Future of Cyber


THE GLOBAL FUTURE OF CYBER SURVEY, 4TH EDITION

THE PROMISE OF CYBER
Enhancing transformational value through cybersecurity resilience

THE GROWING VALUE OF CYBER

The demands of cybersecurity are continually evolving. New threats, technologies, and changing business needs keep redefining priorities and possibilities for organizations operating in every industry.

Getting a clearer view into the future of cyber is a constant undertaking, allowing us to not only stay ahead of emerging risks but to identify new possibilities for business value.

In this, the 4th Edition of Deloitte’s Global Future of Cyber Survey, we get that clearer view. We see that the link between cybersecurity and business value is growing stronger—with cyber becoming increasingly integral to enabling tech-driven programs and driving business outcomes. We see also how the role of C-suite leaders, including the chief information security officer (CISO), is evolving as cyber considerations intensify across the enterprise.

We are excited to share key findings from the survey and invite you to explore them here. In the following pages, you’ll find a blend of data-driven insights plus observations based on Deloitte’s deep global cyber experience, as well as reflections provided directly by interview respondents. Take a look and, if you are interested in a deeper dive, we would love to hear from you.

Happy reading,

Emily Mossburg
Deloitte Global Cyber Leader

WHAT’S INSIDE

1 VIEW FROM THE TOP
A new era of transformational cyber strategies

2 METHODOLOGY
How we developed the insights

3 KEY FINDINGS
Cyber influences strategic value
• Cybersecurity’s role in strategic business value
• Growth of the CISO’s influence and the C-suite’s savviness
• Cybersecurity’s integration with tech-driven transformation
• Connections between cyber maturity, confidence, and benefits

4 LOOKING TO THE FUTURE
Insights for navigating the future of cyber

5 TAKING THE NEXT STEP
Making the future matter

VIEW FROM THE TOP

A NEW ERA OF TRANSFORMATIONAL CYBER STRATEGIES
Focusing on outcomes and resilience

The future of cyber is constantly evolving as organizations across the globe deal with ongoing business complexity and change, as well as a myriad of new threats and risks. Yet one thing remains constant: Cyber and business value are deeply intertwined, and cybersecurity stays central to how organizations in every industry consistently deliver the outcomes they desire.

That powerful connection between cybersecurity and business impact comes into sharp focus in Deloitte’s 4th Edition of The Global Future of Cyber Survey—which asked nearly 1,200 leaders in various industries worldwide to share their views on cyber threats, enterprise activities, and the future. The survey included C-suite executives across the enterprise, as well as other senior leaders with responsibility for IT, security, risk, and the business.

The focus on outcomes is growing stronger

In our previous report, the 3rd edition of the survey, Deloitte recognized the extent to which cyber was evolving into a distinct functional area of the business, transcending its traditional IT roots and becoming an essential part of the framework for delivering business outcomes.

In this 4th edition of the survey, we see that, in addition to cyber strategy being essential to unlocking greater business value, cybersecurity in practice has become increasingly integrated into technology transformation activities. We also see that the voice of cyber leadership—in particular, the CISO—has grown in importance, along with the emergence of a new cyber-savvy C-suite.

Despite the growing focus on cybersecurity, only about half (52%) of all respondents are very confident in the C-suite and board’s ability to adequately navigate cybersecurity. And specifically among C-suite respondents who are focused mainly on cybersecurity, only 34% are very confident—suggesting that they have less confidence in their abilities than others do.

But when we look just at organizations that Deloitte has classified as having high cyber maturity, we see two important findings: Cybersecurity is recognized at senior levels, and there is a strong correlation between organizations’ cyber maturity and having greater confidence in adequately navigating cybersecurity. In fact, among high-cyber-maturity organizations, that confidence in the C-suite and board grows to 82%—compared to 52% and 39% for medium- and low-cyber-maturity organizations, respectively.

The survey’s findings indicate that, on average, 86% of respondents are implementing actions to a moderate or large extent to increase cyber strategies and actions, embracing cyber as an essential component of the enterprise. And, on average, 85% of respondents expect to achieve their desired business outcomes to a moderate or large extent. While this underscores the critical role cyber plays in driving successful strategy implementation, not all organizations will realize those benefits equally.

And the more cyber-mature the organization, the bigger the potential impact. The survey found that respondents in high-cyber-maturity organizations anticipate almost two times the positive business outcomes compared with their peers. How these high-cyber-maturity organizations view cybersecurity—and how they are taking action—provides insights and a potential path for others to follow as they seek to increase their own cyber maturity.

Cyber-mature organizations are more prepared and resilient

In this edition of the survey, Deloitte identified high-cyber-maturity organizations based on several factors. As in the previous edition of the survey, we assessed their level of strategic cybersecurity planning and specific cybersecurity activities, and engagement in cybersecurity at the board level. Based on these factors, among the most cyber-mature organizations, there is a clear sign that cybersecurity’s influence in supporting and shaping technology-driven projects has grown by three percentage points.

However, given the rapid advancement in artificial intelligence (AI) technology, global organizations have experienced more sophisticated attacks. At the same time, opportunities have emerged to invest in AI-powered tools and cybersecurity solutions. Accordingly, we have updated the Deloitte cyber maturity index to include the extent to which respondents use AI capabilities within cybersecurity programs (see Cyber Maturity, page 25).

As compared to overall survey respondents, high-cyber-maturity organizations expect to achieve business outcomes by 27 percentage points more, on average, than global respondents overall. And they maintain those expectations despite reporting 11 or more cyber breaches in the past year (eight percentage points more than overall) and despite suffering negative consequences (on average seven percentage points more than overall). It may be that high-cyber-maturity organizations are identifying more cyber breaches—and therefore reporting more—not necessarily experiencing more.

Among these high-cyber-maturity organizations, the CISO and other cybersecurity leaders are being called in as experts to help guide investments in cloud-driven business initiatives, AI-enabled activities, enterprise resource planning (ERP) modernization, and other digital transformation priorities. Put another way, cybersecurity is playing a large role in helping to secure funding for technology capabilities. The heightened focus on cybersecurity also means that the CISO is more involved in strategic conversations related to digital transformation.

While these high-cyber-maturity organizations are implementing foundational cyber actions—such as having a strategic and operational plan, cyber risk monitoring, and more—what is most notable is their ability to bounce back rapidly from cyberattacks. Being more cyber-mature does not make these organizations immune to threats. It makes them more resilient when they occur, to enable critical business continuity.

The leaders of high-cyber-maturity organizations understand that being prepared to respond to and recover from the inevitable attack—to get their businesses back up and running quickly, and to serve their customers—is what matters most.

What are organizations hoping to prepare for (or avoid) as they become more resilient—and how has the picture changed? Compared with the previous edition of the survey, a loss of confidence in tech integrity (i.e., reliability, accuracy, and availability of systems and data) has risen to the top of the list as the number one negative consequence of cybersecurity incidents or breaches—becoming increasingly important as organizations accelerate their digital transformation journeys.

Operational disruption, including supply chain or partner ecosystem disruption, remains high on the list, in the number two spot, underscoring the importance of business continuity across partners and infrastructure. However, there is also a notable shift, as this was the top concern in the previous edition of the survey. Reputational loss climbed up one place as the number three concern (Figure 1).

The steps organizations take today should focus on how cyber investments can optimize, preserve, protect, and create value for the organization. That includes laying a strong foundation for future growth through cyber practices that enable data security and integrity across digital products and infrastructure. That foundation also should incorporate the fundamentals of a responsive infrastructure and digital ecosystem—for enabling future growth and business resilience. This edition of the survey shows a marked trend toward cyber programs and CISOs gaining greater strategic influence across all these value streams through more integrated technology transformation strategies—especially among the most cyber-mature organizations.

An effective approach to cybersecurity should extend beyond the traditional focus on incident response. It should delve into the core of how businesses need to integrate cyber—risk, security, and trust—into their overall strategy. Adopting a holistic, business-oriented perspective allows you to bridge broader business objectives and operational needs. This approach ensures that cyber is not just a reactive measure but a proactive, integral part of the organization’s strategic business, technology, and operational framework. Moreover, Deloitte’s research illustrates that the most cyber-mature organizations in the market are gaining significant value through a similar business-oriented approach.

WHERE ORGANIZATIONS ARE FEELING THE PAIN (FIGURE 1)
Cybersecurity incidents and breaches are resulting in these top negative consequences for survey respondents.

Negative consequences resulting from cyber incidents and breaches | 3rd Edition (Rank) | 3rd Edition (Percent) | 4th Edition (Rank) | 4th Edition (Percent)
Loss of confidence in tech integrity | 6 | 55% | 1 | 66%
Operational disruption (including supply chain/or partner ecosystem) | 1 | 58% | 2 | 66%
Reputational loss | 4 | 55% | 3 | 65%
Negative talent recruitment/retention impact | 7 | 54% | 4 | 64%
Loss of revenue | 2 | 56% | 5 | 64%
Loss of customer trust/negative brand impact | 3 | 56% | 6 | 63%
Intellectual property theft | 8 | 54% | 7 | 63%
Regulatory fines | 10 | 52% | 8 | 63%
Drop in share price | 9 | 52% | 9 | 63%
Defunding of a strategic initiative | 5 | 55% | 10 | 63%

“Our threat surface is quickly increasing. As we connect our factories with new technologies, new risks emerge. As soon as we tie in a supplier’s robot who wants to call back to the manufacturer for maintenance or push a software package to an assembly line component, things get much more complicated.”

—Kevin Tierney, Chief Cyber Security Officer, General Motors

METHODOLOGY

HOW WE DEVELOPED THE INSIGHTS

Behind the research

Deloitte designed the 4th Edition of The Global Future of Cyber Survey based on the complexity of today’s business and technology landscape, focusing on the needs of enterprise leaders who may recognize the importance of cybersecurity yet struggle to harness its value.

Deloitte based its research on a survey of nearly 1,200 cyber decision-makers at the director level or higher, including C-suite executives and their direct reports, covering a mix of business and IT functions. The survey reflects data gathered across 43 countries and six industries, and is limited to organizations with at least 1,000 employees and US$500 million in annual revenue.

Deloitte also conducted in-depth interviews with senior cyber decision-makers across various industries and geographies, to glean more detailed insights and to help validate our observations. Our approach covered every aspect relevant to the future of cyber, from strategy to tactics and culture to technology implementation.

At the core of this research, we focused our efforts on exploring how cybersecurity has changed since the last edition of our report while applying a forward-looking lens, to help bring the future of cyber into sharper focus. We also wanted to get a clearer view into the cyber savviness of the C-suite today. Throughout the survey, we have looked to unlock insights for better understanding the cyber-related business value and impact organizations are experiencing, as well as the distinct actions that leading organizations are taking to increase value.

Headquarters locations of the organizations we surveyed
• Americas (North America, South America): 30%
• APAC (Asia Pacific): 29%
• EMEA (Europe/Middle East/Africa): 41%

KEY FINDINGS

CYBER INFLUENCES STRATEGIC VALUE
Working toward a bigger business impact

The path to cyber maturity is becoming even clearer as we look toward the future of cyber. Organizations that travel along that path will integrate cybersecurity risk strategies, security practices, and trust-building approaches into their business and technology transformation—enabled by a cyber-savvy C-suite and highly influential CISO. Those organizations can expect to see a bigger impact when it comes to measures of success, positioning their organizations to undertake transformation more effectively in a rapidly evolving digital landscape.

As organizations take continuous steps toward becoming cyber mature, they can set themselves apart from their peers by prioritizing and building cybersecurity connections across their business and technology operations, and their leadership. Doing so will enable them to more successfully achieve the strategic outcomes that we saw being prioritized in the previous edition of the survey.

In this report, we will explore high-level insights grounded in data from the survey, the cyber maturity index, and insights from global leaders, to show how and where high-performing organizations are standing out and to guide global cybersecurity professionals on how to become more mature in their cyber practices.

We will examine how…

1 Cybersecurity remains an essential element for strategic business value—and the focus is intensifying.
2 The CISO’s influence is growing across an increasingly cyber-savvy C-suite.
3 Cybersecurity has become deeply integrated with tech-driven programs and digital business transformation.
4 Organizations with greater cyber maturity are more confident and realizing greater benefits from their cyber actions and investments.

CYBERSECURITY REMAINS AN ESSENTIAL ELEMENT FOR STRATEGIC BUSINESS VALUE—AND THE FOCUS IS INTENSIFYING.

The foundational importance of cybersecurity is undeniable in today’s deeply interconnected digital environment. And organizations have no shortage of activities/actions and strategic levers they can pull to bolster their cyber readiness to enhance business value.

Taking action is a first step, but not the only step

Most respondents are taking the need for cybersecurity action seriously, with 86% of them implementing specific activities/actions to a moderate or large extent to increase cybersecurity. This level of action suggests that organizations overwhelmingly understand the need for these activities and a robust cybersecurity program to implement them. It also suggests that they are keeping pace as the list of activities they need to stay on top of continues to grow.

These respondents are focusing on a variety of activities for managing cybersecurity, including but not limited to: mitigating risks, enhancing cybersecurity controls, improving incident response, increasing employee awareness, and adopting a strategic cybersecurity plan.

When we project those activities through the lens of cyber maturity, we see that organizations with high cyber maturity undertake these actions to a greater extent compared to less cyber-mature organizations (Figure 2, see also Cyber Maturity, page 25).

“It’s really about getting the basics right and maturing them and being excellent at them, every day, consistently. Things like foundational controls, asset management, vulnerability management. You really need to excel there, almost mindlessly. They just have to happen”

—CISO, Life Sciences and Healthcare Organization

CYBERSECURITY ACTIVITIES AND THE CONNECTION TO MATURITY (FIGURE 2)
Organizations with high cyber maturity are engaging in these key cybersecurity activities to a greater extent compared to less cyber-mature organizations. (Percentage)

[Figure 2: chart comparing TOTAL (n=1,196), Low cyber maturity (n=421), Medium cyber maturity (n=612), and High cyber maturity (n=163) across the following activities]
• A strategic cybersecurity plan with the organization’s vision for the future and an operational plan on how to get there
• Our cybersecurity practices are guided by industry-specific standards and practices
• Annual cybersecurity awareness training among all employees
• A cybersecurity incident response plan that gets updated and tested annually
• A comprehensive plan to assess how we protect data where it is stored, processed, and transmitted
• Inventory of software components (e.g., APIs) is maintained
• Enhanced controls and measures to protect your customer/consumer Identity, access, and reduce identity fraud
• Full and updated inventory of assets and criticality are maintained
• Cybersecurity exercises are conducted at the C-Suite level to stress test response plans, communications, and recovery strategies
• Action plan for maintaining basic hygiene controls (e.g., inventory of IT assets, classification of data, patching and vulnerability management)
• Purchasing cybersecurity insurance
• Third-party cybersecurity risk management to monitor and track the security posture of partners and suppliers
• Ongoing, voice-of-the-customer input to understand cybersecurity and data privacy preferences

Guided by strategy, cybersecurity execution gets more integrated across the business

The overwhelming majority of organizations are also embracing a number of strategic cyber actions including: benchmarking and measurement, collaborating with trusted providers, participating in consortia for information sharing, and establishing governing bodies that comprise senior business and IT leaders to oversee cybersecurity capabilities and investments.

Overall, 83% of respondents surveyed agree or completely agree that such measures are an integral part of their overall cybersecurity strategy. This level of agreement suggests continued integration of cybersecurity strategy into the business.

GETTING STRATEGIC ABOUT CYBERSECURITY (FIGURE 3)
The specific strategies respondents say they are undertaking to enhance and improve cybersecurity. (Percentage, n=1,196)

Statement | Completely disagree | Disagree | Neither agree nor disagree | Agree | Completely agree
We have a governing body comprised of senior business and IT leaders, to oversee cybersecurity capabilities and investments. | - | 2 | 12 | 45 | 41
We partner with trusted provider(s) to deliver specific cybersecurity outcomes or to operate key cybersecurity capabilities. | - | 3 | 12 | 46 | 39
We employ qualitative risk assessments to measure the return on our cybersecurity investments. | - | 2 | 15 | 44 | 39
We use cybersecurity maturity assessments to guide our cybersecurity investment decisions. | - | 3 | 15 | 43 | 39
We employ risk quantification tools to measure the return on our cybersecurity investments. | 1 | 3 | 15 | 43 | 38
We benchmark our cybersecurity activities against other industry leaders. | - | 3 | 15 | 45 | 37
We benchmark our cybersecurity spend against a defined group of peers. | - | 3 | 13 | 48 | 36
We participate in a consortium for information sharing. | 1 | 4 | 16 | 45 | 34

Note: Percentages may not add up to 100% due to rounding.

Eyeing bigger cybersecurity investments amid increasing threats

More than half of the global respondents surveyed (57%) anticipate increasing their budget for cybersecurity over the next 12 to 24 months. Fifty-eight percent of respondents also indicated that they expect to begin integrating their cybersecurity spend with budgets for other programs, such as digital transformation initiatives, IT programs, and cloud investments. This level of investment and budget integration underscores the increasingly interwoven nature of cybersecurity activities across the business. It also emphasizes the reality that cyber funding is a zero-sum game, as cybersecurity is often overlooked during transformation projects, to save costs in a zero-sum environment.

Continuously prioritizing and building cybersecurity connections across business and technology operations, as well as leadership, is crucial for organizations to differentiate themselves and achieve strategic outcomes successfully. A cyber-mature organization understands that cybersecurity is not just an IT issue but a business-critical imperative that requires integration across all functions and levels of the organization. By fostering such strong cybersecurity connections, organizations can enhance collaboration, information sharing, and decision-making related to cybersecurity.

This approach enables leaders to make informed strategic decisions that align with business objectives and mitigate cyber risks effectively. Ultimately, organizations that prioritize cybersecurity and build strong cybersecurity connections—integrating cyber across enterprise functions and leadership roles—can better protect their assets, reputation, and overall resilience in an increasingly digital world.

SPENDING ON THE RISE (FIGURE 4)
57% of respondents anticipate increasing their cybersecurity budgets over the next 12 to 24 months. (In US dollars and percent)

Annual revenue | Decrease | Remain the same | Increase
$500M–$1B (n=314) | 2 | 36 | 62
$1B–$5B (n=378) | 4 | 43 | 53
$5B–$10B (n=253) | 6 | 33 | 61
$10B+ (n=251) | 8 | 36 | 56
All respondents (n=1,196) | 5 | 38 | 57

We found that on average, overall respondents are spending between US$147 million and US$266 million annually on IT. Of that, 19% (US$39 million) is allocated for cybersecurity related activities, and respondents expect to increase that by 3% in the next 12–24 months.

“As companies differ across factors such as size, type of data they possess, online presence, and supply chain practices, their threat profiles will be unique. It’s imperative every company have a strong threat intelligence strategy that includes understanding who cares about them and why, and how they operate. Understanding the motivations and tactics of potential attackers is crucial for effective security measures.”

—Gary Harbison, Chief Information Security Officer, Johnson & Johnson

Attack realities are growing, including new threats and cyber risks related to Generative AI (GenAI)

The expected increase in investments comes as organizations experience a growing and diverse mix of cyber threats. Similar to the previous edition of the survey, cyber criminals and terrorists make up the top threat actors. They were reported by 42% of respondents as the leading concern across a diverse set of threat actors, which included hacktivists (threat actors aiming to make a statement related to political or social causes), cyber criminals (perpetrating malicious activities for financial profit), and insiders (with personal grievances and gains at stake).

As for the tools and techniques employed by cyberattackers, phishing, malware, and ransomware combined emerged as the top threat vector, reported by 34% of respondents. That level is down eight percentage points from the previous survey, coinciding with a significant jump in reported threats related to data loss—up from 14% in the previous survey to 28% in this survey.

Meanwhile, 40% of respondents said they have publicly reported six to ten cybersecurity breaches in the past year—an increase of two percentage points compared to the previous survey. And it is no surprise that attacks continue to trend upwards. The attack surface available to threat actors is large and continues to grow.

The survey also tracks how respondents are responding to new cyber risks arising from the emergence of GenAI. The analysis shows awareness of these risks is more pronounced among high-cyber-maturity organizations versus less-mature counterparts. Among the most cyber-mature organizations, these are the top four GenAI-related risks that respondents believe will impact their cybersecurity strategy:

• Explainability in GenAI outputs (82%)
• GenAI algorithms introducing information integrity risks (81%)
• Effectively developing controls related to GenAI and humans working together (81%)
• Data poisoning (e.g., corrupting the training data set to influence GenAI outputs) (80%)

As more organizations automate their processes and share their data with suppliers and other third parties, new vulnerabilities can emerge. These increasingly complex digital infrastructures and ecosystems introduce new opportunities for attack.

THE THREATS THAT ARE BREAKING THROUGH (FIGURE 5)
Where cybersecurity breaches are coming from—and how many organizations are experiencing them. (Percentage, 3rd edition vs. 4th edition)

[Figure 5: charts comparing 3rd Edition (n=1,110) and 4th Edition (n=1,196) across three panels]
• Actors/sources: Cybersecurity criminals; Cybersecurity terrorists; Unintended actions of well-meaning employees resulting in a negative event; Trusted third parties; Malicious employees; Organized crime; Hacktivists; Nation-states
• Tools/techniques: Phishing/malware/ransomware; Data loss related threats; APTs (Advanced Persistent Threats); DoS (Denial-of-Service Attacks)
• Number of breaches: 1–5; 6–10; 11–15; 16 or more; None

“Everything—and everyone is so interconnected, that the risk is magnifying. Think about our entire supply base. Think about all the levels of security capabilities across the whole spectrum of companies out there. We feel pretty good about what is happening on our campus and with our employees. But how do we ensure everyone coming in contact with our network has the same level of capability and capacity to deal with security and controls?”

—Patrick Milligan, Chief Information Security Officer, Ford Motor Company

Technology integrity is the top concern among respondents as expectations for the benefits to be gained from cyber programs grow

Amid the persistent web of threats, organizations are experiencing a range of negative effects, including impacts across three domains—financial, operational, and brand (Figure 6). Overall, across all three of these domains combined, the top two concerns are loss of confidence in tech integrity and operational disruption (Figure 1, page 7). This continued focus underscores the importance of having strong cybersecurity programs that can maintain critical technologies and operations, and boost business resilience.

Respondents are experiencing all negative consequences to a higher extent than in the previous edition of the report. On average, 56% experienced all these consequences to a moderate and large extent in the 3rd edition of the report, compared to 64% in the 4th edition.

This increase points to two potential realities. First, organizations might be more comprehensively reporting the impact from cyberattacks, signaling increased awareness. Second, the attack surface and frequency has increased due to GenAI and other advanced technologies, which highlights the growing importance of cybersecurity in the future and provides a clear call to action for putting in place robust cybersecurity plans.

TAKING A CLOSER LOOK AT THE NEGATIVE CONSEQUENCES, THROUGH THREE LENSES (FIGURE 6)
Where respondents see cybersecurity incidents having the biggest impact across financial, operational, and brand areas. (Percentage)

[Figure 6: chart comparing 3rd Edition (n=1,110) and 4th Edition (n=1,196) in three panels (Financial, Operational, Brand) for the following consequences]
• Loss of confidence in tech integrity
• Loss of revenue
• Defunding of a strategic initiative
• Drop in share price
• Regulatory fines
• Operational disruption, including supply chain/partner ecosystem
• Negative talent recruitment/retention impact
• Intellectual property theft
• Reputational loss
• Loss of customer trust/negative brand impact


These negative consequences from incidents or breaches sharply contrast with the benefits—positive business outcomes—that organizations expect to achieve with their cybersecurity initiatives. According to the survey, the top three expected outcomes of cybersecurity initiatives were (1) protecting intellectual property, (2) improving threat detection and response, and (3) increasing efficiency and agility (Figure 7).

The expected benefits speak to the enhanced operational resilience many respondents are seeing from their cybersecurity investments, with some variance by industry:

• Consumer: Strengthening confidence in tech/data integrity
• Energy, Resources & Industrials (ER&I): Increasing efficiency and agility
• Financial Services Industry (FSI): Improving threat detection and response, tied with protecting intellectual property
• Government & Public Services (GPS): Protecting intellectual property
• Life Sciences & Health Care (LSHC): Improving customer satisfaction and retention rate
• Technology, Media & Telecom (TMT): Increasing efficiency and agility

The hopes for cybersecurity are clearly high. As the primary owner of the cyber function, those expectations are directed at the CISO, who faces a massive job in managing and achieving business expectations. For any organization, a breach or incident will be inevitable, but the promise of cybersecurity is to minimize the risks and negative impacts and maximize as many benefits as possible—ultimately enabling a more secure and resilient organization operating with trusted data for use in driving growth.

EXPECTING OUTCOMES FROM CYBERSECURITY (FIGURE 7)
The benefits that respondents anticipate from cybersecurity initiatives—and the degree to which they are expecting them. (Percentage)

[Figure 7: chart showing, for each outcome below, the share of respondents (n=1,196) answering Not at all, To a small extent, To a moderate extent, or To a large extent]
• Protect intellectual property
• Improve threat detection and response
• Increase efficiency and agility
• Improve customer satisfaction and retention rate
• Strengthen confidence in tech/data integrity
• Improve brand trust and reputation
• Increase information transparency
• Enable our mission/purpose
• Avoid regulatory fines
• Boost revenue
• Ensure resiliency (organizational, supply chain, etc.)
• Provide confidence to experiment and innovate
• Boost customer loyalty to unlock business value and growth


THE CISO’S INFLUENCE IS GROWING ACROSS AN INCREASINGLY CYBER-SAVVY C-SUITE.

Survey respondents indicated that in their organization the CISO tends to hold the primary responsibility for the majority of cybersecurity activities asked about in our survey, with chief information officers (CIOs) also playing a key role. Often, those CISOs report to CIOs or to chief technology officers (CTOs). Approximately one-fifth of CISOs, however, report directly to the chief executive officer (CEO), according to the survey. This is an important signal of business alignment, with influence across the C-suite and executive leadership.

The influence of the CISO appears to be growing in other ways, too. The CISO, or equivalent leader, is increasingly involved in strategic business conversations about technology capabilities, reflecting their growing importance in driving business value.

CISO involvement is no longer optional
Roughly one-third of respondents said CISO involvement had significantly increased in the past year when it came to strategic conversations about the following technology capabilities: cloud, AI/cognitive computing, GenAI, data analytics, 5G, and customer identity and access management (Figure 8).

BRINGING THE CISO INTO STRATEGIC CONVERSATIONS (FIGURE 8)
Areas in which CISOs are involved in discussions on business-critical technology capabilities—and the degree to which they are involved.
(Percentage)
Technology capabilities charted: The cloud; Quantum computing; Artificial Intelligence/cognitive computing; Generative AI; Data analytics; 5G; Customer Identity & Access Management (CIAM); Operational technology; Enterprise resource planning (ERP) program; Internet of Things; Blockchain/cryptocurrency; Metaverse; Physical robotics.
Response scale: Involvement significantly decreased; Decreased; No change; Increased; Involvement significantly increased.
(n=1,196)

As the CISO’s voice of influence grows across leadership, and as organizations seek to become more cyber-savvy, we foresee them becoming an essential partner to advise and educate the board of directors and the C-suite on security vulnerabilities, risk scenarios, and actions needed for greater resilience. In the future, the CISO will be expected not only to lead the organization’s overall cybersecurity strategy but also to provide strategic guidance, collaborating closely with other C-suite executives to align security initiatives with business goals.

Among C-suite executives focused on cybersecurity, only 34% are very confident their C-suite and board can adequately navigate cybersecurity. They are 18 percentage points less confident than respondents overall (Figure 9).

The analysis indicates that cyber-mature organizations understand that the role of the CISO has become crucial to engaging the C-suite and the board, and key to addressing cybersecurity risks effectively. They recognize that, in taking on a more influential role, the CISO can provide valuable insights and guidance, and ensure that cybersecurity receives the attention and resources it deserves—as a strategic business issue requiring continuous attention and investment. While Deloitte sees this trend with the CISO role growing, we recommend organizations accelerate their actions to elevate the CISO’s role, given the evolving nature of cyber threats, technology capabilities, and cybersecurity’s integration with the business.

While most say the CISO’s role is evolving, and they have a seat at the table, there is still a lack of confidence that the C-suite can confidently navigate today’s complex cyber environment. These lower confidence levels could indicate a sobering of the C-suite to the complexity of today’s cyber landscape as CISOs effectively educate them on risks/threats and the organization’s ability to address them, as well as an over-confidence in the organizations’ cyber maturity and resilience among respondents overall.

“The big shift for us is by bringing in the security discussion before, not after, building the solution. We really want to move into ‘security by design’ as opposed to what often happens—‘security during assessment’—which requires security to be more of a strategic part of the overall business.”
—Director General, Cyber and IT Security, Government and Public Services Agency

CYBERSECURITY SAVVINESS IN THE C-SUITE AND A LOOK AT THE CISO’S REPORTING ALIGNMENT (FIGURE 9)
A look at the level of confidence leaders have in the C-suite, as well as an overall view on who CISOs report to.
(Percentage)
Panel 1: CISO/cybersecurity leader reports to the following leaders (n=1,196). Leaders charted: Chief Information Officer (CIO); Chief Executive Officer (CEO); Chief Technology Officer (CTO); Board of Directors; Chief Strategy Officer (CSO); Chief Security Officer (CSO); Chief Operating Officer (COO); Chief Financial Officer (CFO); Chief Data Officer (CDO); Chief Risk Officer (CRO); Business Information Security Officer (BISO); Chief Compliance Officer.
Panel 2: Confidence in C-suite and board of directors adequately navigating cybersecurity (n=1,196). Response options: Very confident; Somewhat confident; Neither confident nor unconfident; Somewhat unconfident.

While cybersecurity is a staple on the board’s agenda for most organizations, with 88% of respondents saying that their boards are addressing cyber-related issues quarterly, if not more often, there’s clearly room for greater education and for the CISO to advise on strategic risks and corresponding actions. On this point, Deloitte’s Tech-Forward Boardroom report recommends that to elevate boardroom conversations, tech leaders can translate technical jargon to business needs, partner more closely with the CFO to articulate business impacts, consistently structure reporting and benchmarking, co-present to the board, workshop through deep-dive technology sessions, create feedback loops, and cascade these activities across small board sessions and meetings.

“We have standard, quarterly updates with the board, and that did not exist a few years ago. I would say the depth of the discussion, not just frequency, is greater now as well. We have many more deep dives on key topics that the board now has questions about. We end up scheduling more time to go deeper.”
—Chief Information Security Officer, Financial Services Corporation

CYBERSECURITY HAS BECOME DEEPLY INTEGRATED WITH TECH-DRIVEN PROGRAMS AND DIGITAL BUSINESS TRANSFORMATION.

The boundaries of cybersecurity are blurring, just as the lines of digital transformation are blurring. As organizations share data and systems access with partners and other third parties, concerns about security and privacy are paramount. Ultimately, the growth of business, customer, data, and digital trust depends on cyber. Accordingly, many organizations are integrating cybersecurity across business and technology functions (Figure 10).

Integrating cyber across the business
Not only are organizations enhancing and securing their technological capabilities; they are changing the way they create new offerings. More than 80% of respondents say they are integrating privacy considerations into the early stages of product development, for example, which can help safeguard customer data and foster greater digital trust. Such considerations indicate that DevSecOps processes are reaching a new level of maturity, with cybersecurity leaders successfully embedded into product design and development teams (Figure 10).

“I always look at cyber as an enabler. If you want to drive fast on the highway, you need to make sure you’ve got bumpers and brakes and you know a number of things are working in your car, or you are not going to be able to stay on the road. Cyber acts as those bumpers or brakes to support the car (so you can drive at Internet speeds).”
—Vivek Khindria, SVP Cyber Security, Network, and Technology Risk, Loblaw

PRIORITIZING PRIVACY, TRUST, AND ETHICS (FIGURE 10)
Most respondents are taking steps to integrate cybersecurity with needs such as product development, protecting customer data, and other key areas.
(Percentage)
Response scale: Completely disagree; Disagree; Neither agree nor disagree; Agree; Completely agree. Shares for the last three response options, per statement:
• Embeds privacy considerations into the initial stages of product or service development: Neither agree nor disagree 14; Agree 43; Completely agree 40
• Maintains the talent and skills needed to effectively execute the cybersecurity strategy: Neither agree nor disagree 14; Agree 44; Completely agree 39
• Strives to protect its customer/consumer data while understanding customer needs, delivering seamless experiences, and using this knowledge to unlock business value and growth: Neither agree nor disagree 15; Agree 44; Completely agree 39
• Is proactive in identifying and addressing vulnerabilities in our cybersecurity systems: Neither agree nor disagree 16; Agree 43; Completely agree 38
• Places ethical considerations (e.g., fairness, transparency, accountability, inclusivity) as a top three priority shaping our cybersecurity strategies: Neither agree nor disagree 15; Agree 45; Completely agree 37
• Has increased our focus on digital trust as part of our cybersecurity strategy in the last year: Neither agree nor disagree 13; Agree 47; Completely agree 37
• Has implemented new processes in the last year to improve how we seek user consent prior to collecting personal data: Neither agree nor disagree 14; Agree 47; Completely agree 36
• Is overwhelmed by the need to comply with cybersecurity laws and regulations: Neither agree nor disagree 17; Agree 38; Completely agree 33
(n=1,196)

The integration of cybersecurity into more aspects of the business extends to spending, as well. As previously noted, a majority of respondents (58%) expect cybersecurity spend will begin to become integrated with other budgets for initiatives such as digital transformation, IT programs, and cloud investments. At the same time, a majority (55%) also see spend remaining siloed (Figure 11).

Those two majority views are not at odds; 25% of respondents selected both options—integrated spending as well as siloed spending—when asked about the future of cybersecurity spend. That duality reflects what Deloitte sees across organizations, with cybersecurity spend often coming from a mix of dedicated cybersecurity budgets, as well as budgets for IT, digital transformation, business areas, and products. In other words, the scale of cybersecurity spend slices across many priorities, requiring leaders to explore different, often concurrent models, to finance it.

WHERE CYBERSECURITY SPEND AND DIGITAL TRANSFORMATION INTERSECT (FIGURE 11)
How do you see the evolving digital landscape impacting your organization’s cybersecurity spend? Select all that apply.
(Percentage)
• Spend will begin to be INTEGRATED into/with other budgets (e.g., digital transformation, IT, cloud investments): 58
• Spend will remain SILOED and SEPARATED from other budgets (e.g., digital transformation, IT, cloud investments): 55
• Spend will become PRIORITIZED with a dedicated budget of its own for the first time: 37
• Budget ownership will shift from a single owner (e.g., CISO, CIO) to multiple owners (e.g., IT and Risk, etc.): 18
Around 25% of the respondents selected both the options—that spend will be integrated in some areas while staying siloed in others.
(n=1,196)
Note: Percentages may not add up to 100% due to rounding.

That march toward cybersecurity budget integration tracks closely with another emerging reality: Cybersecurity is a driver of business ambitions. Our survey results show that cybersecurity plays a large role in securing an organization’s investment in technology capabilities—especially when it comes to the priority areas such as cloud (48%), GenAI (41%), and data analytics (41%) (Figure 12).

“For our group, which operates globally, strengthening security is a crucial activity that is essential for promoting digital transformation. We have established an internal structure called the JFE-Security Integration and Response Team, allocating resources such as budget and personnel, and implementing necessary measures in terms of human, technological, and physical aspects. We aim to enhance cybersecurity measures in various business activities, including the development, design, manufacturing, and provision of products, systems, and services. As a result, we contribute to strengthening cybersecurity throughout the supply chain and, ultimately, to the overall cybersecurity enhancement of society on a global scale.”
—Akira Nitta, Chief Information Security Officer, JFE Steel

THE ROLE CYBERSECURITY PLAYS IN SECURING TECHNOLOGY INVESTMENTS (FIGURE 12)
How cybersecurity is influencing decisions on budgets in technology capabilities.
(Percentage)
Technology capabilities charted: The cloud; Data analytics; AI/cognitive computing; Operational technology; Customer Identity and Access Management (CIAM); Quantum computing; Generative AI; 5G; IoT; ERP program; Metaverse; Blockchain/cryptocurrency; Physical robotics.
Response scale: No role at all; Small role; Moderate role; Large role.
(n=1,196)
Note: Percentages may not add up to 100% due to rounding.

When it comes to cloud technologies, cybersecurity has a major role to play as an enabler, helping bolster security while simplifying the cloud landscape overall for organizations. The top cybersecurity actions respondents are taking to reduce the complexity of cloud ecosystems include conducting regular security audits and assessments (44%), implementing consistent security policies and procedures (45%), and employing cloud ecosystem monitoring technology across multiple parties and solutions (46%) (Figure 13).

CYBERSECURITY ACTIONS TAKEN TO REDUCE CLOUD ECOSYSTEMS (FIGURE 13)
What cybersecurity actions is your organization taking to reduce complexity across your cloud ecosystems?
(Percentage)
• Employing cloud ecosystem monitoring technology across multiple parties/solutions: 46
• Implementing consistent security policies and procedures: 45
• Conducting regular security audits and assessments: 44
• Deploying identity and access management controls: 43
• Establishing clear agreements and governance measures within the ecosystem: 43
• Leveraging automation tools for security tasks: 40
• Implementing zero trust security model: 36
• Sharing threat intelligence with others: 34
(n=1,196)

Eye on AI-enabled cyber solutions
Given the importance of AI today, we included it in our index for cyber maturity in this edition of the survey. Some of the top ways organizations are focused on using AI to enhance cybersecurity capabilities include digital infrastructure monitoring, advanced simulations, and automated security.

Artificially generated content enables attackers to create customized content with a much lower time investment. A wave of artificially generated content is now targeting enterprises, exploiting vulnerabilities by impersonating trusted sources. The problem is accelerating rapidly. None of this means enterprises are powerless against the tidal wave of artificially generated content coming their way. Leading enterprises are taking proactive steps to make sure they don’t become victims (Source: Deloitte 2024 Tech Trends: Defending reality: Truth in an age of synthetic media).

And while the future of AI is evolving, so too is the future of cyber. They are evolving together as organizations leverage novel AI solutions to ease the cybersecurity burden. Among survey respondents, 39%, on average, are using AI capabilities in their cybersecurity programs to a large extent. At the same time, respondents have also expressed concerns related to AI, expressing a need to update their cybersecurity strategies to keep up with continuous technology innovation (Figure 14).

“Of course, the focus is keeping the bad guys out. But we also have to look into the impact of these new technologies (like AI) and how that will impact our landscape. How do we make sure that we apply and use AI in a safe and secure manner, as well as how we use AI to better deliver security within our cyber framework?”
—Director General, Cyber and IT Security, GPS Agency

AI CAPABILITIES COMING INTO FOCUS (FIGURE 14)
Where and how respondents are seeing AI emerge as a tool in their cybersecurity programs.
(Percentage)
• Deploying AI-based tools to continuously monitor the organization's digital infrastructure: Not at all 1; To a small extent 13; To a moderate extent 44; To a large extent 42
• Generating advanced cybersecurity simulations: Not at all 2; To a small extent 14; To a moderate extent 44; To a large extent 40
• Automating security processes such as network monitoring, anomaly detection, and threat response using AI: Not at all 2; To a small extent 14; To a moderate extent 45; To a large extent 39
• Enabling faster response time to potential security threats: Not at all 2; To a small extent 12; To a moderate extent 47; To a large extent 39
• Analyzing cybersecurity data in real-time, to understand complex relationships and identify novel attack vectors: Not at all 1; To a small extent 14; To a moderate extent 46; To a large extent 39
• Enabling automated security responses: Not at all 2; To a small extent 15; To a moderate extent 45; To a large extent 38
• Creating dynamic defense systems: Not at all 2; To a small extent 14; To a moderate extent 46; To a large extent 38
• Using AI to analyze historical data and identify potential cybersecurity threats and vulnerabilities: Not at all 2; To a small extent 15; To a moderate extent 45; To a large extent 38
(n=1,196)

Readying for the next wave of emerging technologies
As organizations continue to address AI-related risks and opportunities, other disruptive technologies are also evolving and marching steadily toward widespread viability. Quantum cybersecurity readiness is becoming a bigger focus for many organizations, as quantum computing gets closer to reality—projected to become mainstream in the next several years and providing a powerful new tool for cyberattackers to use in breaking cryptography.

The data shows almost 83% of respondents are assessing quantum-related risks or taking some kind of action, whether developing strategies, implementing pilot solutions, or implementing solutions at scale. While the majority (52%) of respondents are still assessing their exposure and developing quantum-related risk strategies, others (30%) are taking decisive action to implement solutions as early adopters.

These figures point to clear momentum on the issue, and leaders can get ahead of the challenge by understanding risk potential, reviewing their data and system governance, prioritizing vulnerabilities relative to business operations, and developing a roadmap for cryptographic algorithm updates. Doing so can allow them to get a head-start on what is often a multiyear initiative and introduce new algorithms in an orderly way across broader enterprise transformations, as well as via updates to contracting mechanisms.

THE QUANTUM CONNECTION (FIGURE 15)
How organizations are thinking about the approaching quantum era and the need for quantum cybersecurity readiness.
(Percentage)
• Currently not concerned with quantum-related risks: 4
• Aware of quantum threats but has not yet taken action: 13
• Assessing our exposure to quantum-related risks: 27
• Developing strategies to address quantum-related risks: 25
• Implementing beta solutions to mitigate/avoid quantum-related risks: 18
• Implementing solutions at scale to address quantum-related risks: 12
(n=1,196)

ORGANIZATIONS WITH GREATER CYBER MATURITY ARE MORE CONFIDENT AND REALIZING GREATER BENEFITS FROM THEIR CYBER ACTIONS AND INVESTMENTS.

CYBER MATURITY INDEX
Deloitte drew from our experience working with thousands of organizations worldwide to segment high-cyber-maturity organizations from their medium- and low-cyber-maturity counterparts.

To identify this distinct class of cyber leaders and more fully understand the extent to which cybersecurity supports business success and value, we used four sets of leading practices to rate, or index, organizations:

• Robust cybersecurity planning, indicated by the presence of strategic, operational, and tactical plans to defend against, and respond to, cyber threat (see Figure 3, page 11, for full list of planning strategies).
• Key cybersecurity activities, such as qualitative and quantitative risk assessment, industry benchmarking, and incident response scenario planning (see Figure 2, page 10, for full list of activities).
• Effective board engagement, exemplified by organizations whose boards address cyber-related issues on a regular basis.
• Deployment of AI capabilities within the cybersecurity program, focusing on organizations that are undertaking at least five of eight cyber-AI-related actions to a large extent (see Figure 14, page 23, for full list of actions).

This last criterion—for AI capabilities—is new in this edition of the survey, to reflect the evolution of technology and business, and what it means to be cyber-mature. When we use just the first three criteria (the same index we used in the previous edition), we see a three-percentage-point increase in cyber-mature organizations—from 21% of organizations to 24%—which is promising growth.

By including the AI factor in this edition’s cyber maturity index, however, we can define a more elite group of organizations that are at the forefront of shaping the future of cyber.

In this edition of the survey, high-cyber-maturity organizations represent 14% of respondents surveyed. How they are approaching cybersecurity compared to the medium- and low-cyber-maturity groups provides important lessons that enterprise leaders can use to elevate their organization’s cyber and business value.

CYBER MATURITY SEGMENTS
(Percentage of respondents)
• Low cyber maturity (n=421): 35
• Medium cyber maturity (n=612): 51
• High cyber maturity (n=163): 14%

Expectations run high for the cybersecurity function
Respondents in high-cyber-maturity organizations are highly attuned to the potential benefits that can come from their cybersecurity measures. On average, respondents in high-cyber-maturity organizations are 2.4 times more likely than respondents in low-cyber-maturity organizations (and 1.6 times more likely than respondents in medium-cyber-maturity organizations) to expect positive outcomes from their cybersecurity measures (Figure 16).

Some of those benefits include ensuring organizational resiliency (76%), improving threat detection and response (74%), and protecting intellectual property stature (74%)—three areas in which the expectations of respondents in high-cyber-maturity organizations stand far apart compared to low-cyber-maturity groups.

This picture reflects the challenge, as well as the promise, of cyber. The most cyber-mature organizations have considerably higher expectations across all measures. While they recognize the important role that cybersecurity should play, that realization puts more pressure on them to get things right.

CYBERSECURITY DRIVING OUTCOMES (FIGURE 16)
The benefits that organizations expect to see from their cybersecurity efforts.
(Percentage shown across all three cyber-maturity groups)
Differentials between high-maturity and low-maturity segments (% points):
• Protect intellectual property: +44
• Improve threat detection and response: +45
• Increase efficiency and agility: +37
• Improve customer satisfaction and retention rate: +39
• Strengthen confidence in tech/data integrity: +43
• Improve brand trust and reputation: +33
• Increase information transparency: +39
• Enable our mission/purpose: +42
• Avoid regulatory fines: +36
• Boost revenue: +36
• Ensure resiliency (organizational, supply chain): +49
• Provide confidence to experiment and innovate: +43
• Boost customer loyalty to unlock business value and growth: +38
Groups charted: TOTAL (n=1,196); Low cyber maturity (n=421); Medium cyber maturity (n=612); High cyber maturity (n=163).

Threat detection and response approaches continue to evolve
No organization is immune to the negative consequences of cyber breaches and incidents—even high-cyber-maturity organizations. On average, our analysis suggests that high-cyber-maturity organizations have a stronger ability to detect cyber threats and stronger diligence in complying with corresponding reporting requirements. For example, 25% of respondents in high-cyber-maturity organizations reported 11 or more cybersecurity incidents in the past year, eight percentage points higher than overall respondents. While this may seem like a negative, these organizations may have stronger threat detection capabilities that allow them to more effectively identify and respond to threats.

In addition to having greater awareness of breaches and incidents, these organizations also understand the true cost that goes along with them—and, on average, the high-cyber-maturity group is 13 percentage points more likely than their lower-cyber-maturity counterparts to acknowledge the extent of financial, operational, and brand impacts.

This greater understanding reflects a “virtuous cycle,” providing a potential catalyst for the continued growth in cybersecurity integration across the business and its technology landscape. It also helps elevate the role of the CISO to preserve and protect value in the future, enable operational efficiency and resilience, and support innovation and revenue growth objectives.

EXPECTED NEGATIVE CONSEQUENCES, BY MATURITY GROUP (FIGURE 17)
Respondents with high cyber maturity are seeing more cybersecurity incidents—likely, in part, because of their greater threat detection capabilities.
(Percentage)
Consequences charted: Reputational loss; Operational disruption—including supply chain/or partner ecosystem; Loss of confidence in tech integrity; Loss of revenue; Loss of customer trust/negative brand impact; Negative talent recruitment/retention impact; Defunding of a strategic initiative; Intellectual property theft; Drop in share price; Regulatory fines.
Groups charted: TOTAL (n=1,196); Low cyber maturity (n=421); Medium cyber maturity (n=612); High cyber maturity (n=163).

Creating confidence in the C-suite’s cyber readiness


Confidence in their C-suite runs high among respondents in high-cyber-maturity organizations. They are twice
as likely as respondents in low-cyber-maturity organizations to be very confident in the ability of the C-suite and
board to effectively navigate cybersecurity needs (Figure 18).

CONFIDENCE AT THE HIGHEST LEVELS (FIGURE 18)
How confident respondents are when it comes to the C-suite’s and board’s ability to navigate cybersecurity.
(Percentages shown across all three cyber-maturity groups)
Response options: Somewhat unconfident; Neither confident nor unconfident; Somewhat confident; Very confident.
Groups charted: TOTAL (n=1,196); Low cyber maturity (n=421); Medium cyber maturity (n=612); High cyber maturity (n=163).

High-cyber-maturity organizations appear to be more adept at leveraging cybersecurity to secure investments for
technology capabilities and in keeping the CISO involved in strategic conversations on digital transformation.

On average, respondents in high-cyber-maturity organizations are 2.5 times more likely than respondents in the
low-cyber-maturity group to say that cybersecurity plays a large role in securing investments in their technology
capabilities. The top areas in which they are securing those investments include cloud, data analytics, GenAI,
operational technology (e.g., industrial control systems) and AI/cognitive computing (Figure 19).

GREATER MATURITY MEANS A GREATER ROLE FOR CYBERSECURITY IN TECH-DRIVEN CAPABILITIES (FIGURE 19)
Compared to the other groups, the high-cyber-maturity group is seeing cybersecurity play a large role in securing investments in technology capabilities.
(Percentages shown across all three cyber-maturity groups)
Technology capabilities charted: The cloud; Data analytics; Generative AI; Artificial Intelligence/cognitive computing; Operational technology; Internet of Things; 5G; Enterprise resource planning (ERP) program; Customer Identity & Access Management (CIAM); Quantum computing; Physical robotics; Blockchain/cryptocurrency; Metaverse.
Groups charted: TOTAL (n=1,196); Low cyber maturity (n=421); Medium cyber maturity (n=612); High cyber maturity (n=163).

When it comes to strategy conversations around technology capabilities, compared to the low-cyber-maturity group, the high-cyber-maturity group is 2.3 times more likely to say that involvement by their CISO or cybersecurity leader has significantly increased. In high-cyber-maturity organizations, the areas in which CISO involvement is the greatest include cloud, AI/cognitive computing, the Internet of Things (IoT), GenAI, and data analytics (Figure 20).

“The role of the CISO is evolving. They need to bring in the right strategies to proactively guide the company in making data-driven decisions. As this entails increased engagement with executive leadership, CISOs should not only be technologically proficient but also operate with an executive-level mindset and business acumen to demonstrate how a cyber strategy will influence the business.”
—Gary Harbison, Chief Information Security Officer, Johnson & Johnson

WITH CYBER MATURITY COMES MORE CISO INVOLVEMENT IN STRATEGIC CONVERSATIONS (FIGURE 20)
High-cyber-maturity groups are seeing their CISOs brought into conversations more frequently across all areas.
(Percentage)
Technology capabilities charted: The cloud; Artificial Intelligence/cognitive computing; Internet of Things; Generative AI; Data analytics; Customer Identity & Access Management (CIAM); Quantum computing; 5G; Operational technology; Enterprise resource planning (ERP) program; Blockchain/cryptocurrency; Physical robotics; Metaverse.
Groups charted: TOTAL (n=1,196); Low cyber maturity (n=421); Medium cyber maturity (n=612); High cyber maturity (n=163).
LOOKING TO THE FUTURE

INSIGHTS FOR NAVIGATING THE FUTURE OF CYBER
Elevating cybersecurity across the enterprise

Thriving in the future of cyber will require organizations to understand the emerging trends, navigate them, and, most importantly, take action on them to deliver measurable impact for the business. By focusing on the following factors and potential steps, organizations can make strides toward greater cyber maturity and set themselves apart from their peers.

Elevate the cyber essentials, foster connections and collaboration, build greater resilience
As the focus intensifies on cybersecurity as an element for strategic business value, leaders should recognize that cybersecurity is not just an IT issue; it is a business-critical issue that calls for integration across all functions and levels of the organization. That will require an ability to continuously build and prioritize the connection to cyber across business and technology operations.

As organizations establish stronger leadership and strengthen cyber connections, they can enhance collaboration, information-sharing, and decision-making wherever business needs intersect with cybersecurity. Doing so can enable leaders to make strategic decisions that are highly informed by the realities of their business—all aligned with business objectives and the effective mitigation of cyber risks. Ultimately, by making cybersecurity a priority and by building stronger connections to cybersecurity across the enterprise, organizations can better safeguard their critical assets and their reputations while enhancing their overall resilience in an increasingly digital world.

Increase engagement and savvy among leadership, from the CISO to the rest of the C-suite and the board

The future of cyber points to a clear imperative: ensuring that the CISO is actively involved in strategic conversations about technology capabilities and the business. Once seen as a lead security guard for enterprise IT, the role of the CISO is evolving into one that helps safeguard the entire enterprise—from core business operations to brand reputation—while supporting innovation and the future of the business.

And the CISO should be joined by other cyber-savvy peers across the top levels of leadership. Addressing cybersecurity risks effectively—and in the context of business objectives—demands that the entire C-suite and board are regularly engaged in cybersecurity conversations. Because cybersecurity is a top risk for organizations, top leadership must remain heavily involved in its management and oversight. With engaged CISOs providing valuable insights and guidance to the board and the organization on cyber matters, cybersecurity can receive the attention and resources it merits—as a strategic business issue that requires continuous investment.

Make intentional efforts to integrate budgets, anchored in strategy and governance

The trend of cybersecurity budgets becoming integrated with budgets for other digital transformation investments is an important one. It shows that cybersecurity is receiving the recognition it deserves and suggests more departments may include cybersecurity in their funding plans going forward.

This integrated approach can lead to a more comprehensive strategy and better outcomes for overall security. By establishing a clear governance framework that supports a broader agenda and defines aspirations for cybersecurity, organizations can take crucial steps toward their business objectives. Such an approach means that everyone in the organization understands the importance of cybersecurity, commits the appropriate level of investment, and works toward a common goal.

By having effective governance in place, organizations can ensure that cybersecurity initiatives are aligned with other important business priorities, but there is a possible drawback to such integrated transformational investments. If cybersecurity is not specifically stated as a line item in budgets, it may get diminished, because it is treated as a portion of the cost rather than a value-enhancing investment.

“When it comes to strategy, one of the things that we are maturing … is starting with the
outcome. So always thinking about where do we want to be X years from now. And I believe in
security creating a strategy more than two years out, you will change a whole lot because the
threats will change, the technology will change, and so on … So we’re building based on outcome
in mind, which is really critical.”

—Chief Information Security Officer, Life Sciences and Health Care Company
TAKING THE NEXT STEP 33

MAKING THE FUTURE MATTER

The future of cyber is being written right now—with every second. New risks, technologies, and business choices are taking shape. How your organization prepares for them and acts on them will define your cyber maturity as well as the future of your business.

As the recognition of cybersecurity’s role grows within the enterprise, as top leadership becomes more engaged in strategic conversations about cybersecurity, and as cybersecurity becomes more integral to transformation ambitions, a new day is dawning. How will you make the most of what comes next? How will you make it matter for your business?

Get started

Contact us to explore insights from the 4th Edition of Deloitte’s Global Future of Cyber Survey, and discover what else the most cyber-mature organizations are doing to drive business value and set themselves apart.

Acknowledgements

Saurabh Bansode, Criss Bradbury, Deborah Elder, John Gelinne, Tanneasha Gordon, Matt Holt, Pratik Joshi, Diana Kearns-Manolatos, Isaac Kohn, Daphne Lucas, Mike Morris, Kelly Nelson, Iram Parveen, Sean Peasley, Abdul Rahman, Colin Soutar, Jan Vanhaecht, Marius von Spreti

Contacts

Emily Mossburg
Deloitte Global Cyber Leader
Principal, Deloitte & Touche LLP
+1 571 766 7048

Ian Blatchford
Asia Pacific Cyber Leader
Partner, Deloitte Australia
+61 474 288 278

Pedro Parra
S-LATAM Cyber Leader
Partner, Deloitte Mexico
+52 55 89785689

Adnan Amjad
US Cyber Leader
Partner, Deloitte & Touche LLP
+1 713 982 4825

Xavier Gracia
Spain Cyber Leader
Partner, Deloitte Spain
+34 931697257

Niels van de Vorle
North and South Europe Cyber Leader
Partner, Deloitte Netherlands
+31 88 2882186

Amir Belkhelladi
Canada Cyber Leader
Partner, Deloitte Canada
+1 514 393 7035

Andre Gargaro
Brazil Cyber Leader
Partner, Deloitte Brazil
+55 11 5186 6213

Peter Wirnsperger
Central Europe Cyber Leader
Partner, Deloitte Germany
+49 40 320804675

Yuichiro Kirihara
Japan Cyber Leader
Partner, Deloitte Japan
+81 803 3672805

To find out more, please visit www.deloitte.com/futureofcyber.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms,
and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”)
and each of its member firms and related entities are legally separate and independent entities, which cannot
obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is
liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients.
Please see www.deloitte.com/about to learn more.

Deloitte provides industry-leading audit and assurance, tax and legal, consulting, financial advisory, and risk
advisory services to nearly 90% of the Fortune Global 500® and thousands of private companies. Our people
deliver measurable and lasting results that help reinforce public trust in capital markets, enable clients to
transform and thrive, and lead the way toward a stronger economy, a more equitable society, and a sustainable
world. Building on its 175-plus year history, Deloitte spans more than 150 countries and territories. Learn how
Deloitte’s approximately 457,000 people worldwide make an impact that matters at www.deloitte.com.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL),
its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means
of this communication, rendering professional advice or services. Before making any decision or taking any
action that may affect your finances or your business, you should consult a qualified professional adviser. No
representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness
of the information in this communication, and none of DTTL, its member firms, related entities, employees
or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in
connection with any person relying on this communication. DTTL and each of its member firms, and their related
entities, are legally separate and independent entities.

© 2024. For information, contact Deloitte Global.
