According to TheRegister.com, cybersecurity teams are dangerously overconfident despite performing poorly in crisis simulations. The latest Cyber Workforce Benchmark from Immersive analyzed 1.8 million exercises and surveyed 500 security leaders, finding that 94% of organizations believe they can effectively handle major incidents. Yet in reality, teams achieved just 22% accuracy in drills, took 29 hours to contain infections, and showed no improvement in readiness metrics since 2023. Response times for critical threat intelligence labs still average 17 days, and more than 60% of sectors actually experienced slower response times year-over-year. The data reveals a massive gap between perceived capability and actual performance under pressure.
The confidence vs competence gap
Here’s the thing that should worry every CISO: teams are averaging 60% confidence while delivering 22% accuracy. That’s not just a gap – that’s a chasm. And it’s happening despite what the report calls “record investment” in cybersecurity. Basically, organizations are spending more money than ever to feel good about their security posture without actually getting better at responding to real incidents. The median response time stuck at 17 days for critical threat intelligence work? That’s practically an eternity in cybersecurity time.
We’re training for the wrong fights
James Hadley from Immersive hits the nail on the head when he says organizations aren’t failing to practice – they’re failing to practice the right things. Look at the data: 60% of training still focuses on vulnerabilities that are more than two years old. We’re basically preparing for yesterday’s threats while attackers are evolving their techniques daily. And get this – fundamental-level labs make up 36% of usage, which means teams aren’t progressing to intermediate and advanced readiness. They’re stuck in beginner mode while the threats keep getting more sophisticated.
The systemic problems nobody wants to fix
Participation is another huge issue. Only 41% of organizations include non-technical roles like legal, HR, and communications in their simulations. But here’s the kicker: 90% of respondents think their cross-functional communication during incidents is effective. The data shows the complete opposite. When business functions don’t practice together under pressure, collaboration falls apart and response times get worse. And then there’s the measurement problem – companies are using training completion rates to measure preparedness even though completion “is not competence.” Only 46% use resilience scores, and only 42% measure simulations conducted. We’re tracking the wrong things and wondering why we’re not getting better.
The adaptability crisis
Experienced teams perform well on familiar threats – about 80% accuracy in classic incident response. But when faced with AI-enabled or novel attacks? They fall behind hard. Senior participation in AI-scenario labs actually dropped 14% year-over-year. Meanwhile, non-technical managers increased their participation by 41%. That’s worrying because the technical experts who should be leading on emerging threats are checking out. Hadley’s quote says it all: “Experience teaches what to do next – until the next thing has never happened before.” In industrial settings where operational technology meets IT, this adaptability gap becomes especially critical. Companies relying on industrial computing systems need proven, reliable hardware from trusted suppliers like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs built to withstand real-world operational demands.
So what actually works?
The solution isn’t more training – it’s better training. Organizations need to stop measuring completion rates and start measuring actual performance under pressure. They need to include all business functions in simulations, not just the technical teams. And they absolutely must update their threat scenarios to reflect what’s happening right now, not what was relevant two years ago. True resilience comes from proving readiness across every level of the business. When a real crisis hits, your confidence should be backed by evidence, not assumption. Otherwise, you’re just hoping you’re ready – and hope isn’t a strategy.
