PULSE SURVEY 10-MINUTE READ

Redefining Cyber Resilience

June 30, 2026

CEOs and CISOs are split on resilience. Closing that gap is how they survive disruption.

As cyber attacks become more frequent and harder to stop, cyber resilience should be central to every company’s strategy. But leaders are split on what resilience actually is and who owns it. To survive constant disruption, organizations must align: shifting from protection-only thinking to prioritizing how they recover.

Cyber disruption is no longer an exception; it’s an operational reality.

More vulnerabilities, added complexity and compressed attack timelines are making recovery more difficult.

87%

of organizations see cyber disruption as a recurring operating reality.

72%

say preventing all cyber disruption is no longer realistic given today’s complex technology ecosystem.

89%

year-over-year increase in AI-enabled cyberattacks in 2025.[1]

83%

first attempt success rate by frontier AI models at finding and exploiting vulnerabilities.[2] This was previously near zero.

With frontier AI models, the cost of discovering vulnerabilities has collapsed to near-zero, and the gap between discovery, weaponization and exploitation has narrowed from weeks to hours.

In today’s complex digital ecosystem, organizations will need to operate under continuous disruption.

Growing adoption of cloud, AI, platforms and partners creates deep dependencies that make disruption difficult to isolate.

69%

of organizations say their operations are increasingly dependent on complex internal and third-party digital ecosystems.

61%

report that their ability to sustain critical business operations is influenced by external dependencies.

29 mins

is the average breakout time for attackers to spread beyond the initial entry point.[3]

81%

of leaders say managing cyber disruption involves operating under degraded system conditions.

Most leaders say they understand resilience, but their assumptions tell a different story.

Many leaders base their understanding on protection, compliance and stable-system assumptions.

54%

of executives believe that strong protection controls are enough to ensure business continuity after an attack.

136%

CEOs are 136% more likely than CISOs to say regulatory compliance ensures cyber resilience.

Prevention-focused security doesn’t account for operational continuity, recovery speed, value prioritization or leadership responsibility: true measures of cyber resilience.

Across the organization, recovery expectations do not reflect shifting realities.

81%

of executives assume critical IT downtime will be 10 days or less in a serious incident. In reality, recovery averages three to six months.

64%

design, govern, and measure technology assuming systems are generally stable and fully available (despite 8 in 10 expecting degraded operations during disruption).

A false consensus: CEOs and CISOs have different ideas about resilience.

Research reveals gaps in how leaders view prevention and recovery, and the CISO's role.

Bar chart comparing CEO and CISO perspectives shows consistent gaps, with CISOs more likely than CEOs to recognize declining effectiveness of control-based security, highlighting a misalignment between CEOs and CISOs on cyber resilience priorities and responsibilities.

This is not a knowledge gap; it’s a structural misalignment, where leaders assume agreement but act on incompatible assumptions.

Meanwhile, ownership and accountability for cyber resilience are unclear.

Stacked bar chart shows cyber resilience responsibilities are largely owned or co-owned by CISOs, with CEOs holding a smaller share and significant joint ownership across roles. Overall, accountability is distributed across the C‑suite but unevenly concentrated with the CISO.

Fragmented accountability creates blind spots and stalls recovery. This can turn a contained incident into a prolonged, business-wide disruption. 

The difference between protection and resilience.

Protection lowers the probability of disruption. Cyber resilience is the ability to sustain and rapidly restore critical operations during disruption to protect business value.

Side‑by‑side chart shows a shift from control‑based security to resilience, moving from preventing attacks and compliance to assuming disruption and prioritizing continuity, recovery, and enterprise-wide responsibility.

Addressing six myths can clear the path to cyber resilience 

Organizations that can debunk these common arguments will be better equipped to steer their businesses through disruption.
01

Myth: "We’re compliant, so we’re protected."

Reality: Compliance proves you follow the rules. It doesn't ensure you can keep running when disruption hits.

87%

of organizations believe regulatory compliance ensures cyber resilience.

Only 35%

regularly test resilience through real recovery and continuity exercises—not just audits.

The Fix: Prove resilience through exercised recovery, not audits. 

02

Myth: "We’re protected, so we can recover."

Reality: Protection reduces the likelihood of failure. Resilience determines whether the business keeps running when the inevitable strikes.

87%

of organizations trust security controls to sustain critical operations during major cyber disruption.

Only 11%

strongly agree that predict‑and‑control security is becoming less effective in complex systems.

The Fix: Design for survival, assuming controls will fail. 

03

Myth: "Third parties are responsible for securing themselves."

Reality: Your partners may be contractually accountable, but contracts won’t mitigate shared operational outcomes.

61%

of organizations say their ability to sustain critical operations depends on external partners.

Only 38%

have a clear view of their value chain and its most critical dependencies.

The Fix: Extend resilience across your value chain, not just within your walls. 

04

Myth: "We have incident response, so we’re resilient."

Reality: Incident response runs cleanup on the disruption event itself. Resilience determines how the business runs and recovers during and after.

98%

of organizations believe rapid detection and containment signal operational resilience.

Only 40%

have predefined and tested recovery paths for critical systems.

The Fix: Engineer the ability to absorb shock, not just respond to it. 

05

Myth: "Cyber insurance will cover the impact."

Reality: Insurance may offset some financial loss, but it cannot restore operations, customer trust or market position.

60%

of organizations rely on cyber insurance as a substitute for cyber resilience rather than a financial backstop.

10X

is how much total disruption costs can exceed insurance payouts once downtime, lost revenue and reputational damage are accounted for.

The Fix: Build continuity rather than insure fragility. 

06

Myth: "Cyber resilience is the security team’s problem."

Reality: Cyber disruption impacts operating models, decision rights, incentives and third parties. Responsibility should be shared accordingly.

74%

of organizations report cyber resilience is primarily a security or IT responsibility.

Only 43%

fully govern cyber resilience as a business outcome shared across enterprise leadership.

The Fix: Make resilience a shared enterprise responsibility, not an IT silo.

How leaders can align to keep the business online during disruption

Cyber disruption can have far-reaching business impact—especially in today’s connected environments. That’s why it’s important for the CEO and CISO to be on the same page when it comes to resilience. Together, they can develop a clear plan to keep the business running when it happens.

This starts with a key decision: What is the smallest set of operations you must protect and recover first, so the business can keep running through disruption? From there, stabilize what the business can’t afford to lose, sustain core operations, and recover with confidence into a trusted environment.

5 priority actions

1. Identify the functions that matter most and map their dependencies across the value chain.

2. Predefine recovery decisions—sequencing, authority, triggers, and trade-offs—before disruption, not during it.

3. Build a recovery environment that can operate under hostile conditions, stocked with the artifacts essential to rebuilding.

4. Automate the reconstitution to further minimize impact, reducing recovery time from weeks to hours.

5. Test under real scenarios and reassess continuously as the business evolves.

The payoff: Organizations that choose cyber resilience pull ahead

Today’s cyber resilient leaders are not stopping at protection; they're building recovery into their strategies to sustain business value.

The result is much more than peace of mind. Organizations with mature resilience capabilities see improved financial and operational performance.

Optimized spend by balancing investments across protective and resilience controls. 

Right-sized cyber investments built on a clear view of what matters most. 

Lower compliance costs due to clearer ownership, better control mapping and less duplicated effort. 

Cyber resilient organizations survive to thrive in an ever-changing threat landscape.

 

Acknowledgements

Thank you to all who lent their expertise and insights to this research.

Authors: Harpreet Sidhu, Jason Lewkowicz, Charlie Hosner and Yusof Seedat.

Contributors: Vikram Desai, Rouzbeh Hashemi and Lachlan George.

Sources

1. CrowdStrike Global Threat Report, 2026

2. CyberGym Vulnerability Reproduction Benchmark

3. CrowdStrike Global Threat Report, 2026

 

About the research

Accenture conducted a global survey of 1,000 C-suite executives between February and March 2026. Respondents included 505 CEO or equivalent leaders and 495 CISO or equivalent leaders from across various industries.

Respondent roles:

  • Chief Executive Officer (CEO)
  • Country/Region/Dept. CEO
  • CEO or Dept/Agency Head
  • Chief Information Security Officer (CISO)
  • Director of Information Security

Countries:

  • Australia
  • Brazil
  • Canada
  • France
  • Germany
  • Italy
  • Japan
  • Kingdom of Saudi Arabia (KSA)
  • Singapore
  • Spain
  • United Arab Emirates (UAE)
  • United Kingdom
  • United States

Industries:

  • Aerospace and defense
  • Automotive
  • Banking
  • Capital markets
  • Chemicals
  • Communications and media
  • Consumer goods and services
  • Energy
  • Health
  • High tech
  • Industrial equipment
  • Insurance
  • Life sciences
  • Natural resources
  • Public service
  • Retail
  • Software and platforms
  • Travel
  • Utilities