Internal chaos hinders cybersecurity response more than hackers

Cytactic has published its 2025 State of Cybersecurity Incident Response Management (CIRM) Report, highlighting significant ongoing challenges in incident response readiness among senior security leaders.

The research, carried out by TrendCandy through an online survey of 480 senior United States-based cybersecurity leaders, including 165 chief information security officers, illustrates persistent gaps in organisational response to cyber incidents, even among experienced firms that have made sizeable investments in security tools and talent.

Internal misalignment

Among the key findings, 70% of security leaders indicated that chaos induced by internal misalignment during cyber incidents was more severe than that caused by the threat actor itself. Respondents cited breakdowns in authority, poor coordination, and a lack of clear decision-making as contributing factors that led to paralysis at critical moments.

The report highlighted that 73% of respondents experienced tension between the chief information security officer and the chief executive officer during an incident, often compounding the complexity of response efforts. More than half stated that ownership of key decisions had shifted mid-incident, resulting in further delays, while 41% reported delays in critical actions due to a lack of clarity on who held final authority.

Preparedness and simulation

Another area of concern is readiness for previously unrehearsed scenarios. Fifty-seven percent of leaders admitted to having faced a major incident for which they had not practised a response. However, 80% reported that realistic incident simulations significantly improved organisational readiness, though only a quarter felt fully confident deploying crisis technology during an actual event - even though 94% aimed to move towards a more proactive approach to incident response.

Technology challenges

Disjointed or overly complex incident management tools posed additional barriers, with 67% of leaders saying these slowed their response. Interest in artificial intelligence-powered solutions is high, with 93% believing that AI-driven assistance could have prevented at least one major error during a previous incident. Almost all respondents (95%) reported plans to invest in AI-based simulation tools to bolster readiness.

Communication breakdowns

The survey revealed that 86% of security leaders encountered delays due to "translation time" - the lag between legal, communications, and technical teams as they interpreted information and coordinated action. Around a quarter of those surveyed noted that non-technical leaders struggled to interpret incident dashboards without additional support.

There was also evidence of a disconnect at board level. Eighty-three percent said company boards underestimated the speed and complexity required to respond to a cyber breach, and 78% reported that boards regularly requested updates without providing clear guidance on incident priorities.

Sector voices

"To move from this chaotic reality to strategic incident response management, organizations must embrace disruptive, AI-powered technologies to minimize damage when cyber incidents strike," said Nimrod Kozlovski, Founder and CEO of Cytactic. "The report makes it clear: preparing before and executing well at the time of an incident is critical to lessening the brand and financial damage of a cyber attack. With the vast majority of security leaders citing internal chaos due to lack of authority, clarity, and coordination under pressure, causing more chaos than the threat actor itself, the need for structured, well-orchestrated tools is undeniable."

"Today, the CISO's role becomes more critical than ever. We must anticipate evolving threats, foster resilience, and lead dynamic response strategies to stay ahead of attackers," said Tim Brown, CISO of SolarWinds and Board Advisor at Cytactic. "It is clear that organizations need technological tools to fill the critical gap in incident response management. Automation, predefined plans, and AI tools will reduce that dependency on human improvisation during incidents and will allow teams to focus on managing the incident rather than improvising. The key is using technology tools to practice, prepare, plan, and use these practices to manage both minor and major incidents."

Pathways for improvement

When security leaders were asked what single change they would make to enhance incident response management using a "magic wand," the most popular suggestions were real-time AI-generated decision guidance (65%), more frequent and realistic simulations (52%), faster alignment between legal and communications departments (47%), and seamless cross-functional coordination (46%).

The survey indicates that progress in breach readiness relies on a unified, orchestrated approach that brings together cross-functional stakeholders and decision-makers. Operational clarity, effective tools, and preparedness - supported by AI-powered assistance - were cited as essential components for addressing these challenges in the coming year.

The survey respondents came from organisations with staff sizes ranging from 100 to over 10,000 employees and represented sectors including manufacturing, healthcare, education, retail, software, hardware, financial services, business services, telecommunications, and consumer products.