Geopolitics, emerging technology, and skills shortages are reshaping cybersecurity priorities across industries, according to a new PwC report. The findings show a mix of rising awareness, persistent weaknesses, and uneven preparation for the next wave of threats.
Geopolitical risk at the core of strategy
60% of executives say cyber risk investment is now one of their top three strategic priorities in response to political instability, trade disputes, and fractured alliances. For many, this also means reconsidering where to place critical infrastructure, how to manage supply chains, and which partners to rely on.
Confidence in resilience, however, remains low. Only about half of respondents describe their organizations as very capable of withstanding cyber attacks on common vulnerabilities. Just 6% say they are prepared across all vulnerabilities, which points to continued exposure through legacy systems and supply chains.
More than a quarter of respondents report that their most damaging breach in the past three years cost at least $1 million, with large enterprises and tech-driven sectors hit hardest.
“Geopolitical turbulence is directly reshaping the cyber threat landscape. Our survey shows that while most companies recognize cybersecurity as a top strategic priority, few are truly prepared across the entirety of the risk spectrum. Legacy systems, supply chains, and cloud environments remain prime targets, especially as nation-states and AI-empowered criminal attackers raise the stakes. Building resilience today requires sustained investment, the ability to adapt quickly, and respond with agility,” said Matt Gorham, Leader of PwC’s Cyber and Risk Innovation Institute.
Spending remains reactive
Budgets are rising, but spending patterns show a bias toward reaction over prevention. 78% expect their cyber budgets to increase this year, yet only 24% are investing more in proactive measures such as monitoring, testing, and training. Most spend about the same on proactive and reactive measures, which can raise long-term costs and weaken resilience.
Cloud security and AI are the top investment priorities, but connected product risks receive less funding even though they rank high among the threats organizations feel least prepared to handle. This mismatch suggests that some exposures are still not getting the attention they deserve.
AI shifts from promise to priority
AI has become the leading priority for cyber investment. Security leaders rank AI-enabled threat hunting as their top initiative for the coming year. Autonomous AI systems, or agentic AI, are moving from experiments to deployment in areas like cloud security, data protection, and defense operations. These systems can act with limited human oversight and respond more quickly.
But AI depends on strong data practices, and here progress lags. Only half of organizations have implemented basic measures such as data classification policies or data loss prevention, and only 6% have applied data risk measures across the enterprise. Without trusted data foundations, AI adoption for security may fall short of its potential.
Quantum readiness is slow
Quantum computing is not yet an operational threat, but its impact on cryptography is well understood. Despite this, only 3% of organizations have implemented quantum-resistant measures. Almost half have not started at all. Just 8% place quantum readiness among their top budget priorities. The gap between awareness and action is striking given that post-quantum cryptography transitions can take years.
Skills gaps drive managed services
Knowledge and skills gaps are the two biggest barriers to implementing AI for cyber defense. More than half of respondents plan to use AI and automation to help close capability gaps, and nearly half of organizations that suffered major attacks are turning to managed services.
Operational technology and industrial IoT are particular pain points. Almost half of leaders cite lack of qualified personnel as one of their top three challenges in securing these environments.
