Ask just about any security professional to list the biggest threats facing their organization. They’ll rattle them off without hesitation. They’ve read the reports. They’ve briefed the board. They know.
And yet, across the industry, readiness to deal with those threats is slipping — not holding steady, not slowly improving, but actively declining. Ivanti’s 2026 State of Cybersecurity Report, based on responses from more than 1,200 cybersecurity professionals worldwide, found that the shortfall between perceived risk and preparedness widened by an average of 10 points year over year. That held true for all 10 threat types we track.
Everyone has the information. But organizations are struggling to maintain operational capability. Why?
The three biggest trouble spots
When you break down the data by threat category, a few areas are especially exposed.
Ransomware is the top-ranked concern — 63% of security professionals call it a high or critical risk. Confidence in defending against it is far lower, at 30% — leaving a 33-point gap that grew by four points since last year. And this can get expensive when you consider that more than half of organizations surveyed admitted they’d likely pay up if hit with a ransomware attack today. That’s despite longstanding FBI guidance recommending against payment.
DDoS attacks are one of the oldest threat categories in the book, and you’d expect organizational defenses to be well established by now. They’re not. The readiness shortfall for DDoS showed a 31-point gap between perceived threat and preparedness, which widened by 14 points year over year. This suggests that even common attack vectors are outpacing current defenses.
API-related vulnerabilities are a growing concern because the attack surface keeps expanding. APIs connect systems, enable integrations and power the products companies sell. The research showed a 32-point gap that widened by 11 points year over year. As that footprint grows, security teams are struggling to maintain coverage, and the data reflects it.
Speed has become the central issue
The biggest single driver behind the widening readiness deficit is speed. AI has given attackers an acceleration advantage that most defenders haven’t matched.
Threat actors can now take a released patch, reverse engineer it with the help of AI and produce a working exploit within hours. That means the patch cycle is compressing and the importance of strong cyber hygiene can’t be overstated.
Deepfakes are another area where speed and scale are compounding. Seventy-seven percent of organizations in our survey have already dealt with deepfake-related attacks, and more than half have been on the receiving end of AI-enhanced phishing emails that used synthetic content to impersonate trusted contacts. When we asked security professionals whether their CEO could reliably identify a deepfake, only 30% said yes with confidence.
These are familiar threat categories. What’s changed is how fast and how convincingly attackers can execute them.
Budget growth hasn’t produced proportional results
On a positive note, organizations are clearly taking cybersecurity seriously at the board level. In our survey, 94% report that security is discussed by the board, and 83% say their budgets are increasing for the coming year — a 10-point improvement over the prior period. Investment is flowing into cloud security (68% increasing spend), data security (67%) and GenAI for security applications (60%).
On paper, that should be moving the needle. In practice, readiness scores are still declining.
The reason comes down to execution discipline. More than four in five organizations (81%) have a documented risk appetite framework. But when we asked whether that framework was closely followed in daily operations, fewer than half — 45% — said yes. A third of organizations report difficulty prioritizing remediation in critical areas like patch management.
You can have the right framework, a supportive board and a growing budget. If the framework sits unused and patches don’t get deployed on time, none of it makes a difference.
Where to focus
I’ve led more than 100 cybersecurity investigations over my career, specializing in nation-state cases and high-profile breaches. The organizations that weathered those situations best weren’t always the ones with the biggest budgets. They were the ones where preparation was an operational habit, not a document on a shared drive.
With that in mind, three areas deserve immediate focus:
- Prioritize patching. Given what we know about how quickly attackers can weaponize disclosed vulnerabilities, multi-week patching timelines no longer make sense.
- Fix the breakdown between security and IT. Our research found that 48% of security professionals feel their IT counterparts don’t respond to cybersecurity concerns with sufficient urgency. Forty percent say IT doesn’t grasp the organization’s risk tolerance. These two teams need to operate as one unit when it comes to remediation. Security sets the priority. IT executes the fix. When those handoffs break down, risk accumulates.
- Make your risk framework operational or throw it out. If 55% of organizations aren’t closely following their own documented risk framework, those frameworks are decorative. A useful framework determines what gets patched first, what gets funded, what gets escalated and what gets accepted. If yours doesn’t do those things, rebuild it from the ground up — and measure whether people are using it.
The real constraint
The data in this year’s report is evidence that we need to turn the resources available (budgets, tools, talent, board attention) into faster, more coordinated action. That takes daily discipline, but it’s within our control.

