With the attack surface continuing to expand through advances in AI, connected devices and cloud technologies, and with the regulatory environment in constant flux, achieving cyber resilience at an enterprise level is critical.
Yet despite widespread awareness of the challenges, significant gaps persist. To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration.
PwC’s 2025 Global Digital Trust Insights survey of 4,042 business and tech executives from across 77 countries revealed significant gaps companies must bridge before achieving cyber resilience.
All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience. By addressing these gaps and making cybersecurity a business priority, leaders can build a more secure future. CISOs can help drive this outcome by sharing tech-enabled insights and by explaining cyber priorities in business terms (cost, opportunity, risk).
As the cybersecurity landscape continues to evolve, organisations are struggling with increasingly volatile and unpredictable threats. An expanding attack surface, spurred by growing reliance on cloud, AI, connected devices and third parties, demands an agile, enterprise-wide approach to resilience. Aligning organisational priorities and readiness is essential for maintaining security and business continuity.
What worries organisations most is what they’re least prepared for. The four cyber threats executives find most concerning (cloud-related threats, hack-and-leak operations, third-party breaches and attacks on connected products) are the same ones security leaders feel least prepared to address. This gap highlights the urgent need for better-targeted investment and stronger response capabilities.
“Don’t stop short on your journey for cybersecurity and resilience. Criminals and nation-state actors are becoming expert at finding unprotected seams: weak identity and access controls, unpatched devices and security misconfigurations.”
Underscore to the rest of the C-suite the threats that jeopardise the business most, especially if investment efforts need to be shifted.
Based on conversations with risk executives, gauge how specific threats can damage information and infrastructure security at large, and which threats pose the biggest challenge to resilience.
Gain deeper insight from the CISO and CRO on the most critical cyber management and investment priorities.
Meet regularly with the CRO and CISO to understand the threat vectors they’re most concerned about. Make sure you’re receiving regular reporting on current threat mitigation efforts.
Understand the top cyber risks to the organisation and ask the tough questions of management. How are risks being mitigated? Do we have adequate plans and funding in place to proactively address risks and respond should an event occur?
While the rapid advancement of generative AI (GenAI) is ushering in new opportunities across industries, it also presents cybersecurity risks. As organisations adopt GenAI and other emerging technologies, the C-suite should navigate more complex and unpredictable attack vectors, integration challenges and the dual-edged nature of GenAI in both cyber defence and offence.
“Cybersecurity is predominantly a data science problem. It’s becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to get closer to the data to drive timely and actionable insights that matter the most.”
Although GenAI is increasing the cyber risk attack surface for most organisations, executives are also using that same technology for cyber defence. The top three ways they’re leveraging GenAI include threat detection and response, threat intelligence and malware/phishing detection.
Help to drive standardisation across the technology estate so that AI can be integrated consistently. Enforce access rights on a user-by-user basis to make probable attack vectors easier to identify.
Develop an AI impact assessment to educate business executives on where investment and implementation makes the most sense. Prepare your platforms for scalability as GenAI use grows.
Work with the CISO on prioritising the security and confidentiality of financial data.
Enhance data governance protocols and assess any data privacy risks against privacy laws and regulator guidance.
Collaborate with other risk and compliance teams to guard against improper secondary uses of data and potential legal exposure.
Regulatory frameworks are asking companies to comply swiftly with a growing array of requirements. A surge of new regulations (DORA, the Cyber Resilience Act, the AI Act, CIRCIA, the Singapore Cybersecurity Act and others) underscores the urgency for organisations to align their practices with these heightened expectations. Addressing these challenges is essential to building a resilient and compliant cybersecurity posture that can withstand both regulatory scrutiny and emerging threats.
Despite the belief that cyber regulations are helping the organisation, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations.
The biggest gaps involve compliance with AI, resilience and critical infrastructure requirements. CISOs, who are on the front lines of cybersecurity, are less optimistic than CEOs about their organisation’s ability to meet these regulatory requirements.
Deliver frequent reporting to executive leaders on the state of regulations that directly impact respective industry or territory needs, and work towards implementing technology and regulatory change management processes.
Verify the accuracy, completeness and defensibility of all regulatory disclosures of cyber risk management and program posture. Develop a clear understanding of materiality and the specific impact of a cyber incident, incorporating cyber risk quantification to accurately assess and communicate potential risks.
Understand oversight responsibilities to guide compliance efforts, including any necessary coordination between different business units. Identify key questions to ask CISOs to close any knowledge gaps on compliance posture.
Stay abreast of regulatory compliance requirements and collaborate with the CISO and CRO to incorporate proactive compliance measures and monitoring to periodically confirm compliance.
Determine the right amount of disclosure details needed to fulfill cyber program reporting obligations, striking a balance between transparency and confidentiality.
Stay abreast of emerging regulatory requirements and seek input from management on proactive measures being taken to prepare for new requirements. Understand management’s approach to assessing and disclosing cyber incidents.
As cyber threats rapidly evolve in scope and sophistication, cyber risk quantification has become a critical tool that organisations can’t afford to overlook. However, despite its widely acknowledged benefits, several challenges (data quality issues, output reliability, etc.) have impeded broader adoption.
While executives largely agree that measuring cyber risk is crucial for prioritising cyber risk investments (88%) and allocating resources to areas of highest risk (87%), only 15% of organisations are actually doing it to a significant extent (e.g., extensive cyber risk quantification with automation and extensive reporting).
Consider starting small with a specific output in mind. Leverage the information you already have within your organisation (e.g., controls effectiveness, maturity, incident or loss data). New tools can help with risk quantification but aren't a requirement: define your program first, then look for enabling technologies to support what you've designed.
Show C-suite executives the most impactful financial risk measurement outcomes from quantification tools and practices. These examples can help persuade leadership to prioritise and allocate the right resources to the highest areas of risk.
Work with your CISO and CRO to gain a deeper understanding of the business value of cyber risk quantification and the potential costs and missed opportunities from not measuring cyber risks.
Understand the methods your organisation currently uses to assess cyber risk. Press management on its plans to implement risk quantification more broadly to better assess and report on the company’s cyber risk posture.
As cybersecurity continues to evolve into a critical business priority, organisations are beginning to see its potential as a key differentiator and a way to enhance their reputation and trustworthiness. To prepare, many are increasing their cyber budgets with a particular focus on data protection and trust. By investing strategically in these areas, companies are not only building resilience but also positioning themselves favourably with their customers.
Over the next 12 months, organisations are prioritising data protection/trust and cloud security above other cyber investments. They understand that securing sensitive information is vital to maintaining stakeholder trust and brand integrity.
Business and tech executives rank a different list of priorities based on areas specific to their roles.
Business executives say data protection/trust is their top cyber investment priority (48%), followed by tech modernisation and optimisation (43%).
For tech executives, cloud security remains their top priority (34%), following the same trend from last year. Data protection and trust is the next priority (28%).
Organisations increasingly view cybersecurity as a key differentiator for a competitive advantage, with 57% of executives citing customer trust and 49% citing brand integrity and loyalty as areas of influence. As cyber threats escalate, a strong cybersecurity posture isn’t just about protection — it’s about building a reputation that customers and stakeholders can rely on.
“The threat landscape is increasingly unpredictable, as we’re seeing multi-vector threats to physical and digital environments. We’re investing resources toward integrated response and recovery capabilities to enhance physical security and cybersecurity. Threat actors don’t differentiate. We need to be prepared at every level with our business continuity and resilience programs.”
Translate the business case for data protection and cloud security investment priorities to CFOs based on the business value of key outcomes (e.g., reducing the time to recover mission-critical data or to patch a system).
Determine the business value of data protection and cloud security in gaining stakeholder trust, and use it to make more informed cybersecurity investment decisions.
Collaborate with tech, security and finance executives to pinpoint the most essential data security and integrity priorities to guide the information and cloud security investment strategy. Confirm data quality and readiness before increasing security investments.
From lagging resilience efforts to gaps in CISO involvement in strategic decisions, there are clear areas where strategic alignment is needed. To get there, organisations should emulate the leading cybersecurity practices of their top performing peers. They should also move beyond addressing known threats and implement an agile, secure-by-design approach to business, one that strives to build trust and lasting resilience.
“It’s the CISO’s job to contextualise and connect the threats that exist to the vulnerabilities within the organisation. That means educating people on the threats the enterprise is prepared to deal with and those it’s not ready for. With an education-forward approach, there tends to be more cooperation across the organisation.”
Despite mounting concerns about cyber risk, most businesses are struggling to fully implement cyber resilience across core practices. A review of 12 resilience actions across people, processes and technology indicates that 42% or fewer of executives believe their organisations have fully implemented any one of those actions. More concerning, only 2% say all 12 resilience actions have been implemented across their organisation. This leaves a glaring vulnerability — without enterprise-wide resilience, companies remain dangerously exposed to the increasing threats that could compromise the entire operation.
Here are just a few key areas that would benefit from cross-organisational attention.
Many organisations miss critical opportunities by not fully involving their CISOs in key initiatives. Fewer than half of executives tell us that their CISOs are largely involved in strategic planning for cyber investments, board reporting and overseeing tech deployments. This gap leaves organisations vulnerable to misaligned strategies and weaker security postures.
Make the business case to the rest of the C-suite for why it’s imperative that CISOs be involved in strategy, planning and oversight of the cyber risk mitigation and resilience strategy.
Participate in cyber resilience assessments and exercises to better understand the gaps, and the challenges CISOs might face, in integrating leading practices, standards and controls.
Stay informed and educated on cyber risk program developments, especially related to the organisation’s cyber risk and threat exposure, to meet expanding oversight and governance responsibilities.
The 2025 Global Digital Trust Insights is a survey of 4,042 business and technology leaders conducted between May and July 2024.
A quarter of leaders are from large companies with $5 billion or more in revenues. Respondents operate in a range of industries, including industrials and services (21%), tech, media, telecom (20%), financial services (19%), retail and consumer markets (17%), energy, utilities, and resources (11%), health (7%) and government and public services (4%).
Respondents are based in 77 countries. The regional breakdown is Western Europe (30%), North America (25%), Asia Pacific (18%), Latin America (12%), Central and Eastern Europe (6%), Africa (5%) and Middle East (3%).
The Global Digital Trust Insights Survey was previously known as the Global State of Information Security Survey (GSISS). Now in its 27th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.
Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US