The latest research on Cyber Resilience from the Ponemon Institute shows that 79 percent of security executives reported that they aren’t prepared for a cybersecurity incident. And only 21 percent have the technology in place to respond to a cyberattack. This new independent study, The Cyber Resilient Organisation in Germany: Learning to Thrive against Threats, from privacy and information security research firm Ponemon Institute, benchmarks German organizations’ resilience to cyber threats.

Surprisingly, the German study also revealed that 54 percent rated their cyber resilience as high, suggesting a gap between perceived resilience and reality. This is the third report in a series of cyber resilient studies, with founding sponsor, Resilient Systems. The first study was published in the US last year and the second study was released earlier this week in the UK. Similar to the UK findings, insufficient planning and preparedness and organizational factors are identified as major barriers to achieving cyber resilience.

The report from the Ponemon Institute, surveyed 445 IT and security executives in Germany about their organizations’ approach to becoming more resilient in the face of increasingly problematic and frequent cyberattacks. The respondents comprised a wide range of senior security professionals across several verticals.

Germany is undergoing significant changes to its regulations around cybersecurity. The Upper House of the German Parliament ratified legislation on the cyber protection of critical infrastructure in July 2015 and German lawmakers have been driving the upcoming EU-wide Network and Information Systems Directive (NISD) and the General Data Protection Regulation (GDPR), which contain mandatory breach reporting requirements and require companies to clearly document their incident response strategies.

Key findings from the study include:

Nearly eighty percent reported that they are not prepared to respond to a cybersecurity incident

  • 79% reported that they have either ad-hoc or no cyber-incident response plans.
  • Twenty-one percent of companies reported they are unprepared to respond to a cybersecurity incident, lacking a cybersecurity incident response plan (CSIRP).
  • An additional 58 percent have only an “ad hoc” CSIRP in place, or one that is not applied across the enterprise.
  • Only 21 percent having a well-defined CSIRP applied across the entire organization.
  • The research also shows that planning and preparedness is key to cyber resilience. Yet, 69 percent ranked insufficient planning and preparedness as the greatest barrier. This went ahead of complexity of business processes (51 percent), and insufficient awareness, analysis, and assessment (55 percent).

The majority of German security leaders reported that the state of cyber resilience in their organization is high even without a planned or practiced response.

  • Fifty-four percent of respondents rated their cyber resilience as high. This shows German organizations to be far more confident in their capabilities than their US and UK counterparts, where high ratings of cyber resilience were at only 25 and 29 percent, respectively.
  • The majority of German organizations are also very confident in their ability to detect (56 percent), contain (63 percent), and recover from (51 percent) a cyberattack.

Persistent attacks are the greatest threat to cyber resilience.


  • The IT-related threat with the greatest impact on an organizations’ ability to be cyber resilient is persistent threats. The most likely threat to occur is third-party glitches.

Organizational factors also make cyber resilience difficult to achieve.

  • The study shows that a high level of cybersecurity is difficult to achieve if no single function clearly owns responsibility. Only 20 percent of respondents say the business unit leader is accountable for making their organization resilient to cyber threats, followed by 13 percent who say it is the chief information officer (CIO). Others commented that no single person has responsibility.
  • Forty-six percent of respondents believe that funding for IT security is insufficient to achieve a high level of cyber resilience, and 53 percent believe that staffing for IT security is also insufficient.

“The study results are fascinating in that there seems to be a disconnect between the German security leaders reported lack of preparedness yet a level of confidence of their Cyber Resilience,” said Larry Ponemon. “In order to weather the next wave of cyberattacks, organizations need to plan and prepare, they need to coordinate with the entire organization, and they need to ensure they have proper CSIRPs in place for when an attack does happen.”

The study is at