The disconnect between perceived cybersecurity readiness and actual protective practices
Most executives feel secure because their organizations check the right boxes. You’ve bought the latest cybersecurity tools, met compliance standards, and conducted annual audits. On paper, it looks solid. But the reality is different and dangerous.
Data from Horizon3.ai, which analyzed responses from 800 IT and security professionals across the U.S., U.K., and the EU, makes this clear: 84% of organizations reported experiencing a breach, and more than one in five named known but unpatched vulnerabilities as their biggest risk.
Now here’s something even more telling: 61% of cybersecurity decision-makers understand how important it is to reduce Mean Time to Remediate (MTTR), the time it takes your team to patch or fix a problem once it is known. They know that a slower MTTR increases both cost and risk. Yet 16% of those same professionals have effectively ignored the measure altogether. Awareness isn’t enough. Action is.
Stephen Gates, Principal Security SME at Horizon3.ai, said it plainly: “What surprised us was the massive gap between what organizations believe to be important to cybersecurity and what they’re actually doing.”
Here’s the problem: it’s not that leaders don’t care. It’s that many are stuck in a defensive posture geared toward compliance rather than actual security. If your strategy is designed to keep auditors happy rather than attackers out, you’ve already lost the initiative. Compliance doesn’t predict resilience, and on its own it rarely produces it.
Focus on real outcomes, not assumed results. Measure what matters, like speed to patch and the effectiveness of your detections.
Vulnerability management practices are inadequate
Most companies are scanning for vulnerabilities. That’s not the issue. The issue is what happens after the scan. Horizon3.ai found that 98% of organizations use some form of scanning technology to detect vulnerabilities, but only 34% of these organizations think the tools they use are actually effective. That’s a problem.
The signal-to-noise ratio is out of control. 36% of surveyed teams said their tools overwhelm them with false positives. When your security teams spend their time chasing hundreds of inaccurate alerts, they’re not fixing the actual risks that matter.
Even more concerning, 36% of CISOs say they delay applying patches simply because they don’t know if a vulnerability can actually be exploited in their environment. That’s a clarity issue. And clarity is everything when you’re managing critical systems under pressure.
Stephen Gates from Horizon3.ai put it well: when teams are inundated with alerts, they start disregarding them altogether. You already know what that leads to: when the real threat shows up, no one is watching.
For executives, this highlights a structural problem. Investing in vulnerability scanners isn’t enough if your teams can’t distinguish urgency from noise. You either fix that or risk missing something critical. If your security tools don’t enable fast, accurate decision-making, they’re adding friction instead of protection.
The path forward? Prioritization must be built into every layer of your security strategy. Your teams need greater insight into exploitability and context, not just alert counts. That requires tools designed to deliver fewer, smarter signals, and workflows designed to act on them without delay.
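The prioritization and measurement argument above can be made concrete. The following is an added example, not code from the original article or from Horizon3.ai: it scores scanner findings by exploitability and context rather than by raw severity alone, discards unconfirmed detections so they stop consuming analyst time, and tracks MTTR per priority tier while keeping open, past-SLA items visible instead of hiding them behind a flattering average. The finding records, scoring weights, tier thresholds and SLA targets are all constructed assumptions for illustration, not figures from the survey.

```python
"""Exploitability-aware vulnerability triage and MTTR tracking.

Added example, not code from the original article or from Horizon3.ai.
The findings, weights, thresholds and SLAs below are constructed
assumptions, not survey data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    title: str
    asset: str
    cvss: float                 # base severity as reported by the scanner
    exploit_validated: bool     # an actual test reached and triggered the weakness
    known_exploited: bool       # vulnerability is being exploited in the wild
    internet_exposed: bool      # asset is reachable from outside the perimeter
    crown_jewel: bool           # asset holds or fronts critical data
    confirmed: bool             # analyst confirmed the detection is not a false positive
    detected_at: datetime
    remediated_at: Optional[datetime] = None


def priority_score(f: Finding) -> float:
    """Contextual priority: CVSS is only the starting point.

    Unconfirmed detections score zero so they never enter the queue.
    Validated exploitability and exposure outweigh the raw severity
    number. The weights are assumptions chosen for illustration.
    """
    if not f.confirmed:
        return 0.0
    score = f.cvss
    if f.exploit_validated:
        score += 10.0
    if f.known_exploited:
        score += 6.0
    if f.internet_exposed:
        score += 4.0
    if f.crown_jewel:
        score += 3.0
    return score


def tier(score: float) -> str:
    """Map a contextual score to a remediation tier (thresholds assumed)."""
    if score >= 20:
        return "P1"
    if score >= 12:
        return "P2"
    if score > 0:
        return "P3"
    return "noise"


SLA_DAYS = {"P1": 2, "P2": 14, "P3": 45}   # assumed remediation targets, in days


def triage(findings: list) -> list:
    """Return (finding_id, tier, score) sorted highest priority first; noise is dropped."""
    scored = [(f.finding_id, tier(priority_score(f)), priority_score(f)) for f in findings]
    actionable = [row for row in scored if row[1] != "noise"]
    return sorted(actionable, key=lambda row: row[2], reverse=True)


def mttr_by_tier(findings: list, now: datetime) -> dict:
    """Mean Time to Remediate per tier, plus open items that have blown their SLA.

    Only remediated findings contribute to the mean; open findings are
    counted against the SLA so unpatched risk stays visible.
    """
    report = {}
    for f in findings:
        t = tier(priority_score(f))
        if t == "noise":
            continue
        bucket = report.setdefault(t, {"closed_days": [], "open": 0, "open_past_sla": 0})
        if f.remediated_at is not None:
            bucket["closed_days"].append((f.remediated_at - f.detected_at).total_seconds() / 86400)
        else:
            bucket["open"] += 1
            if (now - f.detected_at).days > SLA_DAYS[t]:
                bucket["open_past_sla"] += 1
    for b in report.values():
        b["mttr_days"] = round(mean(b["closed_days"]), 1) if b["closed_days"] else None
        del b["closed_days"]
    return report


# Constructed sample findings (not real assets or vulnerabilities).
T0 = datetime(2024, 3, 1)
NOW = T0 + timedelta(days=30)
SAMPLE = [
    Finding("F-1", "outdated VPN appliance firmware", "vpn-gw-01", 9.8, True, True, True, False, True, T0, T0 + timedelta(days=1)),
    Finding("F-2", "unauthenticated admin endpoint", "hr-db-02", 7.5, True, False, False, True, True, T0, None),
    Finding("F-3", "banner-based version match", "build-07", 9.1, False, False, False, False, False, T0, None),
    Finding("F-4", "weak TLS cipher suite", "kiosk-11", 5.3, False, False, False, False, True, T0, T0 + timedelta(days=20)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print(mttr_by_tier(SAMPLE, NOW))
```

Note how F-3, a scanner hit with a critical CVSS score that nobody confirmed, never reaches the queue, while F-2, with a lower base score but a validated exploit path on a crown-jewel asset, lands in P1 and is reported as past SLA after a month rather than disappearing into a tool's alert count.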
Outsourced penetration testing often fails to deliver
A lot of companies pay for external penetration testing to find weaknesses in their systems. That part makes sense. But the way most of it is done today doesn’t give you real-time or useful results. It creates more confusion than confidence.
According to Horizon3.ai, 40% of organizations said their environment had changed so much between the time the test was run and when they received the report that the findings were either outdated or irrelevant. Another 27% flagged accuracy problems: false positives and false negatives caused by testers not fully understanding the company’s infrastructure. Even more concerning, 24% didn’t receive any practical guidance on how to actually fix the issues identified.
That’s time, budget, and trust spent on an outcome that doesn’t move the needle.
Security programs depend on context. If your testers can’t understand your architecture or give you insight you can use right now, not after the next maintenance cycle, then you’re not solving vulnerabilities. You’re compiling reports that might meet a contractual deliverable but leave your environment exposed.
Inadequate testing of cloud environments leaves organizations exposed
Cloud is now where business runs. Migration is fast. Adoption is high. But many companies haven’t adapted their security practices to match that reality. That’s where the exposure begins.
Horizon3.ai’s data shows that 40% of organizations are not regularly testing their cloud environments at all. When an environment isn’t tested, vulnerabilities aren’t tracked. When they aren’t tracked, they aren’t fixed. The risk compounds.
Many teams assume that moving to the cloud means security is automatically handled by the provider. That’s a dangerous misunderstanding. Under the shared responsibility model, the major cloud platforms secure the underlying infrastructure, but testing and securing configurations, applications, data, and identity policies remains the responsibility of the organization using the cloud.
This isn’t about intent: most companies want secure operations. It’s about visibility. If you’re not testing what’s deployed in your own cloud footprint, you don’t know where you’re vulnerable.
From an executive perspective, cloud has flexibility and scale advantages. That’s why you’re in it. But it also multiplies risk if unchecked. Every component provisioned, every update deployed, every privilege misused—those all increase the attack surface daily. Regular cloud testing isn’t optional. It’s foundational.
To move forward, your strategy must include continuous, automated cloud assessments, and not just per project or at the end of the quarter. You need those tests to be real-time, scoped to your architecture, and capable of validating change impact fast. Cloud moves quickly. Your visibility into it has to move faster.
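As an added example of what an automated, change-aware cloud assessment looks like in practice (this is not code from the original article, Horizon3.ai, or any cloud provider's tooling), the block below runs two customer-responsibility checks over a snapshot of an account and then diffs the results of two snapshots so that a deployment's impact is reported as findings it introduced, resolved, or left open. The policy documents follow the AWS IAM and S3 bucket-policy JSON shape, but the snapshots, resource names and the "snapshot" structure itself are constructed assumptions for illustration.

```python
"""Continuous cloud configuration assessment with change-impact diffing.

Added example, not code from the original article or any provider's tooling.
The snapshot format and all resource names are constructed assumptions;
the policy documents use the AWS IAM / S3 policy JSON shape.
"""
import json
from typing import Any, Optional


def _as_list(value: Any) -> list:
    """IAM allows a bare string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: Optional[dict]) -> list:
    return _as_list(policy.get("Statement")) if policy else []


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_role_policies(snapshot: dict) -> list:
    """Flag roles whose policy allows any action on any resource.

    Only the full wildcard pair is flagged here; partial wildcards such as
    "s3:*" would belong to a stricter, service-specific check.
    """
    findings = []
    for name, role in snapshot.get("roles", {}).items():
        for st in _statements(role.get("policy")):
            if st.get("Effect") != "Allow":
                continue
            if "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
                findings.append(f"wildcard-admin:{name}")
                break
    return findings


def check_buckets(snapshot: dict) -> list:
    """Flag buckets reachable by anyone: public access block off AND a bucket
    policy that allows an anonymous principal."""
    findings = []
    for name, bucket in snapshot.get("buckets", {}).items():
        if bucket.get("public_access_block", False):
            continue
        for st in _statements(bucket.get("policy")):
            if st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal")):
                findings.append(f"public-bucket:{name}")
                break
    return findings


def assess(snapshot: dict) -> set:
    return set(check_role_policies(snapshot)) | set(check_buckets(snapshot))


def change_impact(before: dict, after: dict) -> dict:
    """Assess both snapshots and report what the change introduced, fixed, or left open."""
    b, a = assess(before), assess(after)
    return {"introduced": sorted(a - b), "resolved": sorted(b - a), "still_open": sorted(a & b)}


# Constructed snapshots of one account before and after a deployment.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PUBLIC_READ = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder/*"}]}
SNAPSHOT_BEFORE = {
    "buckets": {
        "app-logs": {"public_access_block": True, "policy": None},
        "old-site": {"public_access_block": False, "policy": PUBLIC_READ},
    },
    "roles": {
        "legacy-admin": {"policy": ADMIN_POLICY},
        "ci-deploy": {"policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::app-logs/*"}]}},
    },
}
SNAPSHOT_AFTER = {
    "buckets": {
        "app-logs": {"public_access_block": True, "policy": None},
        "old-site": {"public_access_block": True, "policy": PUBLIC_READ},   # block turned on
        "exports": {"public_access_block": False, "policy": PUBLIC_READ},   # new, exposed
    },
    "roles": {
        "legacy-admin": {"policy": ADMIN_POLICY},
        "ci-deploy": {"policy": ADMIN_POLICY},   # widened to full admin by the change
    },
}

if __name__ == "__main__":
    print(json.dumps(change_impact(SNAPSHOT_BEFORE, SNAPSHOT_AFTER), indent=2))
```

Run on every deployment (or on a schedule against live snapshots pulled from the provider's API), the "introduced" list is the signal worth paging on: it is scoped to what just changed, not a quarterly pile of everything that was ever wrong.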
Staffing shortages and human factors impede effective cybersecurity defense
Technology doesn’t operate on its own. People run the systems. People investigate alerts. People apply patches. When you don’t have enough of the right people in the right roles, everything slows down, and weak spots stay exposed longer than they should.
Stephen Gates, Principal Security SME at Horizon3.ai, pointed to this directly: “IT and operations teams are understaffed and stretched thin.” That pressure creates blind spots: things get missed, policies slip, errors multiply. And when there’s an incident, teams fall behind instead of getting ahead.
The more overworked your people are, the less time they have to focus on strategic tasks like proactive monitoring, detailed root cause analysis, or refining defenses. They’re firefighting. They’re reacting instead of reducing risk.
When staff burn out or leave, the institutional knowledge they take with them amplifies those gaps further.
For C-suite leaders, this shouldn’t be seen as only a hiring problem. It’s a prioritization issue. You don’t need to overbuild headcount. What you need is strategic investment in automation and intelligent tooling that amplifies your existing team’s capabilities, tools that cut noise, streamline patching, and support fast, accurate remediation.
You can’t ignore the operational constraints of your internal teams. If visibility and consistency drop due to staff limitations, your entire security posture weakens. Investments need to balance software, infrastructure, and people, because without enough trained, supported professionals managing them, even the best systems fall short.
Rising cybersecurity investments are not effectively reducing risks due to misaligned strategies
Spending is up. Risk is not going down. That’s the disconnect.
According to Gartner, global spending on information security will reach $212 billion in 2025, a 15% increase from $184 billion the previous year. Much of that growth is driven by enterprise adoption of generative AI and the increased demand for protective tooling around it. The investment is real. The problem is that the outcomes often aren’t.
Organizations are buying more tools but continuing to experience the same breaches. The core issue isn’t budget. It’s direction. If security programs are structured around compliance, not actual threat reduction, then you’re paying more to maintain the illusion of protection. That illusion breaks the moment an attacker moves faster than your quarterly review cycle.
This is about tightening alignment between investments and outcomes. Buying technology won’t reduce risk unless you’ve addressed how it is implemented, integrated, maintained, and measured.
Executives need to push for strategies that link spend directly to frontline performance. Where did the breach start? How long did remediation take? Are detection signals improving? These are the metrics that matter.
If spending looks good on a graph but incident volume stays the same, leadership has to ask different questions. Are teams set up for speed and agility? Do tools increase signal clarity or add friction? Is there accountability tied to tool usage, not just tool acquisition?
Security effectiveness comes down to operational integration and measurable results. Budget is just an enabler. The decisions behind it determine whether risk actually drops or just gets documented better.
Cyber attackers outpace defenders with speed, innovation, and substantial resources
Attackers have the advantage, and they’re using it. They’re fast, well-funded, and not bound by process. They move quickly when they find a weakness. Most defenders don’t.
Stephen Gates, Principal Security SME at Horizon3.ai, summed it up clearly: defenders are in “an asymmetric battle against attackers who innovate faster, exploit weaknesses instantly, have seemingly endless budgets to fund their activities, advance their toolsets daily, and never play by the rules.” That’s not an exaggeration, it’s the current state of cybersecurity.
Internal security teams remain focused on schedules, compliance cycles, and static processes. Attackers don’t wait. They probe, pivot, and strike in days or hours—not quarters. When organizations are still conducting annual testing and delayed patch cycles, they’re playing on outdated timelines.
The bigger issue is structural. Most security teams are reactive, while attackers are adaptive. This results in defenders being outmaneuvered—not due to lack of effort, but because the operational model doesn’t support fast adaptation.
C-level leaders need to understand that closing this gap can’t be achieved through compliance-driven approaches or occasional assessments. It requires real-time visibility, constant testing, and rapid feedback loops. You have to enable your teams to operate at the same speed attackers are using to move in.
That means deploying tooling that flags only the issues that matter and reduces noise. It means building processes that empower faster decisions. And it means shifting from static defenses to dynamic, continuous monitoring and improvement.
Security isn’t broken because defenders aren’t trying. It’s broken because the system most organizations use isn’t designed to compete with an always-on, well-resourced, fast-moving threat. That’s what needs to change.
Recap
The gap between what most organizations spend on cybersecurity and the protection they actually get is growing. Tools aren’t the issue. Strategies are. When decisions prioritize compliance over resilience, speed takes a backseat, and attackers don’t wait.
Every breach, every delayed patch, every ignored alert is an operational failure disguised as a technical problem. If your teams are overwhelmed, if your cloud environments aren’t tested, if your penetration tests generate paperwork instead of action, you have exposure. And it’s measurable.
For executives, this comes down to accountability. Not just in your security team, but across the leadership table. You don’t reduce risk by writing bigger checks. You reduce risk by driving execution that matches reality—fast, contextual, and relentless about getting the basics right.
Make cybersecurity a performance function, not a compliance checkbox. Prioritize what matters. Give your teams the time, clarity, and tooling they need to act. The threats are moving. The question is whether your organization is, too.