Bridging the gaps to cyber resilience: The C-suite playbook

Australian companies are slower in adopting AI-driven cyber solutions compared to their global counterparts, highlighting the need for more significant investments to leverage opportunities in the cybersecurity space, according to PwC’s 27th Global Digital Trust Insights 2025. While Australian businesses are ahead of their global counterparts in many aspects of responding to the increasing frequency of cyber attacks, there is more they can do to harness AI’s potential as an enabler of cybersecurity and integrate it comprehensively across all business functions to support their ambitious goals for revenue growth through digital transformation.

Cyber attacks are no longer just a risk to be managed by Australian businesses; they have become a certainty. Over the next 12 months, 67% of Australian organisations have identified Cyber risk as their number one priority, surpassing concerns about inflation, macroeconomic volatility, and geopolitical risks. This will require continued investment with over 50% of Australian organisations seeking to increase Cyber budgets by at least 6% in 2025. 

Mitigation Priorities - 67% of Australian respondents stated mitigating cyber risks as the number one priority over the next 12 months, followed by digital and technology risks at 56% and inflation at 53%.

Lack of training and resources - 51% of Australian organisations are not investing enough in upskilling their workforce, compared to 35% globally. Only 23% of Australian companies are prioritising ongoing security training into their cyber budgets compared with 34% globally.

Confidence Gap - 50% of Australian CEOs are not confident in their organisations ability to comply with critical infrastructure regulation. This contrasts to 65% of CISO's, suggesting not only is there a confidence gap amongst senior executive levels, but a broader lack of confidence in this relatively new area of Australian regulation.

Q1. Which of the following risks is your organisation prioritising for mitigation over the next 12 months

_{Source: PwC 2025 Global Digital Trust Insights}

With the attack surface continuing to expand through advances in AI, connected devices and cloud technologies, and the regulatory environment in constant flux, achieving cyber resilience at an enterprise level is critical.

Yet despite widespread awareness of the challenges, significant gaps persist. To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration.

PwC’s 2025 Global Digital Trust Insights survey of 4,042 business and tech executives from across 77 countries revealed significant gaps companies must bridge before achieving cyber resilience.

• Gaps in implementation of cyber resilience: Despite heightened concerns about cyber risk, only 2% of executives globally and in Australia say their company has implemented cyber resilience actions across their organisation in all areas surveyed.
• Gaps in preparedness: Organisations feel least prepared to address the cyber threats they find most concerning, such as cloud-related risks and third-party breaches.
• Gaps in CISO involvement: Fewer than half of executives say their CISOs are involved to a large extent with strategic planning, board reporting and overseeing tech deployments.
• Gaps in regulatory compliance confidence: CEOs and CISOs/CSOs have differing levels of confidence in their ability to comply with regulations, particularly regarding AI, resilience and critical infrastructure.
• Gaps in measuring cyber risk: Although executives acknowledge the importance of measuring cyber risk, fewer than half do so effectively, with only 15% globally versus 20% in Australia measuring the financial impact of cyber risks to a significant extent.

Q2. Over the next 12 months, which of the following cyber threats is your organisation most concerned about (e.g., risk to your brand, loss of business or business disruption, compliance)?

_{Source: PwC 2025 Global Digital Trust Insights}

All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience. By addressing these gaps and making cybersecurity a business priority, leaders can bridge to a more secure future. CISOs can help drive this outcome by sharing tech-enabled insights and by explaining cyber priorities in business terms (cost, opportunity, risk).

Navigating cyber threats: Establishing a shared vision for preparedness

While the cybersecurity landscape continues to evolve, organisations are struggling with increasingly volatile and unpredictable threats. An expanding attack surface — spurred by growing reliance on cloud, AI, connected devices and third parties — demands an agile, enterprise-wide approach to resilience. Aligning organisational priorities and readiness is essential for maintaining security and business continuity.

In Australia, cyber risk remains the #1 priority for 67% of organisations over the next 12 months compared to global at 57%. This elevation above the global average may be due to the increasing regulatory pressures in Australia over the last 12-24 months (such as SOCI, Privacy Act Amendments and APRA's CPS 230 and 234) as well as a number of high profile breaches that have heightened the need for ongoing cyber investment.

Cyber threat concern vs preparedness

_{Source: PwC 2025 Global Digital Trust Insights}

Unprepared for the most concerning threats

What worries organisations most is what they’re least prepared for. The top four cyber threats found most concerning in Australia — cloud-related threats, hack-and-leak operations, third-party breach and attacks on connected products - are the same ones security leaders feel least prepared to address. This gap highlights the urgent need for better investments and stronger response capabilities. 

30% of Australian organisations have cited software supply-chain compromise as a concern which is 7% higher than global. Clearly we have more work to do on supply chain and third party risk in Australia as organisations continue to increase their reliance on a broader digital ecosystem.

GenAI and emerging tech: Balancing opportunity and risk

While the rapid advancement of generative AI (GenAI) is ushering in new opportunities across industries, it also presents cybersecurity risks. As organisations adopt GenAI and other emerging technologies, the C-suite should navigate more complex and unpredictable attack vectors, integration challenges and the dual-edged nature of GenAI in both cyber defence and offence.

51% of Australian companies suggest that lack of training is the most significant challenge they are facing internally on GenAI relating to cybersecurity and privacy over the next 12 months - in stark contrast to 35% globally. This 16% difference clearly highlights that Australian organisations must do more to invest in upskilling their workforce with respect to cybersecurity and privacy applications of GenAI.

Leveraging GenAI for cyber defence: Opportunities and challenges

Although GenAI is increasing the cyber risk attack surface for most organisations, executives are also using that same technology for cyber defence. The top three ways they’re leveraging GenAI include threat detection and response, threat intelligence and malware/phishing detection.

This year 15% of Australian companies identified GenAI as a technology that has affected the cyber attack surface in their respective IT environments over the past year compared to 31% globally. While on face value this may appear like AI-enabled threats are less of a concern in Australia, it is more suggestive of an opportunity to accelerate - Australian organisations are moving slower to adopt GenAI technologies relative to the globe. 

A highly regulated cyber world: Are companies really ready?

Regulatory frameworks are asking companies to swiftly comply with a growing array of requirements. A surge of new regulations — DORA, SOCI, Cyber Resilience Act, AI Act, CIRCIA, Singapore Cybersecurity Act, etc. — underscores the urgency for organisations to align their practices to these heightened expectations. Addressing these challenges is essential to building a resilient and compliant cybersecurity posture that can withstand both regulatory scrutiny and emerging threats.

Here in Australia the regulatory landscape has been highly dynamic over the past 12-24 months with SOCI, CPS 230 and Privacy Act amendments just to name a few. Almost every industry sector in Australia is now facing increased regulatory pressure and this was reflected in the survey results. 13% of Australian organisations stated that cybersecurity regulations have caused delays in strategic, product and/or operational planning and delivery outcomes versus 7% for global organisations. This suggests that here in Australia we have not yet found the right balance between adding compliance overhead versus driving more resilient outcomes, and more focus is needed on optimising and streamlining these processes. 

Confidence gap: CISOs and CEOs share varying levels of certainty over cyber compliance

Despite the belief that cyber regulations are helping the organisation, there’s a significant difference between CEO and CISO/CSO confidence in their ability to comply with these regulations.

The biggest gaps involve compliance with AI, Resilience and Critical Infrastructure. In these areas which have seen recent regulation in Australia, CEOs are far less confident in their organisations ability to meet regulatory requirements compared to CISOs.

CISOs, who are on the front lines of cybersecurity, are less optimistic than CEOs when it comes to Data Protection requirements.

Q15. How confident are you in your organisation’s ability to be in compliance with the following types of regulations that may apply to the geographic area(s) in which your organisation operates?

_{Source: PwC 2025 Global Digital Trust Insights}

Unlocking the potential of cyber risk quantification: What’s holding organisations back?

As cyber threats rapidly evolve in scope and sophistication, cyber risk quantification has become a critical tool that organisations can’t afford to overlook. However, despite its widely acknowledged benefits, several challenges (data quality issues, output reliability, etc.) have impeded broader adoption.

Measuring cyber risk is critical but limited

While 93% of Australian executives largely agree that measuring cyber risk is crucial for prioritising cyber risk investments (88% globally) and 85% stated allocating resources to areas of highest risk (87% globally), only 20% of organisations are actually doing it to a significant extent (e.g., extensive cyber risk quantification with automation and extensive reporting).

Consider starting small with a specific output in mind. Leverage the information you have within your organisation (e.g., controls effectiveness, maturity, incident or loss data. New tools can help with risk quantification but aren't a requirement. Define your program and look for enabling technologies to support what you've designed.

Investing in resilience, building trust

As cybersecurity continues to evolve into a critical business priority, organisations are beginning to see its potential as a key differentiator and a way to enhance their reputation and trustworthiness. To prepare, many are increasing their cyber budgets with a particular focus on data protection and trust. By strategically investing in these areas, companies are not only building resilience but positioning themselves positively to their customers. 

In Australia 76% of respondents are increasing cybersecurity budgets in the year ahead which is consistent to global, but there are some interesting deviations in the detail. 
 

Investing in what matters most: Cloud and data trust go hand-in-hand

Over the next 12 months, organisations are prioritising data protection/trust and cloud security above other cyber investments. They understand that securing sensitive information is vital to maintaining stakeholder trust and brand integrity.

Business and tech executives rank a different list of priorities based on areas specific to their roles.

Only 34% of Australian business leaders are prioritising modernisation of technology, including cyber infrastructure, compared to 48% globally. This is a concerning lead indicator that Australian organisations are taking on more risk in having to manage legacy technology environments which not only are more susceptible to cyber attacks but tend to be more costly to maintain (from both a technology and people perspective).

Only 11% of Australian technology leaders are investing in Identity and Access Management compared to 16% globally, which is an area that is foundational to robust cybersecurity and resilience. The highest areas of investment for Australian organisation are cloud security at 30% and Data Protection / Data Trust at 27%.

Q7. How will your organisation’s cyber budget change in 2025?

_{Source: PwC 2025 Global Digital Trust Insights}

Q8a. Which of the following investments, if any, are you prioritising when allocating your organisation’s cyber budget in the next 12 months?

_{Source: PwC 2025 Global Digital Trust Insights}

Cybersecurity and trust: The new competitive edge

Organisations increasingly view cybersecurity as a key differentiator for a competitive advantage, with 67% of Australian executives citing customer trust versus 57% globally. As cyber threats escalate, a strong cybersecurity posture isn’t just about protection — it’s about building a reputation that customers and stakeholders can rely on.
 

Is your cyber strategy and leadership driving real resilience?

From lagging resilience efforts to gaps in CISO involvement in strategic decisions, there are clear areas where strategic alignment is needed. To get there, organisations should emulate the leading cybersecurity practices of their top performing peers. They should also move beyond addressing known threats and implement an agile, secure-by-design approach to business, one that strives to build trust and lasting resilience.

Partial implementation isn’t enough

Despite mounting concerns about cyber risk, most businesses are struggling to fully implement cyber resilience across core practices. A review of 12 resilience actions across people, processes and technology globally indicates that 42% or fewer of executives believe their organisations have fully implemented any one of those actions. More concerning, only 2% say all 12 resilience actions have been implemented across their organisation. This leaves a glaring vulnerability — without enterprise-wide resilience, companies remain dangerously exposed to the increasing threats that could compromise the entire operation.

In order to accelerate implementation, and in light of an ongoing skills-constrained workforce, 40% of Australian organisations are investing in Managed Services versus only 29% globally. This highlights the importance of having a trusted ecosystem of providers that can enable an organisation to focus on its core mission. This greater dependency on managed service providers may also explain why Australian organisations are more concerned about supply-chain compromise at 30% compared to globally at 23%.

Q23. What, if any, are your organisation’s strategy, people and investment goals relating to cyber and privacy over the next 12 months?

_{Source: PwC 2025 Global Digital Trust Insights}

Here are just a few key areas that would benefit from cross-organisational attention

• Establishing a resilience team (globally, only 34% say this has been implemented across the organisation, Australia is sitting slightly lower at 29%).
• Developing a cyber recovery playbook for IT-loss scenarios (globally, only 35% say this has been implemented across the organisation, compared to 30% in Australia).
• Mapping technology dependencies (only 31% both globally and in Australia say this has been implemented across the organisation).

Elevating the CISO: Aligning strategy with security

Many organisations miss critical opportunities by not fully involving their CISOs in key initiatives. Fewer than half of executives tell us that their CISOs are largely involved in strategic planning for cyber investments, board reporting, and overseeing tech deployments. This gap leaves organisations vulnerable to misaligned strategies and weaker security postures.

To address this vulnerability, it's crucial to integrate CISOs more into strategic planning and board activities. Their expertise is not only vital for aligning cyber investments with organisational goals but also for enhancing the board's understanding of regulatory responsibilities. This opportunity clearly presents itself in Australia, with only 40% of Boards stating they are very effective at managing regulatory responsibilities versus 50% globally. The role of the CISO is key to providing deeper insights into compliance issues and the dynamic regulatory environment, and to help close this regulatory confidence gap at the Board level.