Only 31% of Critical Infrastructure Orgs Prioritize Patching Within 3 Days vs 69% in Tech, New Onyxia Cyber Study Finds
New survey report exposes wide gaps in cyber resilience standards across critical infrastructure, healthcare, financial services, retail, and technology.
What this research makes clear is that acceptable risk isn't universal — the variation across sectors is striking, and those discrepancies have real consequences.”
NEW YORK, NY, UNITED STATES, July 15, 2026 /EINPresswire.com/ -- Onyxia Cyber, the industry-leading Operational Cyber Resilience platform, today unveiled its third annual CISO research report, "Industry Divides: Uncovering the CISO's Resilience Priorities Across Sectors." Based on a survey of 300 Chief Information Security Officers across financial services, healthcare, critical infrastructure, technology, and retail, the report exposes a stark reality: there is no single industry standard for cyber resilience.— Sivan Tehila, CEO & Founder of Onyxia Cyber
What one sector treats as an unacceptable level of risk, another quietly accepts as routine. And most security leaders have no reliable way to know where they stand.
Nowhere is this divide more apparent than in patch management, one of the most fundamental measures of cyber hygiene. Just 31.3% of Critical Infrastructure organizations target resolving critical vulnerabilities within three days, compared to 61.4% in Financial Services and 69.0% in IT & Technology. The gap between the highest- and lowest-performing sectors represents more than a two-to-one difference on the same threat.
"What this research makes clear is that acceptable risk isn't universal — the variation across sectors is striking, and those discrepancies have real consequences," said Sivan Tehila, Founder and CEO of Onyxia Cyber. "Security leaders need cross-domain, context-aware data to benchmark their programs continuously, not just against their own industry, but against the full picture of what good looks like elsewhere — that's what proactive operational cyber resilience actually requires."
Additional key findings include:
- Healthcare's compounding exposure: Healthcare organizations reported the highest phishing click-through rate at 5.53%, nearly double the 3.13% reported by Financial Services organizations. Healthcare also reported the highest percentage of inactive privileged accounts at 3.42%, a significant access risk as HIPAA Security Rule compliance deadlines approach.
- Financial Services sets the gold standard on hygiene, but not everywhere: Financial Services organizations reported the lowest rate of unmanaged devices (1.76%) and the lowest percentage of inactive privileged accounts (1.05%) of any sector. Yet even the top performer has blind spots: Financial Services also reported the highest acceptable SOC false-positive rate at 13.23%, compared to 7.23% in Healthcare, nearly double, and a sign that even mature programs can normalize the noise.
- Technology sets the highest human-layer expectations: IT & Technology organizations reported the highest phishing reporting expectations, with employees expected to report 86.71% of phishing emails, compared to 76.02% in Critical Infrastructure. The gap reflects dramatically different assumptions about workforce security culture across sectors.
- Critical Infrastructure's identity blind spot: Critical Infrastructure is a sector surveyed where zero CISOs report that organizations in their industry demand 100% MFA coverage for user accounts. By contrast, 35% of financial services CISOs hold to that standard. For a sector responsible for power grids, water systems, and transportation networks, the absence of any expectation of complete MFA enforcement represents a significant and systemic vulnerability.
- Retail's compliance gap: solid technical controls, exposed identity layer. Retail & eCommerce organizations patch 62% of critical vulnerabilities within three days, reflecting years of PCI-DSS pressure. But the same compliance framework has not closed the identity risk gap: Retail's MFA coverage gap of 3.72% is more than double the financial services benchmark, and its average phishing simulation reporting rate is 78.9%, the second lowest in the survey.
The data points to a consistent theme: the organizations best positioned to weather the next generation of threats are those that have set measurable resilience targets, benchmark themselves against peers, and treat acceptable risk as a deliberate decision rather than a default.
The full report is available for download at: www.onyxia.io/whitepapers/industry-divides-ciso-report
About Onyxia Cyber
Onyxia Cyber is the Operational Cyber Resilience Platform that transforms security data and asset intelligence into action. Powered by agentic AI and a cross-domain data fabric, the platform enables security teams to proactively identify and mitigate risk, strengthen security strategies, and improve operational efficiency, before exposures become critical. Onyxia is trusted by industry leaders and Fortune 500 companies across multiple sectors and partners with leading technology providers. Learn more at: www.onyxia.io.
Angelique Faul
Silver Jacket Communications
+1 513-633-0897
angelique@silverjacket.net
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
