Are you Experiencing a Cyber Resilience Hallucination?

A raw look into why 88% of UK leaders overestimate their security posture, how resilience reporting methods and processes are leaving companies vulnerable, and a new 6-part methodology to measure true operational resilience.

Based on a comprehensive study of 500 UK technology leaders and board members by Vision One and written by technology writer and editor Phil Muncaster.



Executive Summary

True cyber resilience is not a purely technical pursuit. It is a strategic discipline that protects reputation and profitability – giving businesses the confidence to invest in growth. Boards recognise this. We all do.

In fact, our research with 500 IT and cybersecurity leaders reveals that resilience ranks within the top five business priorities for 95% of organisations.

But as the threat landscape intensifies, corporate reporting is suffering from a security hallucination.

In artificial intelligence, hallucinations sometimes happen when a model, lacking real-time data or ground truth, fills the gaps with a highly confident, mathematically plausible guess. It looks entirely correct on the surface, but is completely disconnected from reality.

Corporate cybersecurity is tracking the same pattern.

What we discovered is that organisations need to get better at translating technical information into business risk. At creating a common executive language for describing resilience. And improving data-driven governance and prioritisation. In short, they need a continuous, consistent and comparable way to measure cyber resilience.

As regulatory and board scrutiny deepens, we wanted to understand where this doubt is coming from. Where are we seeing similar discrepancies and hallucinations? And what does this tell us about the current state of cybersecurity and resilience reporting?

 

Key Findings

  • 95% of companies state that cybersecurity is one of their top five priorities.
  • However, 74% of cybersecurity investment is driven merely by reactive compliance or regulatory requirements.
  • Only 28% of companies feel their resilience reporting across people, process and technology is totally complete.
  • Only 30% have actually conducted a formal cybersecurity vulnerability audit in the past 12 months.
  • And 27% are only reporting operational KPIs like patch rates or RAG statuses.

About The Author

Phil Muncaster is a technology writer and editor with 20+ years’ experience working on some of the UK’s biggest technology titles. He started out on IT Week as a reporter and held roles with Computing and VNUNet, working his way up to news editor. Turning freelance, Phil moved to Hong Kong in 2012 to cover the Asian tech scene for publishers including The Register, MIT Technology Review and IDG.

Now back in London, he spends his time writing for sites including InfoSecurity Magazine, Tech Monitor, TechFinitive, CIO and The Register. His corporate copywriting clients range from some of the UK’s most innovative young start-ups to $1 billion revenue MNCs, and everything in between.
