Key Takeaways
- UK CEOs demand extremely rapid cyber attack notification, with 66% expecting alerts within 30 minutes and 19% within just 5 minutes.
- Recovery expectations are equally aggressive: 38% anticipate basic operations restored within a day, and 14% within an hour, though only 11% consider a week reasonable.
- Despite high leadership demands, actual recovery performance is often stronger than expected, with 87% of businesses restoring operations within 24 hours per government surveys.
- Significant confusion exists over accountability: no clear consensus exists on who should notify leadership (25% security advisory board, 21% each CTO/CISO) or decide restoration priorities (23% entire board, 21% CTO, 20% CEO).
- AI governance fragmentation exacerbates challenges, with ownership of AI security split across multiple roles (CTO 40%, CISO 31%, CIO 29%, CSO 26%, CAIO 22%), and restoration responsibility often differing from day-to-day governance.
- Experts emphasize that defining "Minimum Viable Company" upfront, assigning unambiguous decision rights, and treating recovery as a rehearsed operational discipline—not just a technical task—are critical for effective cyber resilience.
CEO Expectations for Rapid Cyber Attack Response
UK business leaders are imposing increasingly stringent timelines on cybersecurity teams following a breach. Cohesity’s research reveals that two-thirds (66%) of UK CEOs expect to be notified of a cyber attack within 30 minutes, with a notable 19% demanding alerting within just five minutes. This pressure extends to recovery speed, where 38% anticipate having basic business operations restored within a single day, and 14% believe this should occur within one hour. Only a small minority (11%) considered a week-long recovery period reasonable. These expectations place immense strain on security professionals, who must balance technical complexities with leadership’s demand for near-instantaneous transparency and action. The findings highlight a growing perception among executives that cyber incidents directly impact organizational performance and require immediate executive-level attention.
Reality Check: Actual Recovery Times vs. Leadership Demands
Despite the aggressive timelines set by CEOs, empirical data suggests actual recovery capabilities often exceed leadership pessimism. The UK government’s Cyber Security Breaches Survey, referenced in the Cohesity report, indicates that the "vast majority" of businesses (87%) successfully restore operations within 24 hours. Furthermore, more than seven-in-ten businesses (72%) and charities (76%) reported that recovery took "no time at all" to achieve. This discrepancy reveals a potential misalignment between leadership perceptions of cyber risk and the practical effectiveness of existing incident response measures. While CEOs push for sub-hour notification and same-day restoration, many organizations already demonstrate robust recovery abilities within standard business cycles. This gap may stem from either overly optimistic executive expectations or insufficient communication between technical teams and leadership about what constitutes feasible recovery timelines during active incidents.
The Responsibility Gap: Who Owns Cyber Incident Response?
A critical vulnerability exposed by the research is the lack of clarity regarding accountability during cyber incidents. CEOs are split on who should notify them of a breach: 25% favor the security advisory board, while 21% each point to the CTO and CISO as the primary owners of this duty. This ambiguity extends to recovery decisions, where no single entity holds clear authority over determining what systems or data get restored first to resume basic operations. Responsibility is diffused across the organization: 23% believe the entire board should decide, 21% assign this to the CTO, 20% to the CEO personally, and only 14% to the security advisory board. As Fraser Hutchison, VP UKI at Cohesity, warned, this fragmentation risks turning critical recovery decisions into points of contention "in the heat of the moment," ultimately slowing down response efforts. Without a pre-established chain of command, organizations face delays in initiating notifications, assessing impact, and executing recovery steps—precisely when speed is most vital.
AI Governance Fragmentation Complicates Recovery Efforts
The growing integration of artificial intelligence introduces additional complexity to cyber recovery planning, primarily due to diffuse ownership of AI-related security responsibilities. Cohesity found that AI cybersecurity accountability is scattered across multiple executive roles: 40% of respondents identified the CTO as responsible, followed by the CISO (31%), CIO (29%), CSO (26%), and CAIO (22%). This distribution means many organizations lack a single owner for AI security, with multiple executives holding partial stakes. Compounding this issue, the individual overseeing AI system restoration after an attack frequently differs from the one governing AI policy during normal operations. For instance, while the CIO leads AI policy at 30% of businesses, the CTO leads AI cybersecurity at 41%. Furthermore, 20% of companies have felt compelled to create entirely new roles to manage AI policy, and 11% report having no designated owner or being uncertain about accountability. As James Blake, Cohesity’s global VP of cyber resilience, noted, this fragmentation undermines confidence in recovery efforts—speed without clear ownership and validated restoration processes can transform a cyber incident into a prolonged business crisis, especially as AI accelerates operational expectations across the enterprise.
Building Resilience: Clear Planning and Defined Roles Are Critical
To bridge the gap between leadership expectations and operational reality, experts stress that proactive preparation is non-negotiable. Organizations must move beyond treating recovery as a purely technical exercise and instead embed it as a disciplined, rehearsed operational process. Central to this approach is the upfront definition of a "Minimum Viable Company"—a clear, agreed-upon baseline of essential functions, data, and systems that must be restored first to sustain core operations following an attack. Equally important is assigning unambiguous decision rights: specifying exactly who has the authority to notify leadership, declare an incident, prioritize restoration efforts, and approve recovery actions. Crucially, these plans must be tested regularly through tabletop exercises and simulations to ensure teams can execute them swiftly and confidently under pressure. As Hutchison emphasized, cyber attack recovery has unequivocally become a board-level issue, demanding the same rigor and pre-planning as financial or operational risk management. Organizations that institutionalize clear ownership, rehearse recovery protocols, and align leadership expectations with realistic capabilities will be best positioned to minimize downtime, preserve trust, and maintain resilience in an increasingly threat-laden landscape.