Cyber resilience captains of industry survey 2021
Published 15 November 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/captains-of-industry-cyber-resilience-research-2021/cyber-resilience-captains-of-industry-survey-2021
Executive summary
Britain’s business elite share their views on cyber security
A large majority of ‘Captains of Industry’ say that the board in their organisation considers cyber threats to be high risk in comparison to all risks the company faces, and that they are well informed to make decisions about cyber resilience. However more can still be done, with board members still requiring further awareness raising and targeted training to improve their decision making abilities regarding cyber resilience.
Board engagement with cyber security risk
-
Nine in ten Captains say that cyber threats are considered as a very high or high risk by the board. The proportion of Captains who say this has seen a slight increase compared with 2020 (from 84% to 91%).
-
Most Captains (77%) reported that the board received updates or had discussions about cyber security on at least a quarterly basis over the last 12 months. This includes 26% who say they did so monthly or more often.
-
The vast majority (92%) of Captains agree that the board integrates cyber risk considerations into wider business areas with slightly fewer (83%) Captains saying their board is well informed to make decisions about cyber resilience.
-
However, Captains still feel there is more that can be done to equip Board members to deal with Cyber threats. Captains most commonly mentioned awareness raising among board members and targeted training (34%) when asked about what support their board needs to make better decisions about cyber resilience.
Strategy and documentation
-
The majority of Captains (between 95% and 98%) stated that they have documentation in place to manage their cyber security including a Business Continuity plan that includes cyber security, risk register, identification of critical assets and a written list of vulnerabilities.
-
However, fewer (77%) had documentation outlining the cyber risk the organisation is willing to accept i.e. documentation about the organisation’s risk posture or risk appetite.
Supply chains
-
Seven in ten Captains (69%) suggest that their organisation actively manages supply chain risks.
-
A similar proportion (68%) say that cyber risks in the supply chain are part of the written documents that help manage cyber security risks.
1: Introduction
Background
Publication date: 15th November 2021
Geographic coverage: United Kingdom
Methodology
The Ipsos MORI Captains of Industry survey is a telephone/ video conferencing survey which comprises approximately 100 interviews annually with participants (Chairmen, Chief Executive Officers, Managing Directors/Chief Operating Officers, Financial Directors or other executive board directors). The average interview length was 50 to 60 minutes.
Companies included are from the Top 500 industrials in the UK by turnover; and Top 100 financial companies by capital employed.
-
In 2020, interviews were conducted with 102 Captains of Industry. Fieldwork took place between February and July 2020.
-
In 2021, Interviews were conducted with 107 Captains of Industry. Fieldwork took place between May and August 2021.
In both the 2020 and 2021 surveys, DCMS commissioned Ipsos MORI to include a small number of questions relating to cyber resilience and the experiences and expertise of boards dealing with cyber security issues in these organisations.
As a thank you for participation Ipsos MORI donated £100 for every interview to Macmillan Cancer Support or another charity chosen by the respondent.
Unless otherwise stated, each question is based on all Captains of Industry answering. Where results do not sum to 100%, this may be due to computer rounding, multiple responses or the exclusion of don’t know or no opinion categories.
2: Key findings
2.1 Cyber security strategy and documentation
In 2020, nearly all Captains (99%) reported that their organisation had a cyber security strategy, with almost three fifths (58%) of Captains reporting that the strategy is aligned with their business objectives (Figure 1). For those with a strategy, the majority of Captains (86%) said their organisation had a dedicated budget associated with this strategy.
Figure 1 Description of cyber security strategy
| Description of cyber security strategy | 2020 |
|---|---|
| We have a dedicated cyber security strategy aligned with business objectives | 58% |
| We have a dedicated cyber security strategy, but it is largely focused on technology improvements and implementation | 22% |
| We have a cyber security strategy as part of our IT strategy | 20% |
Base: All respondents with a cyber security strategy in 2020 (102)
Question: Which of the following, if any, best describes your cyber security strategy?
In 2021, the survey went a step further to ask Captains what specific documentation their organisations have in place to manage their cyber security risks (Figure 2).
Figure 2 Documentation organisations have in place to help manage cyber security risks
| Documentation organisations have in place | Yes | No | Don’t know | Refused |
|---|---|---|---|---|
| A risk register that covers cyber security | 98% | 1% | 0% | 1% |
| A Business Continuity Plan that covers cyber security | 97% | 2% | 0% | 1% |
| Any documentation that identifies the most critical assets that organisation wants to protect | 95% | 1% | 3% | 1% |
| A written list of organisation’s IT estate and vulnerabilities | 95% | 2% | 2% | 1% |
| Any documentation that outlines how much cyber risk organisation is willing to accept | 77% | 20% | 3% | 1% |
Base: All respondents in 2021 (107)
Question: Does your organisation have any of the following documentation in place to help manage cyber security risks?
Almost all (between 95% and 98%) stated that they have documentation including a Business Continuity plan, risk register, identification of critical assets and a written list of vulnerabilities. However, a lower proportion (77%) have documentation outlining the cyber risk the organisation is willing to accept i.e. documentation about the organisation’s risk posture or risk appetite.
2.2 Board engagement
In 2021, nine in ten Captains (91%) reported that cyber threats are considered as high risk or very high risk by the board, as shown in Figure 3. The proportion of Captains who say this has increased from 84% in the previous year, largely due to respondents moving from ‘medium’ to ‘high’ risk, showing a change in how cyber security is being perceived by senior leaders.
Figure 3 Importance of cyber threats as a risk, as considered by the board in comparison to all risks the company faces
| Importance of cyber threats as a risk | 2020 | 2021 |
|---|---|---|
| Very high risk | 47% | 48% |
| High risk | 37% | 43% |
| Medium risk | 13% | 7% |
| Low risk | 3% | 2% |
| Very low risk | 0% | 1% |
Base: All respondents in 2021 (107), All respondents in 2020 (102)
Question: For the Board, how important a risk are cyber threats considered to be in comparison to all risks the company faces, where risk is a product of likelihood and impact?
In 2020, Captains were asked how risk governance is handled by the board in their organisation (Figure 4).
Figure 4: How cyber risk governance is handled by the board
| How cyber risk governance is handled by the board | 2020 |
|---|---|
| The board reviews cyber risk information | 67% |
| The board challenges the cyber risk information it receives | 64% |
| The board is enabled to make decisions to adapt the cyber risk profile | 51% |
Base: All respondents in 2020 (101)
Question: Which of the following applies to how cyber risk governance is handled by the board in your organisation?
In 2020, approximately two-thirds of Captains reported their company board reviews (67%) or challenges (64%) cyber risk information it receives but only half (51%) said they are enabled to make decisions to adapt the cyber risk profile. This may suggest that expertise within organisations is not necessarily present at the board level. This was further explored in the questions asked to Captains in 2021.
In 2021, 92% of Captains agreed that the board in their organisation integrates cyber risks considerations into their wider business areas, however only half (53%) strongly agreed with this statement (Figure 5).
Figure 5: Level of agreement that the board integrates cyber risk considerations into wider business areas
| Agreement that the board integrates cyber risk considerations into wider business areas | 2021 |
|---|---|
| Strongly agree | 52% |
| Tend to agree | 39% |
| Neither agree nor disagree | 3% |
| Tend to disagree | 4% |
| Strongly disagree | 1% |
| Refused | 1% |
Base: All respondents in 2021 (107)
Question: This question is about how your board typically engages with any information on the cyber security risks your organisation faces. How much would you agree or disagree with the following statement? The board integrates cyber risk considerations into wider business areas.
Figure 6 shows how frequently the board discusses or receives updates on the organisation’s cyber security.
Figure 6: Frequency of board discussing or receiving updates on organisation’s cyber security in the last 12 months
| Frequency of board discussing or receiving updates on organisation’s cyber security in the last 12 months | 2021 |
|---|---|
| Daily | 1% |
| Weekly | 5% |
| Monthly | 20% |
| Quarterly | 51% |
| Once every 6 months | 19% |
| Once a year | 4% |
| Never | 1% |
Base: All respondents in 2021 (107)
Question: Over the last 12 months, roughly how often, if at all, has your board discussed or received updates on your organisation’s cyber security? Is it …
The majority (77%) of Captains stated that the board discusses or receives updates on the organisation’s cyber security on at least a quarterly basis, with a quarter (26%) saying this is monthly or more frequently.
In 2021, Captains were asked how well informed the board are to make decisions about cyber resilience (shown in Figure 7).
Figure 7: How informed the board are to make decisions about cyber resilience
| How informed the board are to make decisions about cyber resilience | 2021 |
|---|---|
| Very informed | 24% |
| Fairly informed | 59% |
| Neither informed nor uninformed | 4% |
| Fairly uninformed | 11% |
| Very uninformed | 2% |
Base: All respondents in 2021 (107)
Question: How well informed are the board to make decisions about cyber resilience?
Most Captains reported that the board in their organisation are informed to make decisions about cyber resilience (83% stated that the board were either fairly informed or very informed), however only a quarter (24%) think they are very informed.
Figure 8 Support needed for the board to be able to make better decisions about cyber resilience
| Support needed for the board to be able to make better decisions about cyber resilience | 2021 |
|---|---|
| Awareness raising / education / training for board members | 34% |
| Engagement with third party experts | 24% |
| Provision of regular updates / reports | 21% |
| Engagement with internal/company experts (e.g. IT department) | 13% |
| Information from simulation exercises / penetration tests | 11% |
| None / no support / we have a good level of support already | 16% |
Base: All respondents in 2021 (107)
Question: What support, if any, do the board need in order to be able to make better decisions about cyber resilience?
A third of Captains (34%) say that further support could be provided to the board in the form of more training and education about cyber security in order to enable them to make better decisions about cyber resilience. Other suggestions included engagement with third party experts, provision of regular updates, internal engagement with experts within the organisation and information from cyber security testing.
2.3 Supply chain risk management
In 2020, most Captains reported that their Chief Information Security Officer is the person in their organisation mainly responsible for overseeing and reporting to senior management about all supply chain risks. In 2021, a further question was asked to look at elements of supply chain risk management (Figure 9).
Figure 9 Agreement with statements about supply chain risk management
| Agreement with statements about supply chain risk management | Strongly agree | Somewhat agree | Neither agree nor disagree | Somewhat disagree | Strongly disagree | Don’t know | Refused |
|---|---|---|---|---|---|---|---|
| Cyber risks in the supply chain are part of the written document(s) that help manage cyber security risks (105) | 32% | 36% | 11% | 14% | 3% | 2% | 1% |
| Our organisation actively manages cyber risks in our supply chain (107) | 28% | 41% | 13% | 13% | 4% | 0% | 1% |
| The board are kept informed of cyber risks in our supply chain (106) | 21% | 44% | 9% | 21% | 5% | 0% | 0% |
Base: All respondents in 2021
Question: To what extent do you agree or disagree with the following statements?
Seven in ten Captains agree that their organisation actively manages cyber risks in their supply chain (69%) and that cyber risks in the supply chain are part of the written documentation that help manage cyber security risks (68%). Two thirds (65%) say that the board is kept informed of cyber risks in the supply chain.
Annex 1: Composition of sample
Where a category applies to fewer than five organisations, we have suppressed the figure to prevent the data from being disclosive. This is marked by ‘*’.
| Sector | 2020 | 2021 |
|---|---|---|
| Utilities | 9 | 9 |
| Mining/Minerals/Natural Resources | 1 | * |
| Technology/Media/Telecoms | 9 | 12 |
| Construction | 7 | 6 |
| Manufacturing | 7 | 15 |
| Transport/Distribution | 8 | 5 |
| Services/Retailing | 27 | 30 |
| Financial/Banking/Insurance | 21 | 17 |
| Other | 13 | 11 |
| Employees | 2020 | 2021 |
|---|---|---|
| 1-999 | 17 | 25 |
| 1000-4,999 | 39 | 43 |
| 5,000+ | 44 | 39 |
| Job Title | 2020 | 2021 |
|---|---|---|
| Chief Executive | 31 | 50 |
| Chairman | 27 | 20 |
| Chief Financial Officer | 17 | 17 |
| Managing Director | 5 | 5 |
| Finance Director | 6 | * |
| Chief Operating Officer | 3 | * |
| Chief Information Officer | 1 | * |
| Public Relations/Corporate Affairs Director | 6 | * |
| Other | 9 | 6 |
| FTSE | 2020 | 2021 |
|---|---|---|
| FTSE 100 | 16 | 15 |
| FTSE 250 | 22 | 23 |
| Other listed and Private | 64 | 69 |
Annex 2: Interpretation of findings and statistical reliability
The survey results are estimates and subject to margins of error, which vary with the size of the sample and the percentage figure concerned.
Only a sample of the ‘population’ has been interviewed so we cannot be certain that the figures obtained are exactly those we would have found, had everybody been interviewed (the ‘true’ values).
For any percentage given, however, we can estimate ‘confidence intervals’ within which the true values are likely to fall. For example, if 19% of Captains say their business will improve in the next 12 months we can be 95% sure that the ‘true’ value for the population would be between 11 and 27, i.e. a margin of 8 percentage points on each side.
Similar margins for other percentages and sub-groups of the respondents are given in the following tables. It should be remembered that, in any case, the ‘true’ finding is much more likely to be towards the centre of the possible range of responses than towards the margins.
For similar reasons, apparent differences in results relating to sub groups may, if small, not necessarily reflect genuine attitudinal differences. We can be 95% sure that differences exceeding those in the second table are genuine, or ‘significant’ differences.
Similar margins for other percentages and sub-groups of the respondents are given in the following tables. It should be remembered that, in any case, the ‘true’ finding is much more likely to be towards the centre of the possible range of responses than towards the margins.
For similar reasons, apparent differences in results relating to sub groups may, if small, not necessarily reflect genuine attitudinal differences. We can be 95% sure that differences exceeding those in the second table are genuine, or ‘significant’ differences.
Examples of statistical reliability
| 95% Confidence Interval | |||||
|---|---|---|---|---|---|
| Sample size | 10% or 90% | 20% or 80% | 30% or 70% | 40% or 60% | 50% |
| ± | ± | ± | ± | ± | |
| c.100 (all Captains) | 6 | 8 | 9 | 10 | 10 |
| c.80 (example subgroup) | 7 | 9 | 10 | 11 | 11 |
| c.50 (example subgroup) | 8 | 11 | 13 | 14 | 14 |
Further information
The Department for Digital, Culture, Media & Sport would like to thank Ipsos MORI for its work in developing the survey and carrying out the fieldwork.
For general enquiries contact:
Department for Digital, Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ
Telephone: 020 7211 6000
Email: enquiries@dcms.gov.uk