As a thank you for participation Ipsos MORI donated £100 for every interview to Macmillan Cancer Support or another charity chosen by the respondent.

Unless otherwise stated, each question is based on all Captains of Industry answering. Where results do not sum to 100%, this may be due to computer rounding, multiple responses or the exclusion of don’t know or no opinion categories.

2: Key findings

2.1 Cyber security strategy and documentation

In 2020, nearly all Captains (99%) reported that their organisation had a cyber security strategy, with almost three fifths (58%) of Captains reporting that the strategy is aligned with their business objectives (Figure 1). For those with a strategy, the majority of Captains (86%) said their organisation had a dedicated budget associated with this strategy.

Figure 1 Description of cyber security strategy

| Description of cyber security strategy | 2020 |
| --- | --- |
| We have a dedicated cyber security strategy aligned with business objectives | 58% |
| We have a dedicated cyber security strategy, but it is largely focused on technology improvements and implementation | 22% |
| We have a cyber security strategy as part of our IT strategy | 20% |

Base: All respondents with a cyber security strategy in 2020 (102)

Question: Which of the following, if any, best describes your cyber security strategy?

In 2021, the survey went a step further to ask Captains what specific documentation their organisations have in place to manage their cyber security risks (Figure 2).

Figure 2 Documentation organisations have in place to help manage cyber security risks

| Documentation organisations have in place | Yes | No | Don’t know | Refused |
| --- | --- | --- | --- | --- |
| A risk register that covers cyber security | 98% | 1% | 0% | 1% |
| A Business Continuity Plan that covers cyber security | 97% | 2% | 0% | 1% |
| Any documentation that identifies the most critical assets that the organisation wants to protect | 95% | 1% | 3% | 1% |
| A written list of the organisation’s IT estate and vulnerabilities | 95% | 2% | 2% | 1% |
| Any documentation that outlines how much cyber risk the organisation is willing to accept | 77% | 20% | 3% | 1% |

Base: All respondents in 2021 (107)

Question: Does your organisation have any of the following documentation in place to help manage cyber security risks?

Almost all (between 95% and 98%) stated that they have documentation including a Business Continuity plan, risk register, identification of critical assets and a written list of vulnerabilities. However, a lower proportion (77%) have documentation outlining the cyber risk the organisation is willing to accept i.e. documentation about the organisation’s risk posture or risk appetite.

2.2 Board engagement

In 2021, nine in ten Captains (91%) reported that cyber threats are considered as high risk or very high risk by the board, as shown in Figure 3. The proportion of Captains who say this has increased from 84% in the previous year, largely due to respondents moving from ‘medium’ to ‘high’ risk, showing a change in how cyber security is being perceived by senior leaders.

Figure 3 Importance of cyber threats as a risk, as considered by the board in comparison to all risks the company faces

| Importance of cyber threats as a risk | 2020 | 2021 |
| --- | --- | --- |
| Very high risk | 47% | 48% |
| High risk | 37% | 43% |
| Medium risk | 13% | 7% |
| Low risk | 3% | 2% |
| Very low risk | 0% | 1% |

Base: All respondents in 2021 (107), All respondents in 2020 (102)

Question: For the Board, how important a risk are cyber threats considered to be in comparison to all risks the company faces, where risk is a product of likelihood and impact?

In 2020, Captains were asked how risk governance is handled by the board in their organisation (Figure 4).

Figure 4: How cyber risk governance is handled by the board

| How cyber risk governance is handled by the board | 2020 |
| --- | --- |
| The board reviews cyber risk information | 67% |
| The board challenges the cyber risk information it receives | 64% |
| The board is enabled to make decisions to adapt the cyber risk profile | 51% |

Base: All respondents in 2020 (101)

Question: Which of the following applies to how cyber risk governance is handled by the board in your organisation?

In 2020, approximately two-thirds of Captains reported their company board reviews (67%) or challenges (64%) cyber risk information it receives but only half (51%) said they are enabled to make decisions to adapt the cyber risk profile. This may suggest that expertise within organisations is not necessarily present at the board level. This was further explored in the questions asked to Captains in 2021.

In 2021, 92% of Captains agreed that the board in their organisation integrates cyber risk considerations into wider business areas; however, only half (53%) strongly agreed with this statement (Figure 5).

Figure 5: Level of agreement that the board integrates cyber risk considerations into wider business areas

| Agreement that the board integrates cyber risk considerations into wider business areas | 2021 |
| --- | --- |
| Strongly agree | 52% |
| Tend to agree | 39% |
| Neither agree nor disagree | 3% |
| Tend to disagree | 4% |
| Strongly disagree | 1% |
| Refused | 1% |

Base: All respondents in 2021 (107)

Question: This question is about how your board typically engages with any information on the cyber security risks your organisation faces. How much would you agree or disagree with the following statement? The board integrates cyber risk considerations into wider business areas.

Figure 6 shows how frequently the board discusses or receives updates on the organisation’s cyber security.

Figure 6: Frequency of board discussing or receiving updates on organisation’s cyber security in the last 12 months

| Frequency of board discussing or receiving updates on organisation’s cyber security in the last 12 months | 2021 |
| --- | --- |
| Daily | 1% |
| Weekly | 5% |
| Monthly | 20% |
| Quarterly | 51% |
| Once every 6 months | 19% |
| Once a year | 4% |
| Never | 1% |

Base: All respondents in 2021 (107)

Question: Over the last 12 months, roughly how often, if at all, has your board discussed or received updates on your organisation’s cyber security? Is it …

The majority (77%) of Captains stated that the board discusses or receives updates on the organisation’s cyber security on at least a quarterly basis, with a quarter (26%) saying this is monthly or more frequently.

In 2021, Captains were asked how well informed the board are to make decisions about cyber resilience (shown in Figure 7).

Figure 7: How informed the board are to make decisions about cyber resilience

| How informed the board are to make decisions about cyber resilience | 2021 |
| --- | --- |
| Very informed | 24% |
| Fairly informed | 59% |
| Neither informed nor uninformed | 4% |
| Fairly uninformed | 11% |
| Very uninformed | 2% |

Base: All respondents in 2021 (107)

Question: How well informed are the board to make decisions about cyber resilience?

Most Captains reported that the board in their organisation are informed to make decisions about cyber resilience (83% stated that the board were either fairly informed or very informed), however only a quarter (24%) think they are very informed.

Figure 8 Support needed for the board to be able to make better decisions about cyber resilience

| Support needed for the board to be able to make better decisions about cyber resilience | 2021 |
| --- | --- |
| Awareness raising / education / training for board members | 34% |
| Engagement with third party experts | 24% |
| Provision of regular updates / reports | 21% |
| Engagement with internal/company experts (e.g. IT department) | 13% |
| Information from simulation exercises / penetration tests | 11% |
| None / no support / we have a good level of support already | 16% |

Base: All respondents in 2021 (107)

Question: What support, if any, do the board need in order to be able to make better decisions about cyber resilience?

A third of Captains (34%) say that further support could be provided to the board in the form of more training and education about cyber security in order to enable them to make better decisions about cyber resilience. Other suggestions included engagement with third party experts, provision of regular updates, internal engagement with experts within the organisation and information from cyber security testing.

2.3 Supply chain risk management

In 2020, most Captains reported that their Chief Information Security Officer is the person in their organisation mainly responsible for overseeing and reporting to senior management about all supply chain risks. In 2021, a further question was asked to look at elements of supply chain risk management (Figure 9).

Figure 9 Agreement with statements about supply chain risk management

| Statement (base) | Strongly agree | Somewhat agree | Neither agree nor disagree | Somewhat disagree | Strongly disagree | Don’t know | Refused |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Cyber risks in the supply chain are part of the written document(s) that help manage cyber security risks (105) | 32% | 36% | 11% | 14% | 3% | 2% | 1% |
| Our organisation actively manages cyber risks in our supply chain (107) | 28% | 41% | 13% | 13% | 4% | 0% | 1% |
| The board are kept informed of cyber risks in our supply chain (106) | 21% | 44% | 9% | 21% | 5% | 0% | 0% |

Base: All respondents in 2021

Question: To what extent do you agree or disagree with the following statements?

Seven in ten Captains agree that their organisation actively manages cyber risks in its supply chain (69%) and that cyber risks in the supply chain are part of the written documentation that helps manage cyber security risks (68%). Two thirds (65%) say that the board is kept informed of cyber risks in the supply chain.

Annex 1: Composition of sample

Where a category applies to fewer than five organisations, we have suppressed the figure to prevent the data from being disclosive. This is marked by ‘*’.

| Sector | 2020 | 2021 |
| --- | --- | --- |
| Utilities | 9 | 9 |
| Mining/Minerals/Natural Resources | 1 | * |
| Technology/Media/Telecoms | 9 | 12 |
| Construction | 7 | 6 |
| Manufacturing | 7 | 15 |
| Transport/Distribution | 8 | 5 |
| Services/Retailing | 27 | 30 |
| Financial/Banking/Insurance | 21 | 17 |
| Other | 13 | 11 |

| Employees | 2020 | 2021 |
| --- | --- | --- |
| 1-999 | 17 | 25 |
| 1,000-4,999 | 39 | 43 |
| 5,000+ | 44 | 39 |

| Job Title | 2020 | 2021 |
| --- | --- | --- |
| Chief Executive | 31 | 50 |
| Chairman | 27 | 20 |
| Chief Financial Officer | 17 | 17 |
| Managing Director | 5 | 5 |
| Finance Director | 6 | * |
| Chief Operating Officer | 3 | * |
| Chief Information Officer | 1 | * |
| Public Relations/Corporate Affairs Director | 6 | * |
| Other | 9 | 6 |

| FTSE | 2020 | 2021 |
| --- | --- | --- |
| FTSE 100 | 16 | 15 |
| FTSE 250 | 22 | 23 |
| Other listed and Private | 64 | 69 |

Annex 2: Interpretation of findings and statistical reliability

The survey results are estimates and subject to margins of error, which vary with the size of the sample and the percentage figure concerned.

Only a sample of the ‘population’ has been interviewed so we cannot be certain that the figures obtained are exactly those we would have found, had everybody been interviewed (the ‘true’ values).

For any percentage given, however, we can estimate ‘confidence intervals’ within which the true values are likely to fall. For example, if 19% of Captains say their business will improve in the next 12 months, we can be 95% sure that the ‘true’ value for the population would be between 11% and 27%, i.e. a margin of 8 percentage points on each side.

Similar margins for other percentages and sub-groups of the respondents are given in the following tables. It should be remembered that, in any case, the ‘true’ finding is much more likely to be towards the centre of the possible range of responses than towards the margins.

For similar reasons, apparent differences in results relating to sub-groups may, if small, not necessarily reflect genuine attitudinal differences. We can be 95% sure that differences exceeding those in the second table are genuine, or ‘significant’ differences.

Examples of statistical reliability

95% Confidence Interval (margin of error in percentage points, ±)

| Sample size | 10% or 90% | 20% or 80% | 30% or 70% | 40% or 60% | 50% |
| --- | --- | --- | --- | --- | --- |
| c.100 (all Captains) | ±6 | ±8 | ±9 | ±10 | ±10 |
| c.80 (example subgroup) | ±7 | ±9 | ±10 | ±11 | ±11 |
| c.50 (example subgroup) | ±8 | ±11 | ±13 | ±14 | ±14 |
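The arithmetic behind the reliability table and the 19% worked example, as an added illustration that is not Ipsos MORI's or DCMS's own code. It assumes the table uses the normal approximation to the binomial at 95% confidence (margin = 1.96 × √(p(1−p)/n)), which reproduces every published row; the two-proportion difference helper is the standard formula, included because the report's "second table" of significant differences is not reproduced on this page.

```python
"""Margin-of-error arithmetic behind the report's 'Examples of statistical
reliability' table. Added illustration, not Ipsos MORI's or DCMS's code.
Assumption: the table uses the normal approximation to the binomial at 95%
confidence, i.e. margin = 1.96 * sqrt(p * (1 - p) / n)."""
import math

Z95 = 1.96  # two-sided 95% z-score; assumed to be what the table uses


def margin_points(pct: float, n: int) -> int:
    """Half-width of the 95% confidence interval, in percentage points,
    rounded to the whole point as the report's table does."""
    p = pct / 100.0
    return round(100.0 * Z95 * math.sqrt(p * (1.0 - p) / n))


def confidence_interval(pct: float, n: int) -> tuple[int, int]:
    """Range within which the 'true' population value is likely to fall."""
    m = margin_points(pct, n)
    return (round(pct) - m, round(pct) + m)


def reliability_table(sample_sizes, percentages=(10, 20, 30, 40, 50)):
    """Rebuild the report's table: one row per sample size, one column per
    percentage (p and 100 - p give the same margin, hence '10% or 90%')."""
    return {n: [margin_points(pct, n) for pct in percentages] for n in sample_sizes}


def difference_margin(pct_a: float, n_a: int, pct_b: float, n_b: int) -> float:
    """Smallest gap (in points) between two independent groups that counts
    as 'significant' at 95%. Standard two-proportion formula (assumption);
    the report's second table of such values is not on this page."""
    pa, pb = pct_a / 100.0, pct_b / 100.0
    var = pa * (1.0 - pa) / n_a + pb * (1.0 - pb) / n_b
    return 100.0 * Z95 * math.sqrt(var)


if __name__ == "__main__":
    # Worked example from the report: 19% of c.100 Captains -> 11% to 27%.
    print(confidence_interval(19, 100))
    for n, row in reliability_table((100, 80, 50)).items():
        print(f"c.{n}: " + " ".join(f"±{m}" for m in row))
```

Comparing a 2020 figure (base 102) with a 2021 figure (base 107) through difference_margin gives the threshold the annex refers to for year-on-year or sub-group gaps.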

Further information

The Department for Digital, Culture, Media & Sport would like to thank Ipsos MORI for its work in developing the survey and carrying out the fieldwork.

For general enquiries contact:

Department for Digital, Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ
Telephone: 020 7211 6000

Email: [email protected]