Information Security Management

Cyber Security Survey 2026

Everything you always wanted to know but didn’t DARE to ask.

This survey is designed to get beneath the surface of polite answers and really find out what people are thinking about security and what they are doing about it.

An anonymous survey. One goal: To find out what’s actually happening inside organisations – not what gets said at conferences.

3 minutes max.

If you want the overall results emailed to you when they are collated in June 2026, leave your address at the end of the survey.

What's your role?

Founder / CEO / MD
CISO / Head of Security
IT leadership (CTO, IT Director, Head of IT)
Security practitioner (analyst, engineer, consultant)
Compliance / risk / audit
Other leadership (CFO, COO, etc.)
Individual contributor (non-security)

Be honest, how seriously does your organisation take cybersecurity?

It’s firmly embedded in how we operate
Seriously enough, but there are gaps we haven’t filled
In name only – policies exist but aren’t really followed
It often feels like security theatre – more talk than action

Has a security concern at your company ever been quietly swept under the carpet?

Yes – and I was involved in sweeping it there
Yes – but it was downplayed rather than ignored
Yes – I tried to raise it and got nowhere
Probably, but I’m not close enough to know
Not that I’m aware of

Has anyone at your company ever seriously downplayed or hidden a security incident?

Yes, I know of specific cases
Probably – but nothing official was ever said
I don’t believe so
Yes – and honestly it was the right call at the time

Have you ever told a client or prospect your security was better than it actually is?

Yes, deliberately
Yes, but more through framing and wording
No, never
I’ve been pressured to

Have you ever recommended or signed off on a security control you didn't personally believe was necessary?

Yes – because the auditor or client required it
Yes – to cover myself politically
No, I push back when I disagree
I’m not in a position where this comes up

What proportion of your security spend exists primarily to satisfy auditors, certifications, or client requirements rather than reduce actual risk?

When a security policy conflicts with getting work done, which wins?

Security, always – we hold the line
Work, usually – people find workarounds
Work, always – nobody really enforces the policies
We don’t have policies worth conflicting with

What's really going on with your employees and AI tools?

We have clear policies and people follow them
We have policies but I know people are using AI tools on the side
We don’t really have policies – it’s the Wild West
AI tools are actively encouraged, no restrictions

Complete your submit

Do you believe your organisation is too small or obscure to be a real target?

Yes
I used to – not anymore
No, never believed that
I know it’s irrational, but yes

How vulnerable does your business feel right now?

Very – I worry about it
Somewhat – there are things I know we should fix
About average – no more exposed than anyone else
We’ve got it handled – I’m comfortable with our posture

Complete the sentence: "The person most likely to cause a breach at my company is…"

The CEO or senior leadership
A well-meaning employee having a bad day
A disgruntled ex-employee
Me, if I’m being honest

When you read about a breach in the news, what's your honest first reaction?

“That really could have been us”
“Amateurs – we’d never let that happen”
“I wonder what they’re not telling us”
“I barely register them anymore”

Honestly, what's your biggest security risk right now?

Your own employees (not malicious – just human)
Leadership who think they’re exempt from the rules
Third-party suppliers you don’t really control
Outdated technology nobody wants to pay to replace
Lack of resources/funding
The organisation simply doesn’t value it

If ransomware hit you tomorrow, are you prepared?

Yes. Fully. Ready and waiting.
I think so, but not fully confirmed
I’m not at all sure
I know for a fact we aren’t ready

Do your leadership team take an active role in security?

Actively involved – set direction, fund it, and are held accountable
Supportive, but mostly hands-off
Only engage after incidents or pressure
Largely disengaged

Do you actively track and manage risks?

Yes sir, we are all over them.
Occasionally we’ll look at risks as a team.
Only informally and infrequently
Never, or almost never – always reactive.

What security tools do you genuinely recommend to others? (Free text)

What's the most dangerous thing you witnessed in security

If you would like to see the overall results of the survey when completed, please submit your email (it will not sign you up to any lists or be shared)