Understanding the current state of cyber resilience is essential for guiding decision-makers and enabling organisations to improve resilience. The sophistication of cyber-attacks is increasing, driven by advanced technologies such as Artificial intelligence, increasing cyber warfare activity, and the world's growing connectivity. In 2024, legislation such as the Digital Operations Resilience Act (DORA) and the European Cyber Resilience Act were enacted to codify and enforce the embedding of cyber resilience into the fabric of organisational operations.

It is imperative to understand cyber resilience, how your organisation can measure it, and how to address the most common pitfalls. This research answers two questions.

This research surveyed 46 global partners of organisational leaders, ranging from management to C-Suite, to explore their organisations’ cyber resilience postures assessing organisational readiness across three phases of resilience—resistance, response, and recovery—while acknowledging that attempted cyber breaches are nearly inevitable and represent a constant risk to organisational security.

Four key impediments have been identified: limited reporting practices, challenges in building a resilient organisational culture, insufficient collaboration, and a lack of planning for compromise.

This research surveyed 46 global partners of organisational leaders, ranging from management to C-Suite, to explore their organisations’ cyber resilience postures.

The National Institute of Standards and technology defines cyber resilience as “The ability of systems, networks, and organisations to anticipate, withstand, recover from, and adapt to adverse cyber events”. In 2024, cyber resilience is crucial for a number of reasons.

In 2021 a Grant Thornton report into the economic cost of cybercrime stated “It is not a question of ‘if; but a question of ‘when’ an organisation will be a victim of a cyber attack”.

Cyber threats continue to evolve rapidly, with attackers employing more sophisticated techniques. Cyber resilience helps organisations adapt to these changes and stay ahead of potential threats​​.

As the world continues to rely on technology and the tools adapt and improve, CrowdStrike have stated in their 2024 Global Threat Report “Organisations cannot afford to fall behind, and the legacy technology of yesterday is no match for the speed and sophistication of the modern adversary”.

Ensuring that business operations can continue despite cyber incidents is vital. Cyber resilience focuses on maintaining functionality and minimising downtime, which is essential for sustaining business operations​​​. The ability to quickly respond to and recover from cyber incidents is a core aspect of cyber resilience. This ensures that businesses can restore systems and data to normal operations swiftly, minimising the impact of attacks​​​.

Comprehensive Security Strategy and Strategic Importance

Cyber resilience is a key component of a comprehensive cybersecurity strategy. It helps mitigate the impact of cyber attacks, protect sensitive information, and maintain trust with stakeholders​​.

Strategic Importance: In sectors like higher education, healthcare or critical services, cyber resilience is fundamental for future-proofing against cyber threats. It involves implementing strategies that are backed by Chief Information Security Officers (CISOs) to strengthen overall security posture​​.

Increasingly industries are subject to stringent regulations that mandate robust cybersecurity and cyber resiliency measures. Cyber resilience helps organizations comply with these regulations by ensuring they have the necessary processes in place to protect data and systems. Failure to comply can result in significant fines and legal repercussions.

By integrating cyber resilience into their operations, organisations not only protect themselves against cyber threats but also ensure compliance with legal and regulatory standards, thereby avoiding potential penalties and maintaining trust with customers and stakeholders.

According to IBMs 2024 The Cost of a Data Breach report the average cost of a data breach globally is 4.88 million dollars. The United States experiences the highest costs on average of 9.36 million dollars whereas large European countries such as Germany, France and the UK experience average costs between four and six million dollars.

Additionally costs stretch beyond dollar values into time spent on recovery and reputational damage. For example more than three quarters of respondents in the IBM study reported that it took more than 100 days to fully recover from the effects of a data breach.

Conclusions on the importance of cyber resilience in 2024

The partner group for this research exhibits several limitations and potential biases that may influence the findings.

41.3% of respondents represent organisations with fewer than 50 employees. While this provides valuable insights into small organisations' challenges, it underrepresents mid-sized organisations, particularly those with 201-500 employees (8.7%) and 501-1000 employees (2.17%). Furthermore, the significant representation of organisations with over 1,000 employees (26.09%) creates a bimodal distribution, potentially overshadowing the unique perspectives of medium-sized organisations.

50% of respondents are from Europe. Other regions, such as the USA (9.375%) and globally distributed organisations (9.375%), are underrepresented. Moreover, some areas, such as Asia, Africa, and South America, are minimally represented, limiting the global applicability of the findings. Additionally, the diversity of multi-regional organisations introduces complexity, making it difficult to isolate regional-specific challenges.

The technology sector dominates the dataset, accounting for 27 out of 42 respondents. While this provides robust insights into this industry, it creates a bias toward technology-centric perspectives on cyber resilience. Other critical industries, such as financial services, education, and government, are underrepresented, each comprising only a few respondents. This imbalance limits the generalizability of the findings to sectors with distinct cyber resilience challenges and practices.

The reliance on a survey over structured interviews introduces additional limitations. For instance, many respondents categorised their industry as "technology," which may reflect an oversimplification of their organisational context. Structured interviews could have allowed for deeper exploration and clarification of industry categorisation, leading to richer and more nuanced data. Additionally, surveys lack the flexibility to probe underlying reasons or complexities behind respondents' answers, further limiting the depth of insights compared to interviews.

Small organisations (< 50 employees) show significant variability in resilience capabilities. Ratings for sensing, resisting, and reacting to cyber threats range widely, with some organisations scoring near zero while others achieve perfect scores. This disparity highlights uneven levels of cybersecurity maturity among smaller organisations. While many small organisations describe themselves as "cybersecurity first," their resilience capabilities often do not align with this self-assessment. There is also variability in awareness of key frameworks such as the EU Cyber Resilience Act, with less frequent recognition of other frameworks like the Cyber Assessment Framework and the World Economic Forum Cyber Resilience Index.

Medium-sized organisations (51–200 employees & 201–500 employees) generally report more consistent resilience ratings than smaller organisations. These organisations demonstrate balanced capabilities in sensing, resisting, and reacting to threats. A primary focus of medium-sized organisations is integrated cyber security, and they frequently report having dedicated cybersecurity expertise. This group is more aware of frameworks such as the Cyber Assessment Framework and the EU Cyber Resilience Act, suggesting better alignment with industry standards.

Large organisations (501–1000 employees & > 1000 employees) consistently report high resilience ratings, particularly in sensing, resisting, and reacting to cyber threats. Many large organisations report near-perfect scores, reflecting confidence in their robust cybersecurity measures and resources. These organisations often have a global presence, which aligns with their adoption of multiple international frameworks, such as the Cyber Resilience Act and the Cyber Incident Reporting for Critical Infrastructure Act. Large organisations are also more likely to identify as "cybersecurity first" and possess specialised in-house expertise, showcasing significant investment in cybersecurity infrastructure.

Small organisations exhibit the widest variability in resilience scores, indicating uneven cybersecurity maturity levels. Large organisations consistently report higher scores, suggesting a strong correlation between size and advanced cybersecurity practices. Framework Awareness: Awareness of cybersecurity frameworks increases with organisational size. Large organisations are more likely to recognise and implement multiple frameworks, while smaller organisations show gaps. Cybersecurity Expertise: Larger organisations almost universally report having in-house cybersecurity expertise, whereas smaller ones often lack this resource, highlighting a significant disparity. Cybersecurity Focus: Many small organisations identify as "cybersecurity first," yet their reported resilience scores and framework awareness often lag behind those of their larger counterparts, indicating potential overconfidence in their cybersecurity posture.

The correlation between framework awareness and cybersecurity expertise is evident and significant, as larger organisations tend to exhibit higher levels of both. Organisations with dedicated cybersecurity expertise are more likely to be aware of and adopt relevant frameworks, as these professionals bring specialised knowledge that aligns organisational practices with industry standards. This synergy enhances cyber resilience, as frameworks provide structured approaches to managing risks while expertise ensures effective implementation. The alignment of these factors underscores the importance of investing in cybersecurity talent to facilitate comprehensive framework adoption and, consequently, robust organisational defences.

Europe Europe accounts for most respondents, reflecting strong representation in the dataset. European organisations report moderate to high resilience scores, focusing on sensing and resisting cyber threats. However, smaller European organisations exhibit more variability in their ability to react to cyber threats, indicating potential gaps in recovery capabilities. European organisations' awareness of the EU Cyber Resilience Act is exceptionally high, aligning with its regional relevance. Other frameworks, such as the Cyber Assessment Framework and the World Economic Forum Cyber Resilience Index, are also frequently recognised.

Organisations in the USA report consistent resilience scores across sensing, resisting, and reacting to threats, reflecting a balanced approach to cybersecurity preparedness. Awareness of frameworks like the Cyber Assessment Framework is notable, though recognition of the EU Cyber Resilience Act is less common than in European organisations. Many US-based organisations report having dedicated cybersecurity expertise, emphasising internal capacity-building efforts.

Canadian organisations generally report lower resilience scores than those in the USA and Europe, particularly in their ability to react to cyber threats. Awareness of cybersecurity frameworks is less prominent, suggesting potential gaps in aligning with global best practices.

Organisations based in China and India report mid-range resilience scores, with stronger performance in sensing and resisting threats than reacting to them. Awareness of frameworks like the EU Cyber Resilience Act and the Cyber Incident Reporting for Critical Infrastructure Act is limited, reflecting a regional focus and potential misalignment with global standards. However, note that these regions will have their variants of legislation that they must adhere to and are not obligated to adhere to EU or US standards. Additionally, only Western frameworks were addressed in the survey, resulting in a Western-centric response that under-represents the Eastern legislature. Other Regions The dataset underrepresents organisations categorised as "Other" or located in regions like the Middle East and Australia, limiting comprehensive insights into these areas. These organisations report the lowest resilience scores across sensing, resisting, and reacting, indicating potential resource gaps or a lack of strategic focus on cybersecurity.

Europe and the USA lead in resilience scores, likely due to stronger regulatory environments and higher adoption of cybersecurity frameworks. Regions such as Canada and other underrepresented areas report lower resilience capabilities, especially in reacting to threats. Framework Awareness: Framework awareness is highly regional. European organisations strongly align with the EU Cyber Resilience Act, while other regions show lower awareness of global standards. Cybersecurity Expertise: Dedicated cybersecurity expertise correlates with higher reported resilience scores, particularly in the USA and Europe, highlighting the importance of investing in internal capabilities to enhance cybersecurity preparedness.

This analysis outlines significant trends in advanced cybersecurity practices among leading organisations in developed regions, especially Europe and the USA. These organisations are committed to implementing comprehensive strategies and frameworks that enhance cyber resilience. Key practices identified include benchmarking activities, third-party assessments, governance structures, actionable roadmaps, collaboration, and the integration of metrics and reporting.

Benchmarking Activities - The analysis highlights critical trends in advanced cybersecurity practices exhibited by leading organisations in developed regions, mainly Europe and the USA. These organisations are committed to implementing comprehensive strategies and frameworks that significantly enhance their cyber resilience. The key practices identified include benchmarking activities, third-party assessments, governance structures, actionable roadmaps, collaboration, and integration of metrics and reporting.

Third-Party Assessments - Organisations in Europe and the USA frequently use third-party assessments to assess their compliance with established security frameworks and standards. These assessments objectively evaluate their cybersecurity posture, highlighting potential blind spots that internal evaluations might miss. However, such evaluations are less common in regions like China, India, and other underrepresented areas, possibly due to resource limitations or differing regulatory environments.

Governance Structures - Larger organisations typically establish formal governance structures focused on cyber resilience. These frameworks include accountable officers, regular reporting mechanisms to leadership, and integrating cybersecurity strategies into overall business objectives. In contrast, smaller organisations and those in less developed regions may lack these structured approaches, resulting in fragmented or reactive strategies for addressing cybersecurity threats.

Actionable Roadmaps - Organisations in developed regions are more likely to create clear and actionable roadmaps based on established security frameworks. These roadmaps guide the development of cyber resilience strategies and ensure compliance with regulatory requirements and industry standards. They also facilitate ongoing improvements, allowing organisations to adapt effectively to evolving threats and technological changes.

Collaboration and Information Sharing - Collaboration and information-sharing agreements are common among leading organisations in Europe and the USA. These practices enhance overall cyber resilience by enabling the sharing of threat intelligence, mitigation strategies, and recovery plans. However, smaller organisations and those in regions with fewer resources often lack these collaborative frameworks, limiting their ability to respond to large-scale or coordinated cyber threats.

Integration of Metrics and Reporting - Advanced organisations systematically track metrics to measure their cyber resilience culture, performance, and response to disruptions. These metrics, such as quarterly updates, are included in regular reports, which inform leadership decisions and guide strategic adjustments. In smaller organisations and less developed regions, such comprehensive reporting practices are rare, creating gaps in visibility and accountability.

Adopting these advanced practices creates a positive feedback loop for larger organisations and those in developed regions, significantly enhancing their cybersecurity posture. Conversely, the lack of such practices in smaller organisations and less developed areas introduces vulnerabilities that could have ripple effects within interconnected ecosystems. Addressing these disparities through education, resource allocation, and collaboration is crucial for achieving global cyber resilience.

The principle of cultivating a culture of resilience reveals an emphasis on leadership and training initiatives. Metrics tracking for resilience culture, with a median of 48.5, shows a foundational but underdeveloped area. Leadership's role in demonstrating cyber resilience and integrating this behaviour into the organisational ethos scores higher (Median: 62.5). Cyber-resilience training availability further strengthens these initiatives (Median: 63.5). At the same time, leadership-driven performance goals related to cyber resilience represent the most mature area in this principle, with a median score of 74. These trends suggest a growing prioritisation of leadership and employee-driven resilience practices.

This principle focuses on integrating resilience into organisational design through proactive measures. Tracking irregular inputs and disruptive events scores a median of 64, indicating the need for further development in this area. Cross-organisational resilience drills and reviews of people, processes, and technology score moderately high medians (66 and 73, respectively), reflecting progress in these practices. Actionable roadmaps derived from frameworks score a median of 74, representing the most mature aspect of design-focused resilience. These results emphasise coordination and planning for cyber resilience but underscore gaps in proactive disruption tracking.

Governance practices within this principle are characterised by high median scores, showcasing mature implementation. Assigning accountable 42 officers for resilience governance scores a median of 77.5 while establishing accountable groups achieves an even higher median of 86. These findings em- phasise the critical role of governance structures in attaining organisational resilience, with leadership and accountability mechanisms driving effective strategies. Five out of seven statements on the principle Incorporate Cyber Resilience Governance into Business Strategy outscore the overall self- evaluation average statement score of 66.28, as shown, and highlighting maturity across the principle.

The principle "Incorporate Cyber Resilience Governance into Business Strategy" demonstrates notable strengths, with the highest scoring statement, "A group is accountable for cyber-resilience oversight" (Median: 86), indicating that many organisations have established dedicated oversight groups to manage and enable cyber resilience efforts. However, the lowest scoring statement, "The accountable officer is empowered" (Median: 59), suggests a significant disconnect between accountability and authority. This disparity implies that oversight groups may lack the necessary support, decision-making authority, or resources to act effectively while oversight groups are in place. Such limitations could severely hinder the group's ability to implement or enforce resilience strategies, reducing their overall impact. Addressing this gap by empowering accountable officers with apparent authority and resources is critical to ensuring that governance structures function as intended and drive meaningful improvements in cyber resilience.

Collaboration practices within this principle demonstrate varied maturity levels. Defining collaboration governance and cadence scores a low median of 50.5, highlighting a need for more formalised structures. However, accountability for information sharing and establishing information-sharing agreements score higher medians (63 and 72, respectively), indicating progress in fostering ecosystem-wide collaboration. These findings suggest that while collaboration mechanisms are developing, more comprehensive governance and systematic efforts are required.

Cyber risk assessment practices show notable strengths and areas for improvement. Annual risk assessments achieve a median of 71, reflecting moderate maturity, while reporting mechanisms for these assessments score a higher median of 83, indicating a strong emphasis on structured reporting. These trends highlight the importance of consistent assessments and robust reporting mechanisms in managing cyber risks effectively. The statement “External Reporting on the state of cyber resilience” represents the weakest score of the statements relating to Regularly Assess and Prioritise Cyber Risk as shown. Furthermore, the statement “External Reporting on the state of cyber resilience” is one of the weakest scoring statements throughout the data. The statement scores below the average of the statement (66.28) by approximately 13 points, highlighting a significant weakness point and an area for improvement.

Security fundamentals are more developed in areas such as architecture configurations designed for minimal exposure (Median: 80) and performance reporting against criteria (Median: 70). However, tracking economic and performance progress scores lower, with a median of 61.5, suggesting a need for enhanced ongoing monitoring. These findings highlight strengths in specific security practices and gaps in continuous improvement processes, as highlighted, specifically tracking and reporting against key performance indica- tors, with the statement “Quarterly reports on key performance indicators” scoring approximately 13 points below the statement average.

Statements fall into four categories: very low (45-56), low (56-67), medium (67-75), and high (75-86) around the median statement score of 66.28. The “Very Low” and “Low” categories, with average scores ranging from 48.5 to 66.27, highlight collective trends across organisations where significant gaps remain in critical aspects of cyber resilience. These scores reflect areas for improvement in embedding a robust culture of resilience, enhancing collaboration and reporting frameworks, and adopting resilient paradigms such as the principle of “assume compromise.” Statements like “Metrics are tracked for the culture of resilience” (48.5) and “Cyber-resilience behaviour is defined and reinforced” (50.0) underscore the lack of a deeply ingrained culture that drives proactive resilience behaviours. Similarly, “Collaboration governance and cadence are defined” (50.5) and “External reporting on the state of cyber resilience” (53.0) high- light foundational yet insufficient approaches to fostering collaborative prac- tices and transparent reporting. In the “Low” category, statements such as 49 “The accountable officer is empowered” (59.0) and “Economic and perfor- mance progress are tracked” (61.5) suggest the presence of some governance and tracking mechanisms. Still, they fall short of operationalising resilient paradigms like “assume compromise,” which requires a shift toward proac- tive threat management and systemic preparedness. These areas collectively represent significant opportunities for organisations to strengthen their cyber resilience strategies. These trends suggest that organisations collectively struggle to prioritise and operationalise key areas of cyber resilience. Very low and low categories fall below the average self-evaluation index score of 66.28, whereas medium and high categories score higher than this value. The “High” scores reflect collective strengths across all surveyed organisations, demonstrating areas where mature and well-integrated cyber resilience practices are prevalent. Statements such as “A group receives regular briefs on cyber resilience” (75) and “Cohesive cyber-resilience strategy” (75) high- light strong trends toward structured governance and the implementation of comprehensive frameworks for managing resilience. Similarly, high scores for “The role of the accountable officer is formally defined” (77.5) and “Assets and operations are classified” (78) indicate that many organisations have established clear accountability and systematic ap- proaches to classifying and managing their assets. Trends like “The or- ganisation maintains a register” (80) and “Architecture configurations de- signed around least exposure” (80) suggest widespread adoption of advanced paradigms such as minimising exposure and improving visibility into criti- cal resources. These scores illustrate that, across organisations, these high- performing areas serve as benchmarks of resilience, driven by strong leader- ship, governance structures, and operational rigor, providing a solid founda- tion for responding to emerging cyber threats. The contrast between the high score, “A group is accountable for cyber- resilience oversight,” and the low score, “The accountable officer is empow- ered,” highlights a potential disconnect in organisational practices. Such trends between high and low scores can reveal critical problem areas, suggest- ing that while oversight structures may exist, the individuals responsible may lack the necessary authority or resources to drive effective cyber-resilience ini- tiatives. Identifying these gaps is essential for addressing systemic issues and fostering a more robust culture of cyber resilience.

The "Cultivate a Culture of Resilience" principle demonstrates significant gaps in fostering proactive resilience practices within organisations. With a median score of 48.5 for tracking metrics related to resilience culture, this area remains underdeveloped, indicating challenges in quantifying and embedding resilience behaviours across organisations. While leadership-driven initiatives such as demonstrating a resilience culture (Median: 62.5) and providing training (Median: 63.5) show moderate progress, they remain insufficiently integrated. The highest-scoring element in this principle, leadership performance goals related to cyber resilience (Median: 74), highlights the potential of leadership-driven efforts to bridge these gaps. However, this principle's low median score underlines the need for more structured cultural initiatives, particularly in metrics and employee engagement.

The principle of "Incorporate Cyber Resilience Governance into Business Strategy" emerges as the most developed area, with a median of 81.75. Organisations exhibit a strong commitment to embedding governance structures within their resilience strategies. Assigning accountable officers for resilience governance achieves a median of 77.5 while establishing oversight groups for cyber resilience scores an impressive median of 86. These findings underscore the pivotal role of leadership accountability and governance structures in driving comprehensive resilience efforts. This principle's high scores reflect its critical function as a foundation for other resilience practices, demonstrating the value of aligning resilience governance with broader organisational objectives. The success of this principle serves as a benchmark for different areas to emulate, particularly in fostering accountability and strategic integration.

Enhancing metrics and collaboration mechanisms is crucial to improving ecosystem-wide collaboration while refining metrics for resilience culture and disruptive event tracking. These practices lay the groundwork for broader strategic goals and enhanced partnerships. Designing for security should be prioritised by embedding security principles into organisational structures and processes. Conducting resilience drills, integrating disruptive event planning, and deriving actionable roadmaps from frameworks will ensure secure and adaptive systems. Lastly, cultivating a culture of resilience requires leadership-driven initiatives to embed resilience into organisational practices. Clear performance goals for leadership, engaging training programs, and effective communication of resilience objectives can strengthen these cultural foundations.

Analysis of cyber resilience trends by organisational position reveals distinct patterns in resilience awareness, implementation, and challenges. These trends provide insights into how different roles perceive and influence their organisation's cyber resilience posture. C-Suite members consistently demonstrate a strong focus on cybersecurity leadership, with reported resilience ratings often exceeding 90 in sensing, resisting, and reacting to cyber threats. These executives also report high levels of awareness regarding governance structures and frameworks, including the Cyber Assessment Framework and the EU Cyber Resilience Act. However, despite their strategic focus, some responses highlight a gap in the practical implementation of comprehensive training and resilience strategy execution, which could hinder the full realisation of their strategic objectives. Directors and senior directors often represent various industries, from technology to professional services, and report resilience scores in the mid-range (65-85). They emphasise the importance of collaboration mechanisms but rate the maturity of their implementation as needing improvement, with median scores hovering around 70. Many respondents from this group highlight the need for better measurement of effectiveness and embedding resilience practices into organisational goals, reflecting a strategic but sometimes underdeveloped approach to cyber resilience. Managers and senior managers rate their organisations lower than directors and C-Suite members in key resilience areas, particularly in sensing threats (50-65) and training metrics (50-60). Feedback from this group frequently points to operational challenges, such as limited integration of cyber resilience into daily workflows and a reactive approach to cybersecurity. These challenges suggest that mid-level managers may lack the resources or authority to implement resilience measures effectively. Respondents in technical roles, such as engineers, report specific operational gaps, including insufficient integration of security practices during the development phase and limited cross-functional collaboration. These issues highlight a disconnect between the strategic vision articulated by leadership and the practical implementation at the technical level. Engineers often emphasise the need for improved collaboration mechanisms and earlier integration of security measures into organisational processes to prevent vulnerabilities. The data underscores a need to align leadership's strategic vision with the operational realities managers and engineers face. While C-Suite members and directors demonstrate strong strategic awareness, gaps in implementation at the operational level could weaken overall cyber resilience. Tailored training programs and enhanced communication across roles are critical to bridging these gaps and ensuring cohesive organisational resilience.

This section analyses changes in organisational cyber resilience scores across three key stages: pre-evaluation, self-evaluation, and reflection, as well as three organisational dimensions: position, location, and size.

Analysing cyber resilience scores by organisational position reveals notable variations between groups. C-suite members consistently rate their organisations highest across all three stages, indicating strong confidence in their cyber resilience capabilities. This trend aligns with their strategic oversight and emphasis on governance. However, managers and senior managers report lower scores in all stages, suggesting gaps in operational execution or resource allocation at lower levels of the hierarchy. Interestingly, the Median Self-Evaluation scores show less disparity across positions, indicating a convergence in perceived capabilities during self-assessment exercises. Notably, the Reflection scores reveal an upward shift across all positions, with directors and senior directors reporting the most significant improvements. Engaging in resilience evaluation fosters a greater understanding and appreciation of organisational strengths and weaknesses.

Resilience scores analysed by location demonstrate regional differences in organisational perceptions. European organisations consistently report higher Pre-Evaluation and Reflection scores than those in the USA and India, which could reflect stronger regulatory frameworks and established cyber resilience practices in European markets. Organisations with a global presence exhibit the most significant improvement between the Pre-Evaluation and Reflection stages. Highlighting the potential impact of diverse operational environments and the benefits of cross-regional benchmarking during the evaluation process. However, organisations based solely in India report the lowest scores across all stages, suggesting potential resource or awareness challenges that warrant targeted interventions.

Large enterprises (over 1,000 employees) demonstrate the highest scores across all three stages when categorised by organisational size. Their established infrastructures and access to extensive resources likely contribute to this trend. In contrast, small organisations (fewer than 50 employees) report the lowest scores, particularly during the Pre-Evaluation stage, highlighting resource constraints and potential gaps in cyber resilience frameworks. Mid-sized organisations (51-500 employees) show the most significant score improvements between the Pre-Evaluation and Reflection stages. This suggests that self-assessment exercises provide valuable insights, enabling these organisations to identify and address vulnerabilities better. The convergence of Median Self-Evaluation scores across all size categories indicates a relatively uniform understanding of resilience levels during the assessment phase.

The analysis highlights clear trends in cyber resilience perceptions based on position, location, and organisational size. Higher positions in the organisational hierarchy and larger organisational sizes correlate with higher resilience scores, while regional factors influence perceptions of cyber resilience capabilities. These findings underscore the importance of tailored strategies to address specific gaps, particularly for lower-level management, smaller organisations, and under-resourced regions. Engaging in structured self-evaluations proves beneficial across all dimensions, driving improved awareness and actionable insights into organisational resilience practices.

This section explores how cyber resilience scores differ across the Pre-Evaluation, Median Self-Evaluation, and Reflection stages. The analysis focuses on three key dimensions: position, location, and organisation size.

Scores analysed by position reveal notable variability across the stages. C-Suite members and VP-level roles consistently report higher scores, reflecting their strategic oversight and alignment with cyber resilience objectives. In contrast, Managers and Senior Managers display marked improvements from Pre-Evaluation to Reflection, indicating that self-assessment exercises enhance their understanding of organisational resilience. Security Architects and ICs (Individual Contributors) report more moderate scores with minor differences between stages, suggesting a grounded understanding of operational resilience. The variance across roles highlights the impact of organisational hierarchy on cyber resilience perceptions. Senior leadership roles exhibit confidence in established frameworks, while operational roles highlight practical challenges.

Regional trends reveal significant differences in scores influenced by external regulatory and operational environments. European organisations consistently report the highest Reflection scores, underpinned by strong regulatory frameworks and mature resilience practices. In contrast, USA-based organisations display notable improvements between Pre-Evaluation and Reflection, showcasing the effectiveness of self-assessment in identifying growth areas. Organisations based in India report the lowest scores across all stages, suggesting challenges related to resources and infrastructure. European organisations exhibit the most consistent and accurate scores, reflecting advanced resilience maturity and regulatory alignment.

Scores analysed by organisation size demonstrate the role of resources and structural capabilities in resilience. Large organisations (over 1,000 employees) consistently report the highest scores across all stages, showcasing their established infrastructures and robust frameworks. Small organisations (fewer than 50 employees) report the lowest Pre-Evaluation scores, with significant improvements in the Reflection stage. The data here indicates that smaller organisations benefit substantially from structured evaluations. Mid-sized organisations (51-500 employees) exhibit the most considerable variability, highlighting challenges in scaling resilience practices during growth. Large organisations demonstrate the most consistent accuracy, driven by their capacity to implement and maintain comprehensive resilience frameworks.

Among the three dimensions, location emerges as the most accurate. European organisations consistently report high and stable scores across all stages, reflecting their advanced maturity and alignment with regulatory requirements. This consistency provides a benchmark for other regions to emulate. This analysis underscores the importance of considering hierarchical roles, regional contexts, and organisational scale when assessing cyber resilience practices. Tailored interventions for specific positions, regions, and sizes can drive more comprehensive and accurate resilience improvements.

This section explores perceptions of cyber resilience across key dimensions based on the responses to selected questions. The analysis focuses on the extent to which participants believe in the criticality of cyber resilience, both within their organisations and in general, and how self-reflection activities influence their understanding.

Responses to the question, "Has completing the previous sections on a Cyber Resilient organisation affected your answer?" reveal mixed sentiments. While 48.28% of respondents agreed that self-reflection had an impact, 17.24% disagreed. The variation in responses suggests that structured evaluations enhance understanding for some participants but not universally, highlighting the need for tailored approaches to ensure the reflection process resonates across diverse roles and organisational contexts.

Examining the Pre-Evaluation, Median Self-Evaluation, and Reflection scores offers additional insights into how self-reflection influences participants' understanding of their organisation's cyber resilience.

Pre-Evaluation Scores: These initial scores tend to be more varied, often reflecting participants' assumptions or incomplete knowledge about their organisation's resilience posture. Differences in scores across roles and organisational levels suggest that initial perceptions are influenced by participants' proximity to strategic or operational processes.

Median Self-Evaluation Scores: These scores converge toward more balanced assessments, indicating that structured evaluations and self-reflection activities help participants align their perceptions with their organisation's actual practices and capabilities. Median scores demonstrate a more grounded and consistent view, often serving as a benchmark for comparison.

Reflection Scores: Reflection scores often increase following self-evaluation, particularly among roles that initially reported lower Pre-Evaluation scores. This trend highlights the evaluation process's impact on enhancing awareness and fostering a deeper understanding of organisational resilience. However, some roles exhibit minimal change between Median and Reflection scores, suggesting that their initial self-assessments were already well-informed.

These patterns reveal the critical role of structured evaluation frameworks in shaping perceptions. Participants with lower initial scores benefit significantly from self-reflection, as evidenced by the upward trend in Reflection scores. Conversely, participants with stable scores across stages may already clearly understand their organisation's resilience practices.

When asked if they considered cyber resilience critical to their organisations, 65.52% of respondents rated it as "A great deal," while 24.14% selected "A lot." Only 10.34% of participants indicated "A moderate amount," with no disagreement recorded. This strong alignment demonstrates a widespread acknowledgement of the importance of cyber resilience within organisational structures, likely reflecting its integral role in mitigating risks and ensuring operational continuity.

Responses to whether cyber resilience is critical to the companies as a whole exhibited even stronger alignment. 82.76% of participants rated it as "A great deal," with 6.90% selecting "A lot" and 10.34% choosing "A moderate amount." The absence of disagreement underscores the perception that cyber resilience is universally recognised as a strategic imperative at the organisational level, transcending individual roles or departments.

Across the three questions, the perception of cyber resilience's criticality increases when considering the organisation as a whole rather than individual roles or responsibilities. The discrepancy between the impact of self-reflection and the high agreement levels on criticality suggests that while cyber resilience is vital, the mechanisms to foster deeper personal engagement and reflection may require refinement. This analysis underscores the critical role of structured evaluations and organisational alignment in shaping perceptions of cyber resilience. While the data reflects a high level of agreement on its importance, the varying impact of self-reflection suggests opportunities to enhance engagement strategies and contextual relevance across roles and organisations.

This section explores insights gathered from the question, "In what one area do you think your organisation could improve its Cyber Resilience posture?" highlighting the areas where organisations can enhance cyber resilience. The responses reveal several recurring themes. Training and education emerge as a fundamental area for improvement, with calls for better employee awareness and leadership preparedness. Many respondents stress the importance of conducting regular drills, such as recovery playbooks and attack simulations (e.g., Blue/Red team exercises), to ensure readiness. However, these activities can get deprioritised due to cost and competing priorities. Improved measurement and visibility are also highlighted, with suggestions to define clear metrics, roles, and organisational goals to assess the effectiveness of security actions. Concerns are raised about the lack of integration between security and engineering teams, resulting in a reactive rather than proactive approach to security. Additionally, there is strong support for embedding security earlier in the development process ("shifting left") and allocating more resources to address threats effectively. These insights underscore the need for a cohesive, proactive, and well-supported approach to improving cyber resilience.

The analysis of cyber resilience practices highlights critical areas for improvement across organisations of varying sizes, industries, and regions. While there is a strong consensus on the importance of cyber resilience, the find- ings reveal gaps in training, proactive security integration, and resource al- location. Key themes include the need for regular drills, enhanced training and education, better measurement of effectiveness, and embedding secu- rity earlier in development processes. Additionally, fostering collaboration, improving governance structures, and aligning resilience strategies with organisational goals are essential steps toward a more robust cyber resilience posture. Addressing these challenges requires a cohesive, proactive approach that integrates leadership-driven initiatives, operational alignment, and re- source investments to ensure organisations can effectively anticipate, resist, and recover from cyber threats. The analysis of responses reveals several critical areas where organisations can enhance their cyber resilience posture. Among these, three key themes emerge as priorities: Cultivating a culture of cyber resilience, Communication & Reporting, and Embracing cyber resilient paradigms. Cultivating a culture of cyber resilience emphasises the importance of leadership-driven initiatives, employee training, and embedding resilience practices into organisational workflows. Communication and reporting focus on improving visibility through clear metrics, regular updates, and effective team collaboration to align efforts with organisational goals. Lastly, embracing cyber resilient paradigms highlights the need for proactive strategies, such as inte- grating security earlier in development processes (“shifting left”), conducting regular drills, and adopting frameworks to guide resilience efforts. These ar- eas underscore the importance of a cohesive, proactive, and well-supported approach to cyber resilience, ensuring organisations are better equipped to anticipate, resist, and recover from cyber threats. With the data gathered from this research, we propose a Cyber Resilient 67 Top 3, a focused framework highlighting the most critical challenges and actionable solutions to strengthen organisational cybersecurity resilience.

This research highlights the increasing importance of cyber resilience as organisations face evolving and complex cyber threats. Examining global trends identifies significant gaps in resilience practices, particularly in fos- tering a proactive culture and improving cross-organisational collaboration. While larger organisations demonstrate stronger governance and strategic alignment, smaller entities often struggle with resource constraints and im- plementation challenges. The study emphasises the critical role of leadership, accountability, and integrating human-centric approaches alongside techno- logical advancements. Future studies should focus on validating an organisation’s application of the suggested Cyber Resilience Top 3 framework, investigating interview instru- ments in comparison with surveys and self-assessments when measuring cyber resilience, and utilising the data collected to investigate particular regions or industries. Other suggestions for future research include investigating how challenges in cyber resilience change beyond 2024 and dedicated research into improving cyber resilient cultures, communication, and the adaptation of cyber resilient paradigms within organisations. This research provides a framework modeled on OWASPS Top 10 lists in the form of The Cyber Resilience Top 3, enabling organisations to understand the current global state of cyber resilience and make targeted and educated improvements to their cyber resilience postures. This research makes three significant contributions to the discourse on organisational cyber resilience and its improvement. First, it introduces an open-source online research companion, available at https://cyberresilience.dev/, which provides an accessible platform for explaining the key concepts of the research and their practical applications. By translating complex findings into clear, actionable insights, this compan- ion bridges the gap between academic theory and organisational practice, em- powering stakeholders to enhance their cyber resilience strategies effectively. Its open-source nature ensures broad accessibility, encourages community collaboration, and allows for continuous updates to maintain relevance in a rapidly evolving field. Second, the research presents a comprehensive framework that explores the current Cyber Resilience Top 3 challenges and offers state-of-the-art rec- ommendations for addressing these areas. This framework, as shown in Fig- ure 31, provides organisations with a structured approach to prioritizing 81 critical resilience investments, synthesizing survey data, expert insights, and best practices to guide impactful decision-making. By focusing on actionable strategies tailored to key challenges, the framework not only supports prac- titioners in addressing immediate needs but also contributes to the academic discourse by offering a model for further refinement and application across diverse contexts. Lastly, the research makes its data publicly available as an open-source resource at https://github.com/adameddarcy/cyberresilience.dev. This open data initiative fosters transparency, reproducibility, and collaboration, enabling future researchers to validate findings, explore new questions, and apply advanced methodologies for additional insights. Practitioners can leverage the dataset to benchmark their resilience efforts against broader industry trends, while the cybersecurity community as a whole benefits from a culture of shared knowledge and cooperative progress. Together, these contributions provide meaningful tools, frameworks, and resources that not only advance theoretical understanding but also deliver actionable benefits to organisations striving to enhance their cyber resilience. In conclusion, cultivating a culture of cyber resilience is essential for fos- tering a proactive, organisation-wide approach to cybersecurity, where collec- tive awareness, accountability, and readiness become ingrained. Embracing the “Assume Breach” mentality guides decision-makers in prioritising in- vestments, adopting secure architectures, and implementing operational best practices, reducing overreliance on potentially compromised systems. Finally, effective communication is the most critical cybersecurity skill, emphasising that human collaboration and information-sharing are the cornerstones of defending against ever-evolving cyber threats.