A/NZ cyber-ready on paper but exposed in reality

Published on the 23/04/2026 | Written by Heather Wright


Seeing cyber risk isn’t the same as surviving it…

Local organisations have never had more cyber insight, with three quarters of A/NZ organisations saying they have ‘good visibility’ into cyber risk. Dashboards are full. Alerts are firing. Detection is humming along.

But recovery? That might be another story, with only a third of organisations in a recent survey having a tested incident response or business continuity plan. The figures, contained in Datacom’s 2026 Cybersecurity Index, point to a false sense of security big enough to drive a ransomware truck through.

The Index draws on a survey of more than 700 security leaders across Australia and New Zealand. It found 73 percent of New Zealand respondents and 77 percent of Australian respondents believe they have sufficient visibility across risks, vulnerabilities and compliance. They’re confident, too (Australia: 70 percent; NZ: 78 percent), that they have the resources to deal with a cyber attack.

But Datacom has raised a red flag when it comes to organisational preparedness. The data shows only 30 percent of New Zealand and 32 percent of Australian organisations have a business continuity or cyber incident response plan in place. That gap between confidence and readiness is what Datacom dubs the region’s growing ‘resiliency gap’: Organisations have built world-class radar systems, but many still don’t have a safe runway to land the plane when things go wrong.

“Organisations have invested heavily in monitoring and detection, but they are falling short when it comes to recovery,” says Mark Hile, Datacom managing director, infrastructure products. “The priority now is not another dashboard but engineered resilience – from containment to stabilisation to rapid recovery.”

The Index shows most leaders expect to recover from a major cyber incident within days, an optimism that flies in the face of real-world examples, which routinely show recovery taking weeks or months. “Business leaders in particular underestimate recovery times, despite the fact IT leaders report an average of four weeks to reach a minimum level of operational recovery after an attack, according to global tech research firm Omdia,” the report says.

The problem is not a lack of alerts, but instead untested plans, unclear decision rights and an absence of operational muscle memory when cyber incidents become business crises.

“In 2026, maturity will be defined by resilience, not just detection,” the report says. “Visibility alone is no longer the differentiator; the ability to operate under high volume and to recover when defences fail is.”

As Datacom CISO Collin Penman puts it: “Detection is table stakes. Reporting is a must. Resilience is the differentiator.”

That resilience, he says, comes down to preparedness – something that, based on the survey data, he says is a problem for A/NZ organisations, and an issue requiring a fundamental shift in how boards and business leaders make decisions on cybersecurity investment.

He notes the example of the 2025 ransomware attack on Jaguar Land Rover UK, which halted production for five weeks and took nearly five months for full recovery.

“What prolongs recovery is not a lack of alerts, but a lack of preparedness for disruption. Many organisations are well equipped to identify an incident, yet struggle once it impacts customers, services or revenue. At that point, untested continuity plans, unclear decision rights and cross functional dependencies slow progress,” the report notes.

The report suggests the threat landscape itself is well understood. Across both markets AI-enabled cyberattacks and phishing/social engineering consistently rank as the top concerns for organisations. These are closely followed by employee or user error, application and API attacks – particularly involving legacy systems – and data breaches involving extortion. Datacom notes AI-enabled threats are not necessarily new, but are acting as force multipliers, enabling attackers to move faster, scale more easily and compress attack timelines.

Cyber’s human problem

The same visibility trap is playing out inside security teams.

According to the Index, 43 percent of Kiwi and 36 percent of Australian organisations report signs of cyber burnout among their security or IT teams. While this is down from 2025 levels, Datacom warns that’s not because the work has eased, but because pressure has been recalibrated as ‘normal’.

Security teams are managing relentless alert volumes, AI-enabled attack acceleration and rising expectations from boards who often underestimate recovery realities. Responsibility for cybersecurity remains concentrated in IT, with over half of organisations in both markets still viewing cyber as primarily an IT or security function, rather than a shared executive responsibility.

“The drop in reported burnout is encouraging, but I don’t think the pressure has eased,” says Penman. “I think our people have recalibrated what they consider to be normal… no amount of hiring will outpace the volume and velocity of what we’re facing.”

Seeing everything, owning nothing

One of the potentially more uncomfortable findings in the Index is how poorly visibility translates into organisational action. Framework adoption remains fragmented, with no single framework surpassing 50 percent, even among organisations expressing high confidence.

Even where frameworks exist, Datacom notes they function more as ‘organising mechanisms than operational anchors’ with limited impact on real-world recovery capability.

Security teams are expected to manage incidents that cross cloud, identity, applications, supply chains and customer experience, often without clear authority to stabilise systems quickly. When response plans exist only on paper and have never been tested, recovery becomes improvisation under pressure. Says Penman: “A plan that’s never been tested isn’t a plan – it’s a document. Regular exercises build muscle memory, so response becomes automatic, coordinated and fast in the event of a cyber incident.”
