Cyber readiness is stalling as over-confident teams ignore the reality that incident response times have not improved despite more spending and oversight, according to Immersive.
The cyber-training vendor’s Cyber Workforce Benchmark Report 2025 is based on anonymized data collected from the Immersive One platform, simulated exercises across technical and business functions, and a readiness perception survey.
A resilience score quantifies organizational readiness across skills, practices, decision-making performance, framework coverage and adaptability to new threats.
The study found that, while 91% of leaders now say their organization could handle a major incident, resilience scores have remained flat since 2023, and the median response time to complete critical “labs” or exercises remains 17 days.
Read more on cyber readiness: #Infosec2024: Cyber Resilience Means Being Willing to Learn From a Crisis
When running Immersive’s “Orchid Corp” crisis scenario, participants averaged just 22% decision accuracy and took 29 hours to containment.
Part of the reason for the lack of progress on cyber readiness is that only two-fifths (41%) of organizations include non-technical roles in their simulations, meaning critical business decisions go untested until the real thing, Immersive claimed.
The firm added that 60% of training activity focuses on vulnerabilities that are more than two years old, meaning teams are unprepared to deal with today’s threats.
How to Improve Cyber Readiness
The Immersive report had several recommendations for improving cyber resilience and readiness.
It urged organizations to:
- Establish regular readiness training and rotate scenario types
- Ensure training is fully completed and not just attempted
- Involve senior leadership directly, through executive simulations, readiness briefings and the appointment of a readiness oversight sponsor
- Expand readiness efforts beyond IT to include representatives from legal, comms, HR and elsewhere
- Focus on current CVEs and integrate threat intelligence feeds into the training roadmap
- Focus readiness efforts on the three pillars of: “prove, improve, report”
“Readiness isn’t a box to tick, it’s a skill that’s earned under pressure,” said James Hadley, founder of Immersive.
“Organizations aren’t failing to practice; they’re failing to practice the right things. True resilience comes from continuously proving and improving readiness across every level of the business, so when a real crisis hits, your confidence is backed by evidence, not assumption.”
