CISOs increasingly assume the next breach is coming. What concerns them most is whether their teams will understand the incident quickly enough to limit the fallout. A recent report by Binalyze looks at how investigation practices are holding up across large US enterprises.
Attackers hold the advantage
84% of CISOs say a successful breach is inevitable. That belief shapes budgets, staffing plans and expectations during an incident. It also increases pressure to shrink the gap between detection and investigation. Even so, teams wait an average of 8.6 hours before bringing forensics into the response process.
Slow engagement creates cost. Each hour of delay adds about $114,000 to the impact of an attack. The exact number will vary from case to case, but it reflects a shared view across the industry. Response time is a financial risk as much as a technical one.
CISOs also say their organizations struggle to learn from past incidents. The issue is not reluctance. It is a lack of clarity. When teams cannot see what happened, they cannot adjust defenses with certainty.
Crisis management frameworks lag behind reality
Only a minority of CISOs feel confident in their crisis management frameworks. Fewer than half can answer three basic questions during a breach: whether the attacker still has access, how the attacker got in and what data was taken. Boards, regulators and insurers expect those answers. The answers are also essential for containing an incident.
Visibility is a major problem. CISOs say they can see only about 57% of their IT environment at any given moment. That leaves large areas where evidence is difficult to find or verify. These gaps slow investigations and force teams to guess at the scope of an incident. When the picture is incomplete, reporting becomes harder. Some teams report too much. Others report too little. Both create risk.
This lack of clarity comes with financial consequences. On average, unclear investigations cost organizations more than $1 million. Some have lost insurance claims or faced regulatory penalties because they could not show exactly what happened. Better investigative footing can prevent many of these outcomes.
Investigation teams are stretched thin
Enterprises have an average of 18 skilled investigators. That may be workable for some organizations. For others it falls short of what is needed for environments that span on-premises systems, cloud services, personal devices and third-party platforms.
90% of CISOs say a shortage of skills has slowed or limited investigations over the past five years. Only about one-third believe their teams have the skills needed to handle investigations without outside help. These gaps shape daily work. Tasks often land with staff who are less experienced in forensics simply because no one else is available. The process continues, but errors become more likely.
Burnout is also a concern. Workloads keep rising and pressure lands on the most experienced investigators. Some organizations have already lost staff to stress or turnover. Once those employees leave, it takes time to rebuild their skills within the team. Over time this cycle shrinks capacity, slows investigations even further and raises overall risk.
A shift toward investigation readiness
Prevention continues to matter, but teams need more than protective controls to handle attacks. Organizations that recover well are usually the ones that investigate early and with clarity. They rely on a framework that guides decisions, visibility across their environment and tools that help teams reach answers without depending on a small group of specialists.
The goal is to make it easier to understand what happened while keeping the toolset lean. CISOs want a response process that begins sooner, produces fewer blind spots and allows them to speak confidently to leadership and regulators.
Attackers will keep pushing, but defenders still have room to improve their position. Stronger investigation practices help organizations reduce the damage from the next breach and learn from it. Resilience grows when teams can see what is happening in real time and act without hesitation.
