Cybersecurity Preparedness Lags Despite Leaders’ Confidence

Security leaders often express confidence in their organizations’ readiness for significant cyber incidents, yet performance data reveals a starkly different reality. According to the latest findings from the Cyber Workforce Benchmark Report by Immersive, many teams are failing to execute essential steps during practice scenarios, leading to a widening gap between perceived preparedness and actual capability.

Despite claims of mature readiness programs, organizations are not seeing the expected improvements in cyber performance. Security teams report high participation rates in training activities, and boards receive regular updates, creating an illusion of progress. However, key metrics related to readiness have remained flat. Response times have not seen improvement, and decision-making accuracy during critical incidents is still alarmingly low. Teams often struggle in fast-paced scenarios that require quick action from both technical and business roles.

A significant issue contributing to this disconnect is that many organizations prioritize tracking activity over capability. While metrics like completion rates and attendance figures may suggest maturity, they do not accurately reflect how teams perform under pressure. As confidence in these numbers rises, actual performance does not follow suit.

Key Factors Impeding Progress

The report highlights several underlying causes for the stagnation in cybersecurity readiness. A major concern is the focus of training exercises, which often revolve around familiar threats. Many practice scenarios still target older attack types, reinforcing basic skills but failing to address the evolving tactics used by today’s cyber attackers. As a result, teams are preparing for past incidents while new techniques continue to emerge.

Furthermore, many organizations limit their training to early-stage skills, neglecting intermediate and advanced topics. This narrow focus hampers the development of essential capabilities, leaving teams unable to adapt to more complex threats. For instance, while incidents can impact various business functions—such as legal, communications, human resources, and finance—these groups are frequently excluded from simulations. The absence of practiced coordination slows down overall response efforts when real incidents occur, as technical teams cannot compensate for unprepared business roles.

Another issue arises from the misalignment of training frameworks with actual attack behaviors. Often, organizations adhere strictly to compliance frameworks, which may fulfill audit requirements but do not accurately reflect how attackers operate. Teams tend to concentrate on the initial phases of an intrusion while spending little time on critical later stages, such as lateral movement, collection, or exfiltration. These gaps remain unnoticed until an attacker exploits them.

As cyber threats evolve, security leaders anticipate a rise in AI-driven attacks, including synthetic media and adaptive phishing techniques. The report indicates uneven participation in AI-focused exercises, with senior technical staff often less engaged than their non-technical counterparts. This imbalance can introduce additional risk, as experience with familiar threats may limit adaptability in the face of new challenges.

Shifting the Focus for Effective Training

To improve readiness, teams must engage in practice that challenges ingrained patterns and prepares them for unfamiliar scenarios. Without this shift, organizations risk falling behind in their responses to AI-driven incidents. James Hadley, Chief Innovation Officer at Immersive, emphasizes that “readiness isn’t a box to tick; it’s a skill that’s earned under pressure.”

Boards of directors often receive positive updates based on metrics that teams track, such as participation or policy completion. When organizations focus solely on easy-to-measure statistics, they create a misleading narrative of progress that does not reflect true capability. This cycle leads to increased investment and confidence despite stagnant performance.

While security leaders may recognize existing gaps, the lack of concrete performance data hampers efforts to initiate necessary changes. Without a clear understanding of actual capabilities, perceptions will continue to outpace reality, leaving organizations vulnerable to evolving cyber threats.