When it comes to cybersecurity, spending more doesn’t always mean being safer. We sat down with ASI’s Security Specialist, Zach Amos, to unpack why and how organisations can finally close the security gap.

The industry has it backwards

I’ve spent years working with organisations that are investing heavily in cybersecurity, yet many remain exposed. Based on our recent Growth and Resiliency 2025 report, which surveyed over 500 Australian organisations, there were three critical gaps that leave enterprises vulnerable despite increased security spending.

Nearly half of organisations admit they’re unprepared for today’s threat landscape, despite 50% increasing their security budgets.

This paradox tells me one thing: the industry has it backwards.

Too often, organisations focus on tools over outcomes. Buying more products doesn’t guarantee protection. True resilience begins with understanding your actual security posture and attack surfaces through a cybersecurity posture assessment. Without that baseline, spending is little more than guesswork.

Why security budget increases don’t improve cyber resilience

When I sit down with IT leaders, many tell me the same story: “We’ve invested in next-gen firewalls, endpoint detection, and cloud security, but we still don’t feel secure.” And they’re right to feel that way.

Research from our Growth and Resiliency 2025 report shows that only around 60% of organisations rate themselves at a maturity level of four or five out of five. In other words, almost half remain vulnerable despite higher spend.

And with phishing and credential theft ranking among the most feared threats, it’s clear that technology alone isn’t solving the problem.

When I see that 23% of organisations need more than 24 hours to recover, but 85% can only tolerate 12 hours of downtime, I know exactly where the problem lies: untested recovery processes.

This is why a security posture assessment must span people, processes, and technology together. Ignore or undervalue one, and you hand attackers an entry point.

Zach’s Assessment-first approach to cybersecurity strategy

So, what’s the alternative? I call it the Assessment-first philosophy:

  1.  Baseline: Establish a clear view of your current environment, controls, and vulnerabilities.
  2.  Identify gaps: Highlight the weaknesses across people, process, and technology.
  3.  Targeted investment: Prioritise spend on areas that close the highest-risk gaps.
  4.  Measure: Continuously test and adapt to ensure improvements stick.

At ASI, we’ve seen this approach transform outcomes. For example, one mid-sized enterprise we assessed had invested heavily in advanced monitoring tools. But our review uncovered that their recovery processes were untested. In a simulated incident, they discovered it would take them days, not hours, to restore operations. The fix wasn’t another tool; it was strengthening their processes and running real-world recovery exercises.

85% of organisations say they could only tolerate a critical data outage for less than 12 hours

This isn’t unique. Across the research, 85% of organisations said they could tolerate less than 12 hours of restricted access to critical data, but nearly a quarter admitted recovery would take longer than 24 hours. Without a cybersecurity assessment or baseline assessment, these gaps remain invisible until it’s too late.

The lesson: assessment guides smarter, more impactful investments. Without it, you’re throwing darts in the dark.

Beyond compliance checklists: Why a cybersecurity risk assessment matters

Too many organisations treat assessments as tick-box exercises. A vendor hands over a compliance checklist, and once the boxes are ticked, everyone assumes they’re safe. That’s a dangerous illusion.

A comprehensive cybersecurity risk assessment must go deeper. It’s about:

  • People: Are staff trained, empowered, and engaged as your frontline defenders? Social engineering remains one of the top causes of breaches.
  • Processes: Do you have tested incident response and disaster recovery plans? Can you restore systems in hours, not days?
  • Technology: Are your tools configured properly, patched regularly, and monitored effectively? Even advanced tools fail if the basics aren’t done.

The research highlights that government organisations show higher maturity in identity access management and posture management tools, while commercial sectors lag in recovery timelines.

That’s why it’s not enough to buy the tools — maturity requires alignment across people, processes, and technology.

When we conduct a security posture assessment, we always look for “low-hanging fruit” — the simple misconfigurations, untested processes, or gaps in training that attackers are most likely to exploit. Addressing these first delivers rapid resilience improvements without ballooning costs.

Why delaying assessment costs 3x more than prevention

If there’s one rule I share with every boardroom, it’s this: recovery costs are usually three times higher than initial prevention investment.

Think about the major breaches you’ve read about in the headlines. The financial and reputational damage often dwarfs what proactive investment would have cost. I’ve worked with organisations that hesitated to invest in proactive controls, only to later spend far more cleaning up after a ransomware incident — not to mention regulatory fines and reputational fallout.

It is wiser to invest in prevention than cure… and generally always cheaper.

Signs you need a cybersecurity assessment

Here are the red flags I see most often when an organisation is overdue for a security posture assessment, or cyber risk assessment:

  • You haven’t run a disaster recovery or incident response test in the past 12 months
  • Your security budget has grown, but you’re unsure what outcomes it’s delivering
  • MFA is still optional or inconsistently applied
  • Employees see cybersecurity as “IT’s problem,” not their responsibility
  • You rely on compliance audits as your only form of assessment
  • Recovery times are assumed, not tested
  • You’ve invested in new tools but haven’t measured if they close real gaps.

If any of this sounds familiar, it’s time to get serious about understanding your true security posture.

Ready to understand your real security posture?

Security isn’t about how much you spend; it’s about spending in the right places. And you can’t know the right places without first assessing your current state. Findings from ASI’s Growth and Resiliency 2025 report are clear: throwing more budget at tools won’t close the maturity gap. A deliberate, assessment-first approach will.

As threats evolve and budgets tighten, organisations that build resilience through people, processes, and technology will pull ahead. The rest risk being tomorrow’s headline.

If you’re noticing signs that you need a cybersecurity assessment, now is the time to act. Is your organisation ready to find out where it really stands?

Zach Amos

Security Service Manager
