
Cyber study: How the C-suite disconnect is leaving organizations exposed


New research from Ernst & Young LLP confirms that cybersecurity remains center stage: 84% of C-suite leaders say their organization’s focus on cybersecurity has increased compared with three years ago. What’s more, 85% also say their organization’s cybersecurity focus will increase over the next year compared with today.

The majority (84%) of C-suite leaders confirm their organization has experienced a cybersecurity incident in the last three years. The most common incidents in the past year are spyware, domain name spoofing and zero-day exploits (when cybercriminals take advantage of an unknown or as-yet-unaddressed flaw).

Separate EY analysis of Russell 3000 companies also reveals that companies face significant financial risks from cybersecurity incidents, including far-reaching financial repercussions beyond immediate recovery costs. Our analysis shows a direct correlation between share price declines and cybersecurity breaches. Compared with companies that did not experience a cybersecurity incident, company stock prices decrease not just upon disclosure but for a period extending to 90 days after the incident. Companies are seeing real costs associated with cyber incidents, with a longer impact than envisioned.

The 2025 EY Cybersecurity Study: Bridging the C-suite disconnect also reveals an alarming divide between Chief Information Security Officers (CISOs) and the rest of the C-suite. This C-suite disconnect centers on how cyber threats are perceived by CISOs and the rest of the C-suite in four key areas:



Disconnect: 1

How exposed is the organization?

Our study reveals a divide between CISOs and the rest of the C-suite on whether cybersecurity defenses are keeping pace with threats and whether threats are being underestimated.


CISOs more concerned about cybersecurity

CISOs (66%) are more likely than the rest of the C-suite (56%) to express worry that the cybersecurity threats their organization faces are more advanced than their defenses.

Many also worry that their organization has a history of underestimating cybersecurity threats, highlighting a lingering vulnerability. CISOs (68%) are also more likely than the rest of the C-suite (57%) to express concern about senior leaders at their organization underestimating the dangers of cybersecurity threats. For many CISOs, it’s a matter of when and how — rather than if — their organization will experience a cybersecurity incident.

Interestingly, EY analysis found a correlation between experiencing cybersecurity incidents and higher levels of executive concern about cybersecurity. This suggests that concern is more reactive than proactive, since more attacks predict higher levels of concern.



Disconnect: 2

How much are we spending on cybersecurity?

There is a lack of agreement across the C-suite on both current and future investment levels in cybersecurity.


Gap in budget

CISOs are more likely to report a higher budget than the rest of the C-suite, with 67% of CISOs saying their organization’s current total cybersecurity budget is at minimum seven figures, vs. the rest of the C-suite (45%).

This gap widens when asked about next year’s budget, with 82% of CISOs saying next year’s total cybersecurity budget will be at minimum seven figures, compared with the rest of the C-suite (53%). This may, in part, be attributable to the lack of organizations with a stand-alone cyber budget, which obscures how much is being spent on cybersecurity.

When it comes to artificial intelligence (AI), CISOs are particularly optimistic about AI’s ability to positively transform their organization’s cybersecurity strategy and preparedness: CISOs (90%) are more likely than the rest of the C-suite (81%) to say AI is a critical component of their cybersecurity strategy.

Interestingly, C-suite leaders whose organization has adopted AI into their cybersecurity practices (80%) are more likely to say their organization’s cybersecurity budget should prioritize investment in people (for example, hiring cybersecurity talent and upskilling current employees) over new technology solutions compared with organizations that have not adopted AI (70%). AI is one of many factors making an impact as cybersecurity functions evolve.



Disconnect: 3

What’s making a difference?

Across the C-suite, there are differing perspectives on which technologies or initiatives are helping to reduce cybersecurity incidents.


Execs differ on what's helping to reduce cybersecurity incidents

Surprisingly, CISOs are the most likely to attribute decreased cyber incidents to investment in AI. In fact, 75% of CISOs say their organization experienced a decrease in cybersecurity incidents following increased investment in AI, compared with the rest of the C-suite (68%). By contrast, the rest of the C-suite (77%) is more likely to attribute success in decreased cybersecurity incidents to increased investments in employee cybersecurity training than CISOs (69%).



Disconnect: 4

Where are cyber threats coming from?

A gap in understanding the historic source of incidents is problematic for building defenses against future threats.


Execs differ on inside vs. outside threats

More CISOs (47%) say their organization has experienced a cybersecurity incident due to inside threats (i.e., employees intentionally stealing or leaking private information) in the past three years, compared with the rest of the C-suite (31%).

CISOs (57%) are also more likely than the rest of the C-suite (47%) to say their organization has experienced a cybersecurity incident due to cybercriminals in the past three years. This gap in understanding the historic source of incidents is problematic for building defenses against future threats.





Stand-alone cybersecurity budgets and C-suite disconnects

Most (84%) C-suite leaders consider cybersecurity investments a cost center and many (68%) agree that their organization prioritizes short-term revenue generating investments over investments to protect the organization from cybersecurity threats.

This perception is reflected in where cybersecurity budgets are housed, with only 18% of C-suite leaders saying cybersecurity is a stand-alone budget, in other words separate from the organization’s overall or IT budgets.

For a majority (68%) of C-suite leaders, cybersecurity is part of the IT budget. This puts cybersecurity in direct conflict with a multitude of operational priorities, rather than on a footing with more strategic aspects of running the business, such as manufacturing operations, finance and business transformation.

Four actions to overcome the C-suite divide

Current efforts on cybersecurity are not shifting the dial. Although most (83%) C-suite leaders who are investing in cybersecurity say their organization is investing the right amount regardless of how much, many (60%) remain worried that the cybersecurity threats their organization faces are more advanced than their defenses.

Without transparency on what is being spent and clear performance metrics, there is clearly room for confusion, as reflected in the four C-suite disconnects reported here. CISOs see escalating threats and vulnerabilities, while the C-suite appears to often believe cybersecurity is handled. Certainly, CISOs (63%) admit they struggle with motivating other C-suite leaders to prioritize cybersecurity investments.

Our research reinforces the urgent need for leaders to come together and develop a comprehensive cybersecurity strategy that addresses the evolving threat landscape and includes clear communication, a shared understanding of the risks and opportunities and priority areas for investment.

Companies need to move beyond a “check the box” mentality and recognize cybersecurity as a strategic investment, not simply a cost center. It’s time to push for not just the resources but the authority for cyber leaders to build truly resilient organizations. The cost of inaction is simply too high.

Here are four actions the C-suite can take to maximize value from capital investment amid heightened cyber risks and turbulent economic conditions:


Special thanks to Jim Guinn, David Cooper, Michelle DeLiberty, Tim Shanahan and Aman Rai for their contributions to this content.


