CEOs and the cyber risk: secret fears, uncertainty and discomfort

April 28, 2023

CEOs, regardless of their education, must become significantly more cyber-literate, like it or not. So said Fortune’s senior editor Geoff Colvin, analyzing the outcome of the latest report from ISTARI, a global cybersecurity firm established by Temasek, the Singapore state investment company.

The study, prepared in collaboration with the University of Oxford’s Saïd Business School, shares insights from thirty-seven one-hour-long, face-to-face interviews with American, Asian and European CEOs whose businesses have an average annual revenue of $12 billion and employ an average of 40,000 people. Nine of the CEOs interviewed had guided their company through a serious cyberattack.

Under the condition of anonymity, the CEOs spoke with remarkable honesty about their feelings, frustrations and regrets about cyber threats and security. The majority (72%) said they were uncomfortable making decisions about cybersecurity, which often leads them to delegate responsibility for, and understanding of, the subject to their technology teams, and that can jeopardize resilience.

“Many CEOs we spoke with highlighted the agonies of having to make existential decisions on imperfect information under extreme pressure in an area they lack familiarity and intuition,” co-author of the report, Dr. Manuel Hepfer, Head of Knowledge and Insights at ISTARI and a Research Affiliate at Saïd Business School, said.

The study outlines four mindsets CEOs should adopt to build cyber resilience:


“All CEOs interviewed said they feel accountable for cybersecurity. However, a parallel ISTARI survey of Chief Information Security Officers (CISOs) found one in two European (50%) and almost a third of US (30%) CISOs did not believe that their CEOs feel accountable. This gap in perception, according to the research, lies partly in the meaning of accountability: instead of seeing themselves as accountable – being the face of the mistake – CEOs should assume co-responsibility for cyber resilience together with their CISO.”

Informed trust

“CEOs should stay away from blindly trusting their technology teams. Instead, they should move to a state of informed trust about their enterprise’s cyber resilience maturity.”

Preparedness paradox

“CEOs should embrace what the authors call the ‘preparedness paradox’: an inverse relationship between the perception of preparedness and resilience – the better-prepared CEOs think their organization is for a serious cyberattack, the less resilient their organization likely is, in reality.”


“CEOs should adapt their communication styles to regulate pressure from external stakeholders who have different and sometimes conflicting demands. Depending on the stakeholder and the situation, CEOs should either be a transmitter, filter, absorber or amplifier of pressure.”

Source: ISTARI | Saïd Business School