How connected ecosystems test incident response plans

by Black Hat Middle East and Africa

We’ve been reading two reports, both recently published, that landed on the same conclusion. A growing number of organisations do have incident response plans in place – but those plans weaken when an incident crosses teams, suppliers, and environments. 

Incident response that breaks at the edges 

If you look at Sygnia’s 2026 CISO survey, incident response looks (on paper) mature in many organisations. Of those surveyed: 

  • 96% have a documented incident response plan
  • 99% have tested plans through tabletop or simulation exercises
  • 97% have 24/7 monitoring or MDR coverage
  • 97% have digital forensics in place

But with all of this in place, you still have to ask what would happen tomorrow. In the same survey, 73% said their organisation would not be fully ready to withstand a significant cyberattack without disruption.

Fewer than 40% rated any core response element as highly effective. Tabletop exercises came in at 32%, documented plans at 33%, digital forensics at 33%, and defined roles and escalation paths at 34%.

Then there’s a report on digital resilience from Economist Impact, commissioned by Telstra. In this one, only 23% of organisations said their disruption response went mostly to plan, and only 12% of executives expressed confidence in their teams’ ability to adapt during system outages. 

Organisations have tooling and investment in place, but using them to deliver a response under pressure is a leap that many don’t quite manage.

The weak point lives between functions, partners, and systems 

Both reports push the discussion beyond tooling. Sygnia found that 90% of respondents expect difficulty coordinating stakeholders during a significant incident, 89% cite limited executive or board involvement in readiness and decision-making, and 75% say delays or uncertainty around legal and communications teams slow decisions during cyber incidents.

Economist Impact describes the same issues in a different way. In 47% of organisations, digital resilience sits with a single function, usually IT or security. That leaves a lot of operational ground uncovered when the issue spreads across the business.

And incidents do spread. Economist Impact found that:

  • 92% of organisations faced cyber-related threats in the past year
  • 63% faced internal failures
  • 62% experienced external outages 

Sygnia adds the visibility problem: 78% say blind spots increase the risk of persistent attacker access and repeat incidents, while 84% are concerned about attackers crossing from corporate IT into OT/ICS environments.

This is where incident response readiness turns into an ecosystem question. The event might begin in one part of the estate, then move across cloud, SaaS, endpoints, operational technology, third parties, leadership channels and customer operations.

So connected ecosystems deserve a bigger role in readiness planning

The strongest link between these two reports is in external dependency. Economist Impact found that only 12% of organisations have first-hand insight into suppliers’ resilience. That is a striking number. It suggests many firms understand their own controls far better than the resilience of the partners and providers wrapped around their critical services.

Sygnia reaches a compatible finding from the incident side. Visibility gaps are expected across public cloud, on-premise systems, endpoints, OT/ICS and SaaS, each cited by 89% or 90% of respondents as areas where detection or investigation could slow during a major cyberattack. The report also found that 79% agree non-vendor-agnostic IR providers could leave critical risks unaddressed, and 65% are likely to consider switching providers at contract end. 

We’re pulling in a lot of stats here, but the message is pretty straightforward. Readiness improves when organisations connect the people, partners and environments involved in response before a crisis begins.

What can CISOs take from this? 

A connected ecosystem is an operating model choice. It requires:

  • Board-level involvement
  • Defined decision rights
  • Legal and communications alignment
  • Joint exercises
  • Better visibility across hybrid environments
  • Closer resilience work with strategic suppliers and response partners

Investment is continuing. Sygnia found that 85% plan additional spending on continuous threat monitoring and 81% on 24/7 monitoring or MDR over the next 12 months. Even so, both reports suggest the next gains will come from coordinated execution across the wider ecosystem around the organisation.

Incident response readiness holds up best when the business, its partners, and its providers are prepared to move together.

Join us for Black Hat MEA in Riyadh (1–3 December 2026) to build stronger relationships with everyone in your ecosystem.
