Research and Reports
Starkhorn publishes original, anonymised research drawn from the assessment suite completed by leaders across UK mid-market businesses and not-for-profit organisations. No surveys, no vendor spin: just aggregated findings from real organisations doing the work.
This is an emerging research programme. Findings are published only when the dataset supports reliable conclusions, and never before. What follows explains where the data comes from, which assessments contribute, and what will be published as the dataset grows.
Every free assessment on this site produces a scored result for the organisation that completes it. With participant consent, those responses feed an anonymised, aggregated dataset. No organisation is identifiable. No individual response is shared. The dataset grows continuously as more leaders complete assessments across the catalogue.
As the dataset reaches statistically meaningful volume for each instrument, Starkhorn will publish findings. We will not publish until the data supports reliable conclusions.
The first Starkhorn research report, working title State of UK Board Cyber Governance, draws on aggregated responses to the Board Cyber Governance assessment.
The report will examine how UK boards across mid-market and not-for-profit organisations are engaging with cyber risk: where governance is maturing, where structural gaps remain, and what distinguishes organisations that are genuinely prepared from those that believe they are.
It will cover board-level ownership and accountability for cyber risk, the gap between policy existence and operational effectiveness, cyber incident response readiness at board level, how preparedness varies by organisation size, sector and governance model, and what good looks like, drawn from the highest-scoring cohort in the dataset.
The report publishes when the dataset is large enough to draw reliable conclusions. Register below to be notified on publication.
Most published research on technology leadership and cyber governance comes from software vendors, consultancies with something to sell, or global surveys that flatten regional and sector nuance beyond usefulness.
Starkhorn's data is generated by practitioners completing structured self-assessments, not by survey respondents answering abstract questions. The dataset reflects UK organisations in the 100 to 5,000 employee range and the GBP 30m to GBP 4bn turnover band, the segment that is consistently underserved by published research.
Findings include privately-owned businesses, PE-backed portfolio companies and not-for-profit organisations, so the picture is sector-balanced rather than enterprise-skewed. Starkhorn has no software to sell and takes no referral fees, so there is no commercial incentive to shape findings toward a product outcome.
The methodology is straightforward: structured instruments, consistent scoring, anonymised aggregation, findings published when the dataset is sufficient.
Each Starkhorn assessment is a standalone diagnostic. Leaders use them to benchmark their organisation and identify priority actions. The same structured responses, pooled and anonymised, form the research dataset.
All assessments in the live catalogue are free, ungated and available now. You can explore the full range from the Free Tools hub. Roadmap instruments will join the dataset as they launch.
No individual response is ever published or shared. No organisation is identified in any published finding. Data is aggregated only; findings describe patterns across the cohort, not any single case.
Participants can opt out of the research dataset at any time by contacting Starkhorn directly. No third party receives access to assessment response data.
Research findings will be published in plain language. Where the data does not support a conclusion, Starkhorn will say so rather than speculate.
| Assessment | What It Measures | Research Status |
|---|---|---|
| Board Cyber Governance | Board-level accountability, oversight and readiness for cyber risk | Contributing to dataset now |
| Technology Leadership Gap | Presence, capability and seniority of technology leadership in the organisation | Contributing to dataset now |
| Technology Health Check | Operational health of IT systems, processes and governance | Contributing to dataset now |
| AI Readiness Check | Organisational and governance readiness to adopt AI responsibly | Contributing to dataset now |
| Cyber Essentials Readiness | Alignment with NCSC Cyber Essentials baseline controls | Contributing to dataset now |
| Cyber Essentials Plus Readiness | Readiness for independent Cyber Essentials Plus verification | Contributing to dataset now |
| Cyber Insurance Readiness | Alignment of controls and documentation with insurer requirements | Contributing to dataset now |
| Process Maturity Assessment | Maturity and consistency of core IT and operational processes | Contributing to dataset now |
| AI Governance and EU AI Act Readiness | Governance frameworks and compliance posture for EU AI Act obligations | Roadmap |
| Cyber Security Risk Assessment | Structured risk identification and scoring across the cyber threat landscape | Roadmap |
| ISO 27001 Gap Analysis | Gap between current controls and ISO 27001 certification requirements | Roadmap |
| Ransomware Readiness Assessment | Detection, containment and recovery capability against ransomware threats | Roadmap |
| IT Operating Model Scorecard | Fitness of the IT operating model for the organisation’s size and ambition | Roadmap |
When will the first report be published?
The State of UK Board Cyber Governance report publishes when the Board Cyber Governance dataset reaches the volume needed to draw reliable conclusions. We are not publishing to a fixed calendar date. Register to be notified and you will hear as soon as the report is ready.
Will my organisation’s responses be identifiable in any published findings?
No. All research findings are anonymised and aggregated. No organisation name, sector label or any other identifying detail appears in published research. If you have specific concerns about your data, contact Starkhorn directly.
Are the assessments themselves free to complete?
Yes. Every live assessment in the Starkhorn catalogue is free and ungated. You do not need to provide payment details or speak to anyone to get your results.
Who is the research intended for?
The research is aimed at technology and business leaders in UK organisations with 100 to 5,000 employees and turnover between GBP 30m and GBP 4bn, spanning privately-owned businesses, PE-backed portfolio companies and not-for-profit and charitable organisations. These are the organisations the assessments are built for and the cohort the dataset reflects.
How is Starkhorn’s research different from vendor-published reports?
Starkhorn has no software product and takes no referral fees or broker commissions. There is no commercial incentive to skew findings toward a particular technology category or vendor. The data comes from structured assessments completed by practitioners, not from abstract survey questions, and reflects a UK mid-market and non-profit cohort that larger research programmes routinely underserve.
Can I use Starkhorn research findings in my own board reporting?
Published Starkhorn research is free to reference and cite, provided Starkhorn is credited as the source. If you are using findings for a specific governance or regulatory purpose and need clarification on the methodology, contact Starkhorn directly.
What happens to data from roadmap assessments that are not yet live?
Roadmap assessments are not yet live and therefore not yet collecting data. Once they launch and begin generating responses, they will be added to the research dataset on the same terms as the live catalogue.
Be First to Receive the Findings