CISOs Report That Their Organizations Can’t Recover Quickly After Cyber Incidents

Enterprise security today is as much about recovery as it is about defense, but many organizations are still falling short.

New research from Absolute Security, based on responses from 750 CISOs in the United States and United Kingdom, highlights a sharp rise in prolonged disruption. 55% of organizations experienced a cyberattack in the past year that left large portions of their workforce unable to operate.

Of those organizations, none restored operations within 24 hours. Most took nearly five days, while 19% experienced outages lasting up to two weeks. This extended downtime is becoming the norm following serious incidents.

Costs added up quickly.

The average cost to bring operations back online reached $2.5 million per event, with most organizations reporting recovery expenses between $1 million and $5 million. These figures reflect only direct technical remediation and do not include revenue loss or reputational harm.

Despite the growing importance of resilience, adoption appears to be slipping.

This year, just 68% of CISOs said their organization has a resilience strategy in place, which is down from 90% the year before.

Prioritization is also weakening.

In 2024, 83% of CISOs said resilience ranked above traditional security controls like detection and prevention. That number has since dropped to 65%. This decline comes at a time when recovery is taking longer, and attacks are becoming more disruptive.

Why It Matters: Recovery timelines are now a key measure of how well security programs are performing. Delays affect customer relationships, financial outcomes, and internal productivity. Many organizations continue to invest in prevention but leave recovery underfunded or poorly planned. In some cases, executive expectations for near-instant restoration don’t reflect what response teams are realistically able to deliver. Without stronger planning and alignment, technical gaps can quickly turn into business-wide disruption.

• Extended Disruptions Are Widespread: More than half of CISOs said their organizations experienced incidents over the past year that disabled mobile, remote, or hybrid endpoints. Most took around five days to restore operations, though some reported disruptions lasting up to two weeks. These delays affected daily workflows and slowed delivery across departments. Not one CISO reported full restoration within a single day, reinforcing that quick recovery remains out of reach for many.

• Budgets Struggle to Keep Up: The majority of organizations reported spending between $1 million and $5 million to address a single incident. That typically includes immediate repair work and support from external vendors, but not the larger financial impact. Downtime often leads to missed targets and strained customer agreements. Even with rising cybersecurity budgets, many organizations still lack dedicated funding for recovery, forcing teams to stretch limited resources to restore operations.

• CISO Responsibilities Are Expanding: 72% of CISOs said they are now responsible for leading the organization’s recovery after incidents that interrupt business. This includes responding to cyberattacks and dealing with internal software failures. In many cases, the responsibility to restore operations has grown faster than the support structures around it. Security leaders are managing recovery efforts without the support or coordination they need.

• Expectations Are Misaligned: 61% of CISOs said their board or executive team expects them to fully prevent breaches and ransomware attacks. At the same time, 59% expressed concern that a serious incident could result in job loss or legal consequences. With leadership now focused on how fast operations resume, even well-managed delays can be viewed as failures. Without a better understanding of recovery demands, pressure on security teams will continue to rise.

• Focus on Resilience Is Declining: Only 68% of CISOs said their organization has a resilience strategy in place, a sharp drop from 90% last year. Even fewer now place resilience ahead of traditional defenses. This decline raises concerns, especially as incident volume grows and recovery windows lengthen. Some organizations may be relying too heavily on detection tools or lack clarity on who owns recovery planning. But whatever the reason, less focus on resilience increases the risk of extended outages and greater business disruption.

Go Deeper -> The Resilient CISO: The State of Enterprise Resilience – Absolute