Critical Infrastructure Cybersecurity: How Leaders Can Prepare

Critical Infrastructure Cybersecurity: How To Build Real Readiness

Cyberattack readiness can’t be proven on paper. From crisis authority to realistic exercises, members of the Senior Executive Cybersecurity Think Tank share practical ways leaders can strengthen preparedness before critical systems are tested.

by Cybersecurity Editorial Team on June 16, 2026

Critical infrastructure is where cyber risk stops being abstract. When power grids, water systems, transportation networks, hospitals or financial systems are disrupted, the fallout isn’t limited to one company’s operations or balance sheet. It can affect public safety, economic stability and trust in the systems people rely on every day.

That’s why a recent World Economic Forum survey should get leaders’ attention: 31% of global CEOs lack confidence that their country could respond effectively to a major cyberattack on critical infrastructure. But that lack of confidence may not reflect doubts about governments’ readiness alone. Many leaders may also be recognizing security gaps closer to home, from aging systems and complex vendor networks to crisis plans that haven’t been tested under real pressure. In a recent survey of senior leaders, 48% said the potential emergency they felt least prepared for was a cybersecurity crisis. 

Preparedness requires much more than policy statements, compliance checklists or well-intentioned plans stored in a shared drive. Leaders across industries and nations need a clearer understanding of how decisions will be made, who will act first and how organizations, sector partners and public agencies will coordinate when minutes matter.

Members of the Senior Executive Cybersecurity Think Tank have deep expertise in enterprise cybersecurity strategies, risk management and modern security architecture. Below, seven of them share what’s driving leaders’ declining confidence in cyber resilience and what practical steps could strengthen preparedness at both organizational and national levels.

Name Critical Dependencies Before a Crisis Hits

Maman Ibrahim, Founder of Ginkgo Resilience LTD, is unsurprised by leaders’ lack of confidence. He says aging, complex networks combined with global instability are a recipe for anxiety.

“Confidence erodes because critical infrastructure is now a patchwork of legacy tech, outsourced services and shared dependencies,” Ibrahim says. “Then add geopolitical tension, fragile supply chains and unclear decision rights during crises. Many leaders sense that ‘plans exist,’ but they haven’t been stress-tested with real operators.”

That’s a key distinction for executives. Having a plan isn’t the same as knowing whether the plan will hold when essential systems, vendors, regulators and communications teams all have to move at once. For Ibrahim, better preparedness starts with identifying what absolutely must keep running and building real response capability around those priorities.

“Several strategies would help,” he says. “First, name the crown jewel services and set measurable recovery targets. Run joint exercises that include vendors, regulators and comms leads. Fund visibility, segmentation and tested failover.”

At the national level, Ibrahim stresses that the work has to extend beyond individual organizations.

“Nationally, tighten public–private coordination, share threat intel fast, and rehearse cross-sector mutual aid so response isn’t improvised under fire.”

Clarify Who Can Act in the First Minutes

Pavel Mishchenko is a Manager of Security and IT Infrastructure Systems for large-scale critical infrastructure projects. He says the trust problem isn’t mainly about missing or outdated tools.

“The loss of CEO confidence is not driven by a lack of technology but by the fact that responsibility for the consequences of an attack no longer matches the actual levers of control,” he says.

That mismatch becomes especially dangerous in critical infrastructure, where no one organization may control the full chain of systems, providers and decisions.

“Critical infrastructure today is distributed across governments, contractors and cloud providers, with no single entity having full end-to-end control of the system,” Mishchenko says. “In a crisis, decisions must be made at a speed that current governance models are not designed to support.”

Leading agencies, including NIST, place governance at the center of cybersecurity risk management. But recognition of its importance isn’t enough; resilience depends on whether authority, accountability and decision-making rights are clear before an incident begins.

“Improving readiness cannot be achieved through new plans alone,” Mishchenko says. “It requires a restructuring of accountability frameworks: clearly defining who makes decisions and at what level during the first minutes of an incident. The right to autonomous response must be assigned in advance to specific roles rather than institutions. It is also critical to reduce decision-making chains to a minimum in high-risk scenarios.”

Run the Playbook Before It Counts

Boyd Clewis, CEO of Genesis Security and Compliance, says many leaders discover too late that their response process has never been tested under conditions that resemble a real incident.

“The confidence gap is real because most leaders have never actually run the playbook,” Clewis says. “They’ve seen it in a tabletop, signed off on a policy and assumed alignment equals readiness. When the call comes at 2 a.m., they realize nobody knows who has authority to take systems offline, who talks to regulators or how to pay an extortion demand if it comes to that.”

The takeaway for senior leaders is blunt: A plan that hasn’t been practiced may create a false sense of readiness. Tabletop exercises have value, and resources such as CISA’s Tabletop Exercise Packages can help organizations structure effective training, but Clewis argues that leaders must go further.

“There are practical steps we can take,” he says. “Run live failover drills against production, not slide decks. Prenegotiate with incident response retainers, legal counsel and your cyber insurance carrier. Build muscle memory at the executive level, because the first four hours of a real incident are decided by who’s made the hard calls in advance.”

Practice the Hard Calls Under Pressure

Arun Kumar Elengovan, Director of Security Engineering at Okta Inc., says cyberthreats are moving faster than many response models were designed to handle. That gap is especially clear when organizations and governments treat cyber incidents as narrow technology problems instead of operational crises.

“Cyber threats have evolved into fast-moving, AI-powered operations combined with physical disruptions and geopolitical tensions, yet most organizations and governments still treat them as isolated IT problems,” Elengovan says. “Plans exist on paper, but real incidents expose slow decision-making, unclear authority and teams that have never practiced under pressure.”

For Elengovan, building confidence requires cross-functional training. Leaders need to rehearse the moments that are most likely to create hesitation, confusion or delays.

“What actually moves the needle is relentless, realistic practice,” he says. “At the organizational level, run full-scale simulations that include executives making tough live calls like isolating systems, talking to regulators and handling ransom demands. Update plans every year with current stakeholders.”

Preparedness also depends on stronger information flow across the public and private sectors. Elengovan emphasizes the need for active collaboration.

“Nationally, we need trusted real-time fusion centers where industry and government run joint exercises together, not just share reports,” he says. “When people practice the hard parts together under stress, confidence is born.”

Treat Cyberattacks as Businesswide Shocks

David Etue, Chief Strategy Officer at Cyberbit, says CEO concern is not misplaced. The threat environment is growing more complex, and many organizations still aren’t treating cyber resilience as a business-critical priority.

“The erosion in CEO confidence is rational: A threat landscape defined by geopolitical friction and AI-enabled attackers is colliding with aging infrastructure, opaque supply chains and overstretched security teams,” Etue says. “CEOs increasingly see that a major cyber event can be a systemic economic shock, yet most organizations and countries still treat it as a technical problem.”

Many view cybersecurity solely as the purview of the IT team. But if a cyberattack can disrupt revenue, operations, public trust or national services, then preparedness has to be embedded into business and mission planning.

“At the organizational level, that means aligning security to revenue- and mission-critical processes, not bolting it on after the fact; running realistic cross-functional crisis exercises; and building industry, law-enforcement and government relationships,” Etue says.

At a broader level, Etue says preparedness depends on operational collaboration that reflects the way modern attacks actually unfold.

“Nationally, we need real-time operational collaboration with industry, co-developed playbooks and joint exercises that assume adversaries will blend cyber, physical and information operations across sectors.”

Keep Incident Response Plans Current

Antonio Sanchez, Chief Strategy Officer at Quantum XChange, says one reason confidence is slipping is that many organizations don’t really know whether their incident response plans actually work.

“The erosion of confidence is real for multiple reasons,” Sanchez says. “One is that organizations don’t test their incident response plans to understand where there may be broken processes that would hinder their ability to get back to baseline.”

He explains that a lack of testing is only part of the problem. A “set it and forget it” strategy could leave organizations scrambling.

“Another reason for leaders’ uncertainty is a failure to update incident response plans,” Sanchez says. “A plan that is a few years old has named stakeholders who may not be the correct stakeholders anymore. This could be due to departmental job change or separation from the organization. An incident response plan needs to have an owner and an executive sponsor and should be updated at least once a year.”

Go Beyond Tabletop Exercises

Bhavya Bhandari, Cybersecurity Risk Management Leader, Financial Services at Ernst & Young US LLP, says the problem isn’t that leaders are unaware of cyber risk. It’s that their response plans may not survive contact with a real crisis.

“Leaders are losing confidence because cyber plans do not always hold up for real incident scenarios,” Bhandari says. “Attacks are sophisticated and complex, but response activities continue to be fragmented across teams.”

That fragmentation can turn a technical compromise into a broader business disruption. Security, legal, communications, operations, finance and executive teams all have roles to play, but those roles have to be tested in realistic conditions.

“Instilling confidence requires doing simulation exercises to test crisis plans,” Bhandari says. “Leaders can’t just rely on tabletop exercises.”

Strengthen Cyber Resilience Before the Pressure Hits

  • Identify the services that matter most. Leaders should define their “crown jewel” services, set measurable recovery targets and ensure the systems supporting them have been tested for visibility, segmentation and failover.
  • Assign crisis authority before an incident begins. When cyberattacks move quickly, organizations can’t afford long decision chains or confusion over who has the power to act.
  • Practice the playbook in realistic conditions. Executives, legal teams, communications leaders, insurers and incident response partners should rehearse tough decisions before a developing crisis makes them unavoidable.
  • Treat cyber resilience as a business and national stability issue. A major cyberattack can disrupt revenue, operations, public trust and essential services, so preparedness must extend well beyond IT teams.
  • Run simulations that force hard decisions. Full-scale exercises should require leaders to make live calls about system isolation, regulator communications, ransom scenarios and cross-functional coordination.
  • Keep incident response plans current. Plans need a clear owner, an executive sponsor and regular updates so they reflect today’s systems, stakeholders and business realities.
  • Move beyond fragmented tabletop exercises. Tabletop planning can be useful, but leaders also need simulations that test whether crisis plans hold up across teams during realistic incident scenarios.

Building Confidence Through Action

Leaders’ declining confidence in critical infrastructure cybersecurity reflects a clear reality: Preparedness can’t be assumed, delegated or proven on paper. Stronger resilience depends on knowing which services must be protected first, clarifying who can make urgent decisions and repeatedly testing how people, systems and partners will perform under pressure.

As cyberthreats become faster, more coordinated and more disruptive, the organizations and government entities best positioned to respond won’t be the ones with the most polished policy statements. They’ll be the ones that have already practiced the hard parts, exposed weak points and built the trusted relationships needed to act decisively when a real crisis begins.

Category: Cybersecurity