Misalignment and Risk Tolerance Gaps Undermine Business Resilience, Kroll Study Finds

Key Takeaways

• Cyber risk is widely acknowledged, but alignment is lacking. While 94% of organizations view cybersecurity as a primary business risk, 72% report frequent misalignment between cybersecurity efforts and broader business priorities
• Budget decisions are increasingly centralized, despite a knowledge gap. Nearly half of businesses (48%) say the CEO now makes the final decision on cyber budgets, however 43% reported limited cyber literacy amongst executives
• Investment in cloud and third-party security is set to rise by 59%, yet there are no planned increases, and in some cases declines, in funding for the most frequent and fastest-growing areas of risk: people and identity

New York, NY - Kroll, the leading independent provider of global financial and risk advisory solutions, today released global cyber resilience research findings revealing a critical gap between organizations' perception of their cyber preparedness and their actual capability to defend against, and recover from, sophisticated attacks. This gap is being driven by misalignment between the C-suite and cyber decision-makers. This disconnect is costly, as organizations face a yearly average of $2.2 million in recovery costs and downtime from cyber incidents.

The Misalignment Problem: Strategy vs. Execution

Investment in cybersecurity is rising across the board as the majority (80%) of organizations have increased budgets in 2026. However, the bulk of the investment is not set to prioritize the technology that will protect against the most common attack vectors which target people, credentials and internal processes.

• 59% of organizations are increasing spending on cloud and third-party security. Yet identity-based tactics like phishing (39%) and business email compromise (28%) are experienced most by businesses.
• Crucial proactive security measures appear to be dropping in the order of priority with organizations cutting, or not investing further budget, in red and purple teaming (55%), identity access management (IAM) controls and zero-trust architecture (52%).
• Nearly half (48%) of businesses say the CEO now makes the final decision on cyber budgets. However, limited cyber literacy among executives (43%) is reported as a barrier for aligning business strategy with cyber priorities.

Overestimation of Resilience

While most organizations believe they are prepared for cyber threats, their actions tell a different story:

• While 99% of organizations have an incident response plan, only 3% only update them after a cyber incident. Plans become static documents, not living tools refined by experience.
• Only 10% of organizations have achieved "very high" cyber maturity. However, those with higher maturity experience 50% less financial impact per dollar of revenue when cyber incidents occur.
• 36% of organizations acknowledge gaps in how threats are prioritized, with differing risk tolerance (51%) cited as the leading cause.
• 72% of organizations believe they can respond to an incident within 1-24 hours. Independent research from CrowdStrike shows that attackers establish a foothold in just 29 minutes. By the time most organizations mobilize a response, attackers have already moved laterally through the network.

Tiernan Connolly, Managing Director of Cyber and Data Resilience, Security Advisory at Kroll, says, "Board-level executives are often shocked by how one vulnerability or compromised system can cascade into a company-wide business interruption. They may understand the risk intellectually, but it rarely resonates operationally until they experience the impact firsthand. Until an actual incident forces that awareness, cyber budget line items tend to be treated as checking a box rather than being a strategic priority to protect, restore and maximize business value. Understanding business interruption as a core consequence, and directly linking it back to proactive controls, is how CISOs and security teams avoid reaching that costly breaking point."

Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll, says, "In today's increasingly turbulent threat landscape, organizations face compounding cyber pressures, from more sophisticated threat actors to widening supply chain vulnerabilities. That pressure is amplified by geopolitical activity, such as the situation in the Middle East. Strategic decisions and execution realities can shift without warning. In an environment defined by uncertainty, businesses need to adapt quickly and confidently, even as the risk picture evolves in real time."

"Cyber resilience and security aren't simply technology challenges, they are fundamental to overall business resilience. Too often, cyber leaders are pulled between the drive to innovate and a hard truth: basic cyber hygiene failures remain the most common point of entry."

"Our strategic partner CrowdStrike reports an average breakout time of just 29 minutes for attackers to move from initial access to broader infiltration. Yet many companies are pouring investment into advanced tools and threat intelligence while underinvesting in identity management, effective threat prioritization, and incident response readiness - gaps that can significantly increase exposure. Organizations that strengthen their cyber foundations will be better positioned to align strategy with execution, focus investments where they matter most and deliver stronger, more consistent defense."

You can access the full report on the Kroll website.

About the Research
Kroll commissioned independent research firm Sapio Research to conduct a comprehensive study into cybersecurity resilience and risk alignment in enterprise organizations. The research surveyed 1,000 cybersecurity decision-makers at companies with annual revenues from $50 million to more than $5 billion across 10 countries: the United Kingdom and Ireland (150), Germany (50), Switzerland (50), the United States (450), Japan (125), Singapore (50), Australia (25), the United Arab Emirates (50) and Saudi Arabia (50). The survey was conducted in November and December 2025.

About Kroll
As the leading independent provider of financial and risk advisory solutions, Kroll leverages our unique insights, data and technology to help clients stay ahead of complex valuation demands. Kroll's team of more than 6,500 professionals worldwide continues the firm's nearly 100-year history of trusted expertise spanning risk, governance, transactions and valuation. Our advanced solutions and intelligence provide clients the foresight they need to create an enduring competitive advantage. At Kroll, our values define who we are and how we partner with clients and communities. Learn more at kroll.com.

For media inquiries, please contact:
Emma Thompson
[email protected]
+44 20 70295384
+44 7540 302090

Lori Feinsilver
[email protected]
+1 212 450 8155

[email protected]