Cyber Readiness Stalls Despite Overconfident Leaders

According to Infosecurity Magazine, cyber readiness progress has completely stalled despite organizations feeling more confident than ever. The 2025 Cyber Workforce Benchmark Report from Immersive reveals that 91% of leaders now believe their organizations could handle a major incident, but resilience scores have remained flat since 2023. The median response time to complete critical security exercises is still stuck at 17 days, and when running the “Orchid Corp” crisis scenario, participants averaged just 22% decision accuracy while taking 29 hours to reach containment. Part of the problem is that only 41% of organizations include non-technical roles in their simulations, and 60% of training focuses on vulnerabilities that are more than two years old.

The Dangerous Confidence Gap

Here’s the thing about that 91% confidence number – it’s basically meaningless when you look at the actual performance data. Organizations are spending more money, doing more training, and feeling better about their capabilities, but they’re not actually getting any better at responding to real crises. The fact that decision accuracy sits at just 22% during simulated incidents should be absolutely terrifying for anyone responsible for cybersecurity. I mean, think about that – you’ve got teams making wrong decisions nearly 80% of the time when under pressure, but leadership thinks everything’s fine? That’s a recipe for disaster waiting to happen.

What’s Actually Going Wrong With Training

So why is this happening? Well, the report points to some pretty fundamental flaws in how organizations approach cyber readiness. First, they’re mostly training technical staff while leaving business decision-makers out of the loop. When you’ve got HR, legal, and executive teams who’ve never practiced making crisis decisions, they’re going to freeze or make bad calls when real incidents hit. Second, training on two-year-old vulnerabilities is like preparing for last year’s weather – it might look similar, but the actual threats have moved on. Organizations need to recognize that industrial panel PCs and other critical infrastructure components face constantly evolving threats that require up-to-the-minute readiness.

What Real Resilience Actually Looks Like

James Hadley from Immersive nailed it when he said “readiness isn’t a box to tick, it’s a skill that’s earned under pressure.” That’s the core issue here – too many organizations treat cybersecurity as a compliance exercise rather than building actual capability. They’re checking boxes, running the same old simulations, and patting themselves on the back while their actual response times and decision quality stagnate. Real resilience means constantly testing across every business function, not just the IT department. It means practicing with current threats, not historical ones. And it means being honest about performance gaps instead of relying on confidence surveys that clearly don’t reflect reality.
