Life sciences and health care CISO survey: Risk is rising. Is readiness?

98% have a response plan. 95% test them regularly.

Cyber resilience has decisively shifted from theory to practice.

An overwhelming number of organizations surveyed now have an incident response plan in place, and 95% say that they test theirs on a regular, defined schedule—at least annually, bi-annually, or quarterly. Only a small minority rely solely on informal or ad hoc testing.

This signals real, widespread momentum toward operational resilience, indicating that cyber readiness is evolving from a paper exercise to an ongoing practice.

As more organizations move from planning to testing, cyber defense becomes less about reacting and more about proactive protection.

89% are tired of the compliance maze.

Many respondents show a strong desire for a universal regulatory framework—at least in one way, shape, or form. 39% say they strongly agree and 50% say they partially agree, leaving only 11% with an opposing opinion.

Navigating a patchwork of rules is a compliance burden—and a distraction from real security.

The desire for regulatory harmonization is clear, with 89% agreeing on the desirability of a rationalized, universally accepted set of requirements.

Getting involved in industry groups and advocating for unity can help drive meaningful change.

Tech + automation top the list of cyber cost optimization strategies

Survey responses reveal a clear trend: organizations are turning first to technology rationalization (69%) and automation (67%), making them the top two optimization strategies.

This signals a decisive shift toward simplifying tech stacks and leveraging automated capabilities to strengthen cybersecurity performance while reducing spend.

Close behind, organizations are also prioritizing labor sourcing and workforce optimization (59%) and vendor or third-party consolidation (54%). These approaches likely indicate that organizations’ are working to streamline operations, improve efficiency, and reduce dependency on complex vendor ecosystems.

3 in 5 say application security is one of their biggest skill gaps.

67% of executives cite application security as a talent need, making it the most commonly identified cybersecurity skill gap among surveyed leaders.

More than half—56%—also say they lack sufficient identity and access management (IAM) expertise, while data security (48%) and infrastructure (46%) round out the leading gaps.

As digital doors multiply, keeping the right people in—and the wrong ones out—has never been more complex.

The acute shortage of application security and IAM expertise threatens to become the Achilles’ heel of many organizations. Investing in both application security and IAM talent and technology is no longer optional; it’s an urgent imperative for safeguarding your digital assets and maintaining resilience as cyber risks evolve.

6 in 10 organizations outsource or co-source their SOC, making it cyber’s most commonly outsourced function

SOC is the most frequently outsourced or co-sourced cybersecurity function, with 61% of respondents indicating they rely on external partners for some or all SOC responsibilities.

This underscores the ongoing need for scalable threat monitoring and access to specialized support as cyber risks intensify.

Organizations use a broad mix of methods to evaluate SOC performance, with penetration testing (68%) and breach-and-attack simulations (65%) emerging as the most widely adopted.

Together, these findings point to a cybersecurity landscape where organizations increasingly blend external specialized support with rigorous, real-world testing to keep pace with evolving threats.