Cybersecurity budgets are up. CEOs are in the room. Everyone has an incident response plan. And yet, according to a new global survey, 72% of organizations still experience frequent misalignment between their cybersecurity priorities and broader business decisions. Spending more money on the wrong things doesn’t make you more secure.
I had an opportunity to chat with Adam Malone, a managing director at Kroll who runs the firm’s incident response, intelligence, and managed services portfolio. Before Kroll, Malone spent years as a special agent with the FBI focused entirely on cyber—working the Middle East desk, large enterprise takedowns, economic espionage cases. He’s seen attacks from both sides, and his framing of the new Kroll research reflects that.
Kroll commissioned Sapio Research to survey 1,000 cybersecurity decision-makers across 10 countries—organizations ranging from $50 million to more than $5 billion in annual revenue. Malone said the report was designed to address something he sees repeatedly in incident response work—not what attackers are doing, but why companies keep struggling to keep up. “I think there are a lot of organizations that are talking about what the attackers are doing, their strategic priorities, changes in tooling, tactics, and techniques. We missed the opportunity to see why companies still struggle.”
Nearly all respondents—94%—view cybersecurity as a core or top business risk. CEOs are now making the final call on cyber budgets at 48% of organizations. The C-suite is engaged. So why is the gap still widening?
Cyber Literacy Isn’t Keeping Pace With Cyber Authority
Part of the answer is the gap between owning the budget and understanding the problem. Forty-three percent of respondents identified limited cyber literacy among executives as a leading cause of misalignment. A shift in perspective may help close it.
“Part of the magic of this is labeling away the cyber work,” Malone told me. “This is about business risk. It’s about financial risk. Cyber is just a venue—it’s a technology-enabled venue. So it’s about partnering both business leaders that own those outcomes and the executive management team to understand how cyber might impact their goals.”
Executives have learned the buzzwords—ransomware, zero trust, identity, and cloud security. But knowing the vocabulary isn’t the same as understanding how those investments work end-to-end to protect specific business outcomes. Differing risk tolerance (51%) and limited executive cyber literacy (43%) topped the list of causes when respondents were asked why security and business priorities keep diverging.
Spending More on the Wrong Things
Eighty percent of respondents said their organizations increased cybersecurity budgets in 2026. The biggest area of new spending: cloud and third-party security, cited by 59%. That’s a real risk category. But it’s not where most attacks are actually coming from.
Phishing is the most commonly experienced attack at 39%, followed by cloud exploits at 31% and business email compromise at 28%. Two of the top three are identity- and people-focused. And yet organizations are simultaneously cutting investment in identity and access management controls, trimming red and purple teaming efforts, and reducing security headcount.
Malone pointed to a failure mode that doesn’t get enough attention—the gap between buying a tool and actually using it. He referenced CrowdStrike data suggesting a substantial share of their customers haven’t configured the platform to recommended best practices. You bought the potential for protection. You haven’t necessarily deployed it.
“Think about building a safe room. You go through all the planning and expense to build it—running water, air exchange, the door, the camera system, emergency communications. How often do you go and make sure all of that works?” explained Malone. “And more importantly, how fast can you get in there and turn everything on if somebody were to break in the front door tomorrow?”
The same thing applies to security tools. The purchase doesn’t equal the capability.
Overconfidence Is Its Own Risk
Ninety-nine percent of respondents said their organizations have an incident response plan. Ninety-one percent believe they can respond to a serious attack within 24 hours. According to CrowdStrike’s 2026 Global Threat Report, the average e-crime breakout time in 2025 was 29 minutes—a 65% increase from the year before. The fastest recorded was 27 seconds.
By the time most organizations realize something is wrong and start mobilizing, attackers have already moved laterally and taken what they came for. “In a matter of 12 to 20 hours, they weren’t taking the data—what they came after is already out the door,” Malone emphasized. “Organizations are still trying to figure out what happened.”
Those incident response plans are part of the problem, too. Only 3% of organizations update them after an actual cyber incident—the most important time to do so. Most update on a calendar schedule regardless of whether anything happened.
AI Makes the Gaps Worse
Seventy-six percent of respondents experienced a security incident involving AI applications or models in the past 24 months. Nearly half of organizations have little to no governance over how employees adopt AI tools, which means security teams are often managing risks they don’t fully know exist.
AI doesn’t introduce entirely new risk categories—it accelerates the existing ones. Weak identity controls, tools that aren’t properly configured, response plans that never get stress-tested. The same gaps that made organizations vulnerable before AI adoption make them more vulnerable after it.
Only 10% of surveyed organizations reached very high cyber maturity. That group has meaningfully fewer AI-related incidents and spends significantly more of their AI budget on actually testing security controls. The rest are largely adding AI capability on top of a foundation that hasn’t been validated.
The Fix Is Not a New Tool
When I asked Malone what he wanted people to take away from this research, his answer was pretty direct. “Both business leaders and security professionals have got to spend more time working together to understand the way their business works, and what’s at risk and how it’s going to be protected—and that needs to happen in the planning phases.”
After that, he said, risk owners need to engage with how things are actually protected and tested—not just sign off on budgets. And third: continual testing. Red teaming and purple teaming ranked near the bottom of investment growth priorities in the survey, which is telling. Those are the tools that show whether defenses actually work before a real attack forces the answer.
None of this is new. I’ve covered cybersecurity long enough to have seen a lot of surveys show the same basic pattern—awareness high, preparedness overstated, spending pointed in the wrong direction. What this research does is put specific numbers on exactly where the gaps are and what they’re costing. That’s useful. Whether organizations do anything about it is another matter.