Misalignment and Risk Tolerance Gaps Undermine Business Resilience, Kroll Study Finds


PR Newswire

Wed, March 18, 2026 at 4:00 AM EDT

Key Takeaways

  • Cyber risk is widely acknowledged, but alignment is lacking. While 94% of organizations view cybersecurity as a primary business risk, 72% report frequent misalignment between cybersecurity efforts and broader business priorities.

  • Budget decisions are increasingly centralized, despite a knowledge gap. Nearly half of businesses (48%) say the CEO now makes the final decision on cyber budgets, yet 43% report limited cyber literacy among executives.

  • 59% of organizations plan to increase investment in cloud and third-party security, yet there are no planned increases, and in some cases declines, in funding for the most frequent and fastest-growing areas of risk: people and identity.

/PRNewswire/ -- Kroll, the leading independent provider of global financial and risk advisory solutions, today released global cyber resilience research findings revealing a critical gap between organizations' perception of their cyber preparedness and their actual capability to defend against, and recover from, sophisticated attacks. This gap is driven by misalignment between the C-suite and cyber decision-makers. The disconnect is costly: organizations face an average of $2.2 million per year in recovery costs and downtime from cyber incidents.


The Misalignment Problem: Strategy vs. Execution

Investment in cybersecurity is rising across the board: the majority (80%) of organizations have increased budgets in 2026. However, the bulk of that investment is not being directed at the technology that protects against the most common attack vectors, which target people, credentials and internal processes.

  • 59% of organizations are increasing spending on cloud and third-party security. Yet identity-based tactics such as phishing (39%) and business email compromise (28%) are the attacks businesses experience most often.

  • Crucial proactive security measures appear to be falling in priority, with organizations cutting, or declining to increase, budgets for red and purple teaming (55%) and for identity and access management (IAM) controls and zero-trust architecture (52%).

  • Nearly half (48%) of businesses say the CEO now makes the final decision on cyber budgets. However, limited cyber literacy among executives (43%) is reported as a barrier to aligning business strategy with cyber priorities.

Overestimation of Resilience

While most organizations believe they are prepared for cyber threats, their actions tell a different story:

  • While 99% of organizations have an incident response plan, 3% update them only after a cyber incident. Plans become static documents rather than living tools refined by experience.

  • Only 10% of organizations have achieved "very high" cyber maturity. However, those with higher maturity experience 50% less financial impact per dollar of revenue when cyber incidents occur.

  • 36% of organizations acknowledge gaps in how threats are prioritized, with differing risk tolerance (51%) cited as the leading cause.

  • 72% of organizations believe they can respond to an incident within 1-24 hours. Independent research from CrowdStrike shows that attackers establish a foothold in just 29 minutes. By the time most organizations mobilize a response, attackers have already moved laterally through the network.
