Bridging the gaps to cyber resilience: The C-suite playbook

Findings from the 2025 Global Digital Trust Insights

With the attack surface continuing to expand through advances in AI, connected devices and cloud technologies and the regulatory environment in constant flux, achieving cyber resilience at an enterprise level is critical.

Yet despite widespread awareness of the challenges, significant gaps persist. To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration.

PwC’s 2025 Global Digital Trust Insights survey of 4,042 business and tech executives from across 77 countries revealed significant gaps companies must bridge before achieving cyber resilience.

  • Gaps in implementation of cyber resilience: Despite heightened concern about cyber risk, only 2% of executives say their company has implemented cyber resilience actions across the whole organisation in every area surveyed.
  • Gaps in preparedness: Organisations feel least prepared to address the cyber threats they find most concerning, such as cloud-related risks and third-party breaches.
  • Gaps in CISO involvement: Fewer than half of executives say their CISOs are involved to a large extent with strategic planning, board reporting and overseeing tech deployments.
  • Gaps in regulatory compliance confidence: CEOs and CISOs/CSOs have differing levels of confidence in their ability to comply with regulations, particularly regarding AI, resilience and critical infrastructure.
  • Gaps in measuring cyber risk: Although executives acknowledge the importance of measuring cyber risk, fewer than half do so effectively, with only 15% measuring the financial impact of cyber risks to a significant extent.

All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience. By addressing these gaps and making cybersecurity a business priority, leaders can bridge to a more secure future. CISOs can help drive this outcome by sharing tech-enabled insights and by explaining cyber priorities in business terms (cost, opportunity, risk).

Cyber threat outlook and emerging cyber risk

Navigating cyber threats: Establishing a shared vision for preparedness

While the cybersecurity landscape continues to evolve, organisations are struggling with increasingly volatile and unpredictable threats. An expanding attack surface — spurred by growing reliance on cloud, AI, connected devices and third parties — demands an agile, enterprise-wide approach to resilience. Aligning organisational priorities and readiness is essential for maintaining security and business continuity.

Unprepared for the most concerning threats

What worries organisations most is what they are least prepared for. The four threats ranked most concerning — cloud-related threats, hack-and-leak operations, third-party breaches and attacks on connected products — are the same ones security leaders feel least prepared to address. This gap highlights the urgent need for better-targeted investment and stronger response capabilities.

“Don’t stop short on your journey for cybersecurity and resilience. Criminals and nation-state actors are becoming expert at finding unprotected seams: weak identity and access controls, unpatched devices and security misconfigurations.”

Rob Joyce, Cyber, Risk & Regulatory Senior Fellow, PwC US, former Special Assistant to the President & Acting Homeland Security Advisor

Chart of cyber threat concern versus preparedness

Executive call-to-action

Underscore to the rest of the C-suite the threats that jeopardise the business most, especially if investment efforts need to be shifted.

Based on conversations with risk executives, gauge how specific threats could damage information and infrastructure security at large, and which pose the biggest challenge to resilience.

Gain deeper insight from the CISO and CRO on the most critical cyber management and investment priorities.

Meet regularly with the CRO and CISO to understand the threat vectors they’re most concerned about. Make sure you’re receiving regular reporting on current threat mitigation efforts.

Understand the top cyber risks to the organisation and ask the tough questions of management. How are risks being mitigated? Do we have adequate plans and funding in place to proactively address risks and respond should an event occur?

Cybersecurity impact of emerging technologies and GenAI

GenAI and emerging tech: Balancing opportunity and risk

While the rapid advancement of generative AI (GenAI) is opening new opportunities across industries, it also introduces cybersecurity risk. As organisations adopt GenAI and other emerging technologies, the C-suite must navigate more complex and unpredictable attack vectors, integration challenges and the dual-edged nature of GenAI, which serves both cyber defence and offence.

“Cybersecurity is predominantly a data science problem. It’s becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to get closer to the data to drive timely and actionable insights that matter the most.”

Mike Elmore, Global CISO, GSK

Leveraging GenAI for cyber defence: Opportunities and challenges

Although GenAI is expanding the attack surface for most organisations, executives are also turning the same technology to cyber defence. The top three uses they report are threat detection and response, threat intelligence, and malware and phishing detection.

Chart of obstacles to incorporating GenAI into cyber defense strategies

Executive call-to-action

Help drive standardisation across the technology estate so that AI can be integrated consistently. Enforce access rights per user so that probable attack vectors can be identified and constrained.

Develop an AI impact assessment to educate business executives on where investment and implementation makes the most sense. Prepare your platforms for scalability as GenAI use grows.

Work with the CISO on prioritising the security and confidentiality of financial data.

Enhance data governance protocols and assess any data privacy risks against privacy laws and regulator guidance.

Collaborate with other risk and compliance teams to guard against improper secondary uses of data and potential legal exposure.

Cyber regulations compliance

A highly regulated cyber world: Are companies really ready?

Regulatory frameworks are asking companies to swiftly comply with a growing array of requirements. A surge of new regulations — DORA, Cyber Resilience Act, AI Act, CIRCIA, Singapore Cybersecurity Act, etc. — underscores the urgency for organisations to align their practices to these heightened expectations. Addressing these challenges is essential to building a resilient and compliant cybersecurity posture that can withstand both regulatory scrutiny and emerging threats.

Confidence gap: CISOs feel less certain than CEOs about cyber compliance

Despite the belief that cyber regulations are helping the organisation, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations.

The biggest gaps involve compliance with AI, resilience and critical infrastructure requirements. CISOs, who are on the front lines of cybersecurity, are less optimistic than CEOs about their organisation’s ability to meet these regulatory requirements.

Chart of confidence in organization’s regulation compliance

Executive call-to-action

Deliver frequent reporting to executive leaders on the state of regulations that directly impact respective industry or territory needs, and work towards implementing technology and regulatory change management processes.

Verify the accuracy, completeness and defensibility of all regulatory disclosures of cyber risk management and program posture. Develop a clear understanding of materiality and the specific impact of a cyber incident, incorporating cyber risk quantification to accurately assess and communicate potential risks.

Understand oversight responsibilities to guide compliance efforts, including any necessary coordination between different business units. Identify key questions to ask CISOs to close any knowledge gaps on compliance posture.

Stay abreast of regulatory compliance requirements and collaborate with the CISO and CRO to incorporate proactive compliance measures and monitoring to periodically confirm compliance.

Determine the right amount of disclosure details needed to fulfill cyber program reporting obligations, striking a balance between transparency and confidentiality.

Stay abreast of emerging regulatory requirements and seek input from management on proactive measures being taken to prepare for new requirements. Understand management’s approach to assessing and disclosing cyber incidents.

Cyber risk quantification

Unlocking the potential of cyber risk quantification: What’s holding organisations back?

As cyber threats rapidly evolve in scope and sophistication, cyber risk quantification has become a critical tool that organisations can’t afford to overlook. However, despite its widely acknowledged benefits, several challenges (data quality issues, output reliability, etc.) have impeded broader adoption.

Measuring cyber risk is critical but limited

While executives largely agree that measuring cyber risk is crucial for prioritising cyber risk investments (88%) and allocating resources to areas of highest risk (87%), only 15% of organisations are actually doing it to a significant extent (e.g., extensive cyber risk quantification with automation and extensive reporting).

Chart of the benefits of quantifying cyber risk

Executive call-to-action

Consider starting small, with a specific output in mind. Use the information you already have within your organisation (e.g., controls effectiveness, maturity, incident or loss data). New tools can help with risk quantification but aren't a requirement: define your programme first, then look for enabling technologies to support what you've designed.
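The following is an added example, not code from the PwC report, of the kind of small, specific-output quantification the paragraph above describes. It turns an estimated incident frequency and per-event loss (the sort of numbers that come from incident or loss data) plus an assumed control effectiveness into an annualised loss expectancy (ALE) and points on a loss-exceedance curve, and then asks whether a control pays for itself. The Poisson-frequency/lognormal-magnitude model, the scenario name and every number in it are assumptions chosen for illustration; the report does not prescribe a method.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Every value supplied below is a constructed example."""
    name: str
    events_per_year: float        # estimated incident frequency, e.g. from loss data
    loss_median: float            # median loss per event, in currency units
    loss_sigma: float             # spread of the lognormal loss-per-event model (assumed)
    control_effectiveness: float = 0.0  # fraction of events a control prevents (0..1)

    @property
    def effective_rate(self) -> float:
        return self.events_per_year * (1.0 - self.control_effectiveness)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates typical of incident data."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 1) -> List[float]:
    """Simulate `years` independent years: Poisson event count, lognormal loss per event."""
    rng = random.Random(seed)
    mu = math.log(s.loss_median)
    annual = []
    for _ in range(years):
        n_events = _poisson(rng, s.effective_rate)
        annual.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(n_events)))
    return annual


def percentile(values: List[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarise(annual: List[float]) -> Dict[str, float]:
    """ALE plus points on the loss-exceedance curve: the outputs an executive can act on."""
    return {
        "ale": sum(annual) / len(annual),
        "p50": percentile(annual, 0.50),
        "p90": percentile(annual, 0.90),
        "p99": percentile(annual, 0.99),
        "p_no_loss": sum(1 for x in annual if x == 0.0) / len(annual),
    }


def analytic_ale(s: Scenario) -> float:
    """Closed form for the same model (rate * E[lognormal]); a sanity check on the simulation."""
    return s.effective_rate * math.exp(math.log(s.loss_median) + s.loss_sigma ** 2 / 2)


def control_net_benefit(baseline: Scenario, effectiveness: float, annual_cost: float,
                        years: int = 20_000, seed: int = 1) -> float:
    """Expected annual loss avoided by a control, minus what the control costs to run."""
    controlled = Scenario(baseline.name, baseline.events_per_year, baseline.loss_median,
                          baseline.loss_sigma, effectiveness)
    before = summarise(simulate_annual_losses(baseline, years, seed))["ale"]
    after = summarise(simulate_annual_losses(controlled, years, seed))["ale"]
    return (before - after) - annual_cost


if __name__ == "__main__":
    # Constructed scenario: about two successful phishing-led account compromises a year,
    # median direct loss of 100k per event, with a heavy-tailed upside.
    bec = Scenario("phishing-led account compromise", 2.0, 100_000.0, 1.0)
    stats = summarise(simulate_annual_losses(bec))
    for key, value in stats.items():
        print(f"{key:>10}: {value:.3f}" if key == "p_no_loss" else f"{key:>10}: {value:,.0f}")
    print(f"analytic ALE: {analytic_ale(bec):,.0f}")
    # Would a control assumed to stop 70% of these events be worth 120k a year?
    print(f"net benefit of control: {control_net_benefit(bec, 0.7, 120_000.0):,.0f}")
```

The design point is that the output is a distribution, not a single number: the p90 and p99 figures are what a CFO needs to size insurance or reserves, while the ALE and the net-benefit figure are what justify a specific control. Replace the constructed frequency and magnitude parameters with values fitted to your own incident and loss data before drawing any conclusions.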

Show C-suite executives the most impactful financial risk measurement outcomes from quantification tools and practices. These examples can help persuade leadership to prioritise and allocate the right resources to the highest areas of risk.

Work with your CISO and CRO to gain a deeper understanding of the business value of cyber risk quantification and the potential costs and missed opportunities from not measuring cyber risks.

Understand the methods your organisation currently uses to assess cyber risk. Press management on its plans to implement risk quantification more broadly to better assess and report on the company’s cyber risk posture.

Cyber investment and business priorities

Investing in resilience, building trust

As cybersecurity becomes a critical business priority, organisations are beginning to see it as a differentiator and a way to strengthen their reputation and trustworthiness. Many are increasing cyber budgets accordingly, with a particular focus on data protection and trust. By investing strategically in these areas, companies are not only building resilience but also positioning themselves favourably with their customers.

Investing in what matters most: Cloud and data trust go hand-in-hand

Over the next 12 months, organisations are prioritising data protection/trust and cloud security above other cyber investments. They understand that securing sensitive information is vital to maintaining stakeholder trust and brand integrity.

Business and tech executives rank their priorities differently, reflecting the areas specific to their roles.

  • Business executives say data protection/trust is their top cyber investment priority (48%), followed by tech modernisation and optimisation (43%).

  • For tech executives, cloud security remains their top priority (34%), following the same trend from last year. Data protection and trust is the next priority (28%).

Cybersecurity and trust: The new competitive edge

Organisations increasingly view cybersecurity as a key differentiator for a competitive advantage, with 57% of executives citing customer trust and 49% citing brand integrity and loyalty as areas of influence. As cyber threats escalate, a strong cybersecurity posture isn’t just about protection — it’s about building a reputation that customers and stakeholders can rely on.

Chart of how organizations position cybersecurity as a competitive

“The threat landscape is increasingly unpredictable, as we’re seeing multi-vector threats to physical and digital environments. We’re investing resources toward integrated response and recovery capabilities to enhance physical security and cybersecurity. Threat actors don’t differentiate. We need to be prepared at every level with our business continuity and resilience programs.”

Dr. Georg Stamatelopoulos, CEO of EnBW AG

Executive call-to-action

Translate the business case for data protection and cloud security investment priorities to CFOs based on the business value of key outcomes (e.g., reducing the time to recover mission-critical data or patching a system).

Determine the business value of data protection and cloud security to gain stakeholder trust and make more informed cybersecurity investment decisions.

Collaborate with tech, security and finance executives to pinpoint the most essential data security and integrity priorities, and let those guide the information and cloud security investment strategy. Confirming data quality and readiness is a prerequisite for increasing security investment.

Cyber strategy and leadership

Is your cyber strategy and leadership driving real resilience?

From lagging resilience efforts to gaps in CISO involvement in strategic decisions, there are clear areas where strategic alignment is needed. To get there, organisations should emulate the leading cybersecurity practices of their top performing peers. They should also move beyond addressing known threats and implement an agile, secure-by-design approach to business, one that strives to build trust and lasting resilience.

“It’s the CISO’s job to contextualise and connect the threats that exist to the vulnerabilities within the organisation. That means educating people on the threats the enterprise is prepared to deal with and those it’s not ready for. With an education-forward approach, there tends to be more cooperation across the organisation.”

David Bruyea, CISO at Moneris

Partial implementation isn’t enough

Despite mounting concerns about cyber risk, most businesses are struggling to fully implement cyber resilience across core practices. A review of 12 resilience actions across people, processes and technology indicates that 42% or fewer of executives believe their organisations have fully implemented any one of those actions. More concerning, only 2% say all 12 resilience actions have been implemented across their organisation. This leaves a glaring vulnerability — without enterprise-wide resilience, companies remain dangerously exposed to the increasing threats that could compromise the entire operation.

Here are just a few key areas that would benefit from cross-organisational attention.

  • Establishing a resilience team (only 34% say this has been implemented across the organisation)
  • Developing a cyber recovery playbook for IT-loss scenarios (only 35% say this has been implemented across the organisation)
  • Mapping technology dependencies (only 31% say this has been implemented across the organisation)

Chart of implementation of cyber resilience actions across the organisation

Elevating the CISO: Aligning strategy with security

Many organisations miss critical opportunities by not fully involving their CISOs in key initiatives. Fewer than half of executives tell us that their CISOs are largely involved in strategic planning for cyber investments, board reporting and overseeing tech deployments. This gap leaves organisations vulnerable to misaligned strategies and weaker security postures.

Chart of CISO involvement in business activities

Executive call-to-action

Make the business case to the rest of the C-suite for why it’s imperative that CISOs be involved in strategy, planning and oversight of the cyber risk mitigation and resilience strategy.

Participate in cyber resilience assessments and exercises to better understand gaps and approaches CISOs might face for integrating leading practices, standards and controls.

Stay informed and educated on cyber risk program developments, especially related to the organisation’s cyber risk and threat exposure, to meet expanding oversight and governance responsibilities.

About the survey

The 2025 Global Digital Trust Insights is a survey of 4,042 business and technology leaders conducted in the May through July 2024 period.

A quarter of leaders are from large companies with $5 billion or more in revenues. Respondents operate in a range of industries, including industrials and services (21%), tech, media, telecom (20%), financial services (19%), retail and consumer markets (17%), energy, utilities, and resources (11%), health (7%) and government and public services (4%).

Respondents are based in 77 countries. The regional breakdown is Western Europe (30%), North America (25%), Asia Pacific (18%), Latin America (12%), Central and Eastern Europe (6%), Africa (5%) and Middle East (3%).

The Global Digital Trust Insights Survey was previously known as the Global State of Information Security Survey (GSISS). Now in its 27th year, it is the longest-running annual survey on cybersecurity trends. It is also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US