Are cyber pros fooling themselves with skills development?


Cybersecurity teams have never been more confident in their ability to respond to a major incident. Boards are engaged, training programs are expanding, and investment continues to rise.

On the surface, this looks like progress. However, that confidence can be misleading.

Dan Potter

VP of Cyber Resilience at Immersive.

Our benchmark data shows that while 94% of organizations believe they would be effective in a cyber incident, actual decision-making accuracy drops drastically in a crisis situation. During breach exercises, decision makers are making the right calls just 22% of the time on average, with incidents taking hours to contain.


The gap between confidence and capability isn’t down to a lack of effort, but misjudged focus. With the wrong direction and metrics for success, skills development often builds confidence faster than it builds real readiness.

When confidence outpaces capability

The gap between perception and performance is widening. Despite more training exercises being completed and stronger involvement from the executive layer, we’re barely seeing a shift in the indicators that matter most. Decision-making accuracy, response times, and resilience scores remain largely flat, even as confidence grows.

Part of the problem is how progress is measured. Many organizations track what is easy to track, such as completion rates or attendance. However, programs can be active and well-attended but not necessarily aligned to the threats that need the most attention.

Immersive’s data shows that 36% of completed labs focus on fundamental skills. While the basics matter, staying at that level limits progression. Teams can complete exercises successfully without ever being pushed into more complex, realistic scenarios.

Connected to this is a tendency to focus on familiar or outdated threats, particularly the early stages of an attack. Over time, this creates a model where success is measured more by completion than by challenge.

Focusing on foundations and familiarity also means development programs don’t fully assess how teams perform under pressure. Activities like phishing simulations and annual training sessions tend to take place in calm, controlled environments – nothing like the unpredictable chaos, pressure and anxiety of a real incident.

As a result, participants fail to develop the essential muscle memory they need to react to a crisis and make snap decisions with a cool head.

The result is visibility without validation: dashboards that look reassuring but don’t reflect how teams respond when something goes wrong.

Beware the Dunning-Kruger effect

This situation is a well-worn psychological issue in many walks of life. Psychologists call it the Dunning-Kruger effect – the tendency for people to overestimate their ability when they have limited exposure to a complex area. It’s a risky mindset in most circumstances, but especially unhelpful when facing a cyber crisis.

When teams spend most of their time on foundational tasks, they build familiarity and confidence, but not depth. Combined with metrics that reward completion, this creates a feedback loop where confidence rises while capability stalls.

The result is the trend we’re seeing in our benchmarking data, with high confidence in cyber response capabilities sitting alongside low decision-making accuracy when skills are tested in crisis simulations.

Many organizations that have invested considerable capital and time into cyber skills development are in for a rude awakening when an attack hits and the pressure is on.

Why experience alone is no longer enough

All of these issues add up to a hamstrung cyber response. Processes are slow and disjointed, and decision makers lack the confidence to act decisively.

This isn’t just a front-line issue either. In many organizations, the gap is more pronounced at the top.

We’re seeing a move away from uncertainty and towards more familiar training scenarios.

For example, our data shows participation by senior staff in AI-focused scenario labs has fallen by 14% year on year, even as concerns about AI-powered threats are dominating the cybersecurity agenda.

Awareness is increasing, but engagement with more advanced training is not. Any level of engagement and experience is better than none, but it has to evolve to stay useful.

Today’s attacks are more complex, less predictable, and often driven by new technologies. Without exposure to those scenarios, even experienced teams can struggle when incidents don’t follow familiar patterns.

Making the change from activity to capability

Closing this gap requires enterprises to be honest about their level of skill development and cyber readiness. Rather than feel-good metrics and ‘participation trophies’ for simply completing modules, companies need to ask themselves some tough questions.

Are their teams and processes ready to contain a threat? Can their leaders keep a cool head and call the right shots in a crisis? How long does it take to make a decision, let alone put it into action?

The goal isn’t more activity, but making sure that activity builds stronger capabilities. That starts with measuring the right things. Decision accuracy, response speed, and containment time give a far clearer view of readiness than completion rates ever will.

Training also needs to reflect real conditions. High-pressure simulations help teams understand how they actually perform, not just what they know. Data can be analyzed at a granular level to understand the performance of departments, teams and individuals.

Poor results in these scenarios are not failures, but useful signals of where improvement is needed.

Development plans and future exercises can then be tailored to match.

Programs should also build progressively, moving from foundational skills into more complex, adversary-led scenarios. Regular practice, with increasing difficulty, helps develop the consistency needed in a real incident.

Confidence is not a control

Confidence is valuable, but it is not a measure of cyber readiness. When training prioritizes familiarity and metrics focus on activity, organizations risk building a sense of assurance that won’t hold up when it matters most.

Teams may feel prepared, but struggle when faced with the pressure and complexity of a real attack.

Improving resilience means changing how success is defined. It’s not about how much training is completed, but how teams perform when it matters. Only by focusing on real threats and testing capability under realistic conditions can organizations ensure their confidence is justified.


This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/pro/perspectives-how-to-submit


Dan Potter is Senior Director Operational Resilience at Immersive.
