News and Analysis

UK CEOs are placing huge demands on security professionals, with most now expecting to be notified of a cyber attack within half an hour – they even want basic operations back up and running within a day.That’s according to new research from Cohesity, which found two-third expect to be notified within 30 minutes, and 19% within just five. Meanwhile, 14% think they should have basic business operations restored within an hour and 38% within a day; only 11% thought a week was reasonable. These high expectations are placing significant pressure on cybersecurity teams, the study noted, but the figures do track with the UK government’s recent Cyber security breaches survey.The report noted that the “vast majority” of businesses (87%) reported being able to restore their operations within just 24 hours. “More than seven-in-ten businesses (72%) and charities (76%) said it took ‘no time at all’ to recover,” the report said. Some are taking a more conservative approach to long-term recovery timelines, however. Around 15% said they expect to be fully operational in the wake of an attack within a few weeks. Who’s responsible for cyber attack recovery?Crucially, the Cohesity report found executives aren’t aligned on who should be notifying them about a breach and managing the recovery. A quarter told researchers that it should be the security advisory board, with 21% citing the CTO and the same number the CISO.The same pattern appears when CEOs are asked who decides what gets restored first in order to resume basic business operations. Responsibility is spread across the entire board, at 23%, the CTO at 21%, the CEO personally at 20%, and the security advisory board at 14%. “CEOs are signaling that cyber incidents now come with performance consequences. With expectations this high, organizations need a clear chain of command in place, so decisions are made quickly and confidently,” said Fraser Hutchison, VP UKI at Cohesity.“Cyber attack recovery is now a board-level issue. CEOs expect to restore basic business operations fast, but many organizations still haven’t defined who alerts leadership, who decides what ‘minimum viable’ means, or what gets restored first.”Hutchison warned that without a “clear plan agreed in advance”, critical decisions can be “contested in the heat of the moment”. This, the report noted, ultimately slows down recovery. AI throws a spanner in the worksDecisions around recovery are being made more difficult by the fractured state of AI governance across large UK businesses, according to Cohesity, with ownership of AI security distributed across as many as five different executive roles. Four-in-ten survey respondents said the CTO was responsible for AI cybersecurity, followed by the CISO (31%), CIO (29%), CSO (26%), and CAIO (22%). Researchers said this means that in many organizations, multiple executives hold a partial stake in AI security with no single owner. Meanwhile, the person responsible for restoring AI systems after an attack is often not the same person who governs them day to day: the CIO leads on AI policy at 30% of businesses, while the CTO leads AI cybersecurity at 41%. A further 20% of businesses have had to create an entirely new role to own AI policy at all, and 11% have no owner or are unsure.“AI is accelerating how organizations run, and it’s raising expectations for speed everywhere including recovery from a cyber attack. But speed without clear ownership, and confidence in what you’re restoring can turn a cyber incident into a prolonged business crisis,” said James Blake, Cohesity global vice president of cyber resilience and consultancy strategy. “The organizations that recover best are the ones that define Minimum Viable Company upfront, assign clear decision rights, and rehearse recovery as an operational discipline, not just a technical process.”FOLLOW US ON SOCIAL MEDIA