Could complacency, lack of communication and skills-shortage prevent organisations from tackling cyber attacks?

Key findings from IT Governance’s 2014 Boardroom Cyber Watch Survey

This week IT Governance revealed the findings from its ‘2014 Boardroom Cyber Watch Survey’ which is the second annual survey we have undertaken.


As someone closely involved in the project, I am delighted that 240 respondents took part in the survey, representing a wide variety of industry sectors and an international sample of countries. I am also grateful to all those chief executives, board directors and IT professionals who took the time to share their views and experience.

The key findings below reveal some of the cyber security issues organisations continue to face, and I hope that our 2014 Boardroom Cyber Watch Report provides some guidance as to how these can be addressed.

  • Organisations remain complacent about the risks

73% of our respondents believe they are capable of repelling cyber attacks, but recent attacks on Target, eBay and AOL, the discovery of the Heartbleed vulnerability and the spread of malicious software like GameOver ZeuS paint a very different picture. This complacency may be based on an underestimation of the current cyber threat landscape and/or an overestimation of existing cyber security measures.

  • Cyber security breaches can go undetected

Partly contradicting the above confidence, almost 36% of respondents believe their company was probably subject to undetected cyber attack in the past year, while almost 21% did not know.

  • The IT function and the board don’t communicate

A large proportion of boards are still in the dark about the current state of their companies’ cyber defences: 32.5% of respondents say their boards receive no regular reports on this topic.

Worryingly, almost a third of respondents (29%) believe that fear of retribution might be discouraging the IT department from fully disclosing details of cyber breaches to top management.

  • Lack of cyber security knowledge in the boardroom

30% of respondents say that their boards lack the knowledge and qualifications to exercise effective governance in this area, and 19% don’t know.

  • Cyber resilience is replacing cyber security

51% of those surveyed now accept the inevitability that some attacks will be successful and are more pragmatic, stating their objective as ‘cyber resilience’ – the ability to minimise successful attacks and to recover quickly when breaches are suffered.

  • Growing customer demands for assurance

55% of respondents say that their customers enquired about their information security credentials in the past 12 months. This represents an increase from 50% in our 2013 study, and indicates a rising level of demand for best-practice standards such as ISO/IEC 27001.

Download the full report here: