We witness the same pattern repeatedly: only after disaster strikes do we scramble to fix the problems we long ignored. This tendency to act after the damage is done — whether in cybersecurity, public health, or environmental policy — underscores our reluctance to heed foresight and prepare proactively. PwC’s 2025 Global Digital Trust Insights survey reveals that, despite knowing the stakes, most businesses still fail to implement critical measures to secure their digital assets and build resilience against cyber threats.
The PwC 2025 Global Digital Trust Insights survey reveals the need for significant advancements in corporate cybersecurity strategies as businesses face an increasingly complex threat landscape. Despite widespread awareness of cyber risks, only 2% of companies have implemented comprehensive cyber resilience actions across their entire organization, highlighting a critical gap between intent and action.
Our further takeaway follows; you can read the whole report here.
Gaps in Cyber Resilience: A Threat to Business Continuity
PwC surveyed 4,042 business and technology leaders across 77 countries, revealing numerous gaps that companies must address to achieve cyber resilience. With the attack surface expanding due to advances in artificial intelligence (AI), connected devices, and cloud technologies, the pressure on organizations to protect against cyber threats is greater than ever. However, the report finds fewer than half of executives are prepared to address the most concerning threats, such as cloud-related risks and third-party breaches.
One key finding is the lack of CISO (Chief Information Security Officer) involvement in strategic decision-making. Less than 50% of CISOs are involved significantly in board reporting, strategic planning, and overseeing tech deployments. This lack of integration leaves organizations vulnerable to threats, as cybersecurity is not prioritized at the highest levels of business decision-making.
Further gaps were identified in confidence levels regarding compliance with emerging regulations, particularly involving AI, resilience, and critical infrastructure. There is a 13% confidence gap between CEOs and CISOs/CSOs in their ability to meet these regulatory requirements, demonstrating a misalignment that could hinder effective responses to new cybersecurity standards.
Misalignment in Measuring Cyber Risks
While executives acknowledge the importance of measuring cyber risk, fewer than half of the organizations are doing it effectively, with only 15% measuring the financial impact of cyber risks to a significant extent. This gap in risk quantification limits companies’ ability to make informed decisions and allocate resources to mitigate the most critical threats.
To strengthen cyber resilience, C-suite collaboration is crucial. By involving cybersecurity officers in strategic discussions and investing in risk measurement tools, companies can gain a clearer understanding of their vulnerabilities and enhance their preparedness for potential threats.
Addressing the Expanding Attack Surface
The report also emphasizes the challenges brought on by the growing attack surface due to the increasing use of AI, cloud services, and connected devices. The reliance on these technologies requires an agile, enterprise-wide approach to cybersecurity. Aligning organizational priorities and ensuring readiness across the board is essential for maintaining both security and business continuity.
Rob Joyce, Cyber, Risk & Regulatory Senior Fellow at PwC US, warns, “Criminals and nation-state actors are becoming expert at finding unprotected seams: weak identity and access controls, unpatched devices, and security misconfigurations.” His statement underscores the need for organizations to leave no stone unturned in their quest for cyber resilience.
Leveraging Generative AI for Cyber Defence
While generative AI (GenAI) offers opportunities for enhancing cybersecurity, it also presents new risks. Organizations adopting GenAI must navigate more complex attack vectors and integration challenges. GenAI is being used by businesses to boost cyber defense through threat detection, intelligence, and malware/phishing detection, demonstrating both the potential and the challenges of emerging technologies in the cybersecurity landscape.
Mike Elmore, Global CISO at GSK, highlighted the role of AI in cyber defense, stating, “Cybersecurity is predominantly a data science problem. It’s becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to drive timely and actionable insights that matter the most.” However, despite the enthusiasm, companies still face obstacles in incorporating GenAI into their cyber defense strategies, such as data quality issues and output reliability.
Regulatory Compliance and the Confidence Gap
The report also sheds light on the growing complexity of the regulatory environment. Companies must align their practices with new regulations such as the Digital Operational Resilience Act (DORA), Cyber Resilience Act, and AI Act to meet heightened expectations. However, a significant gap exists in the confidence levels of CEOs and CISOs in their ability to comply with these regulations, especially concerning AI and resilience.
CISOs at the front lines of cybersecurity are less optimistic than CEOs about their organization’s ability to meet regulatory requirements, which points to a need for better communication and alignment between leadership teams. Frequent reporting to executive leaders on the state of regulations and implementing technology and regulatory change management processes are recommended as ways to bridge this gap.
Investing in Resilience and Building Trust
The PwC report indicates that organizations are beginning to see cybersecurity as a key differentiator, enhancing their reputation and trustworthiness. Over the next year, companies are prioritizing investments in data protection and cloud security to bolster resilience and build customer trust and brand integrity.
The report highlights different priorities between business and tech executives regarding cybersecurity investments. Business executives rank data protection and trust as their top priority, while tech executives prioritize cloud security. Aligning these priorities and communicating the business value of cybersecurity investments across the C-suite is crucial for maximizing the effectiveness of these investments.
Elevating the Role of the CISO
Despite the rising importance of cybersecurity, most businesses struggle to implement resilience practices across their organizations fully. A review of 12 resilience actions across people, processes, and technology found that 42% or fewer executives believe their organization has fully implemented any of those actions, and only 2% report that all 12 actions have been implemented. This leaves a glaring vulnerability and exposes organizations to increasing threats that could compromise their operations.
Moreover, many organizations are missing critical opportunities by not fully involving their CISOs in key initiatives. Fewer than half of executives report that their CISOs are largely involved in strategic planning, board reporting, or overseeing tech deployments. This lack of involvement weakens security postures and leaves organizations vulnerable to misaligned strategies. Elevating the role of the CISO and ensuring their participation in all strategic business decisions is essential for developing a robust cybersecurity strategy.
A Call for Comprehensive Cyber Strategy and Leadership
The PwC report concludes that bridging the gaps to cyber resilience requires a collaborative effort from the entire C-suite. Organizations must embed cybersecurity into every strategic decision, prioritize risk measurement and data protection investments, and leverage emerging technologies like AI for defense and compliance.
David Bruyea, CISO at Moneris, summarized the importance of education and alignment in cyber strategy: “It’s the CISO’s job to contextualize and connect the threats to the vulnerabilities within the organization. That means educating people on the threats the enterprise is prepared to deal with and those it’s not ready for. With an education-forward approach, there tends to be more cooperation across the organization.”
As cyber threats escalate, businesses must use foresight instead of hindsight; organizations must proactively treat cybersecurity as an integral part of their business strategy. By embedding cybersecurity into every decision, investing in resilience, and fostering C-suite collaboration, companies can bridge existing gaps and build lasting resilience—before reacting to a crisis.
Other News: Cyber Insurance: A Must-Have for Businesses in the Digital Age(Opens in a new browser tab).
Other News: American Water warns of billing outages after finding hackers in its systems.
