TL;DR: 96% of organisations have a cyber crisis response plan, yet over 70% still experienced at least one high-impact cyber event in the past 12 months, underscoring a gap between documented readiness and operational resilience, according to Semperis. The governance problem is no longer whether a plan exists, but whether it survives real incident pressure and audit scrutiny.
NHIMG editorial — based on content published by Semperis: partnership with CGS CyberDefense to improve crisis response and audit-ready compliance
By the numbers:
- 96% of organizations have a cyber crisis response plan, while over 70% experienced at least one high-impact cyber event in the past 12 months.
Questions worth separating out
Q: How should organizations prepare identity response plans for a cyber crisis?
A: They should define incident ownership, approval authority, evidence capture, and recovery sequencing before the event occurs.
Q: Why do identity incidents create audit and compliance problems so quickly?
A: Because access changes, recovery actions, and privilege decisions happen under pressure and often across multiple tools.
Q: What do security teams get wrong about cyber crisis readiness?
A: They often treat readiness as a document rather than an operational capability.
Practitioner guidance
- Map identity incident ownership across security, IAM, and GRC. Define who approves access changes, who preserves evidence, and who signs off on recovery decisions before a crisis begins.
- Test recovery plans against identity-specific failure modes. Run exercises for Active Directory outage, privileged account compromise, and access recovery loss.
- Build audit-ready evidence collection into response workflows. Capture privileged actions, change approvals, and recovery timestamps as part of the incident process.
What's in the full analysis
Semperis's full post covers the operational detail this post intentionally leaves for the source:
- The Ready1 and CGS CyberDefense partnership scope and how the combined workflow is positioned for crisis coordination.
- Semperis's breakdown of the specific blockers behind response failure, including communication gaps, outdated plans, staffing shortages, and tool overload.
- The details of the readiness study the company cites for the 96% plan figure and the high-impact event rate.
- The practical framing of audit defensibility and regulatory-ready reporting in identity-led incident response.
Crisis readiness and GRC: what this partnership means for IAM teams?
Explore further
Crisis readiness is an identity governance problem before it becomes an operations problem. The source article is describing more than response tooling. It exposes the fact that identity incidents fail where governance, escalation authority, and evidence handling are not pre-wired into the response model. Practitioners should treat crisis readiness as a control design issue, not a communications exercise.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
A question worth separating out:
Q: Who should own identity recovery when an outage affects privileged access?
A: Ownership should sit with the teams that can coordinate security, IAM, and compliance actions in sequence, not with a single tool owner. Privileged access recovery changes both service availability and control evidence, so the accountable group must be able to move across those concerns without delay.