IT Security

Significant gaps exist between perceptions of cyber resilience among top security executives and C-suite leadership, according to a report published in October by PwC.

More than two-thirds of technology leaders see cybersecurity as their top risk for mitigation, compared with only 48% for business leaders, according to the 2025 Global Digital Trust Insights report. The research is based on a survey of more than 4,000 business and technology executives across 77 countries. 

Less than half of executives said their CISOs were heavily involved in strategic planning, reporting to the board and overseeing technology deployment. In addition, there is a gap between CISOs and top C-suite executives over the company’s ability to comply with regulations, particularly those involving AI and critical infrastructure.

The research highlights a troubling gap between security executives and the C-suite at a time when the security industry has been pushing businesses to embrace cyber risk as a core business risk. 

“This gap can be concerning because it indicates that security and IT executives, who are more attuned to the day-to-day operational difficulties and potential vulnerabilities, may not be effectively communicating these risks to the leadership team—or may not have the opportunity to do so,” Matt Gorham, leader of PwC’s Cyber & Privacy Innovation Institute, said via email. 

The report indicates a misalignment between IT security leaders and the C-suite on their perceptions of cyber risk, as well as the top priorities necessary to address these issues.

According to the report, cloud security is the top investment priority for tech leaders, followed by data protection and trust. In contrast, nearly half of business executives in the study said that data protection is their top business priority, followed by tech modernization.  

More than a year has passed since the Securities and Exchange Commission voted to adopt rules requiring businesses to disclose material cyber incidents to investors. Those rules also require companies to disclose cyber strategies and risks. 

Prior studies show that while CISOs have gained more access to the C-suite and corporate boards, the various stakeholders have competing sets of priorities. 

A report released in May from Trend Micro shows that CISOs have felt pressure from corporate boards to downplay the severity of cyber risk facing their organizations. 

IT leaders say increased AI investments have made their organizations more vulnerable to cyberthreats, according to a Flexential survey published in September.

More than half of executives credit the complexity of AI applications for weakening their company's cybersecurity posture by expanding the attack surface, according to the survey of 350 IT decision-makers at organizations with annual revenues of more than $100 million. 

Around 2 in 5 IT leaders say their security teams lack the skills needed to protect AI applications and workloads. 

As AI has become more interwoven in the fabric of IT strategy, concerns around security have grown among enterprise leaders. 

So far, AI-driven attacks have been minimal in the context of overall threat activity, according to Chris Novak, senior director of cybersecurity consulting at Verizon. 

“I try to be careful about saying it because we’re not saying that it can’t happen or there aren’t any instances,” Novak told CIO Dive earlier this summer. “But what we’re seeing is that if you look at it from a statistical perspective, in the grand scheme of cyberattacks, AI is probably one of the lowest risks.”

Part of what’s driving the status quo is threat actors’ ROI. Cyberattacks that exploit human error are so successful that adding an often costly new technique wouldn’t change much, Novak said. More than two-thirds of data breaches this year involved a non-malicious human element, such as a social engineering attack or a worker making an error, according to Verizon’s annual Data Breach Investigations report. 

“Threat actors don’t necessarily need to try very hard,” Novak said. “For many of them, it’s already working just really, really well and the paydays are typically very fast.”

Organizations should continue investing in employee training to curb mistakes, but leaders can also take advantage of the lag in AI attacks. 

More than one-third of C-suite leaders pointed to cybersecurity and AI as top investment areas for upskilling this year, according to a Skillsoft survey published in June. Failing to mitigate skills gaps can exacerbate risks. More than 2 in 5 cyber pros admitted to having little to no experience in securing AI, according to ISC2 research.  

Infusing security into AI adoption plans is critical. 

“This is an opportunity for us to actually be ahead of the threat actors where normally, we’re waiting to see what they’ve done,” Novak said. Understanding how organizations can mitigate AI’s risks and protect the business from AI-driven attacks is key. 

Sponsored content

By Wind River eLxr Pro

As the Linux market is set to soar to nearly USD 100 billion by 2032,[I] businesses are facing mounting challenges in managing increasingly complex workloads spanning from the cloud to the edge. Traditional Linux distributions are not built to meet the specific demands of these modern use cases, creating an urgent need for a more specialized, enterprise-grade solution.

Historically, enterprises have depended on general-purpose Linux distributions operating across racked servers and hybrid data centers to centrally store and process their data. But with the rapid rise of edge computing and the Internet of Things (IoT), real-time data processing closer to the source has become mission-critical. Industries like healthcare, telecommunications, industrial automation and defense now require localized, lightning-fast processing to make real-time decisions.

This shift to edge computing and connected IoT has sparked a surge of use cases that demand specialized solutions to address unique operational requirements such as size, performance, serviceability and security. For instance, the telecommunications sector demands carrier-grade Linux (CGL) and edge vRAN solutions with reliability requirements exceeding 99.999% uptime.

Yet, traditional enterprise Linux distributions—while robust for central data centers—are too general to meet the diverse, exacting needs of IoT and edge environments. Linux offerings are continuing to expand beyond conventional distributions like Debian, Ubuntu and Fedora, but the market lacks a unified platform that can effectively bridge the gap between edge and cloud workloads.

Today’s complex computing needs demand a unified solution

To stay competitive, businesses need computing solutions that process time-sensitive data at the edge, connect intelligent devices and seamlessly share insights across cloud environments. But no single Linux provider has yet bridged the cloud-to-edge divide—until now.

Introducing eLxr Pro: one seamless solution for all enterprise-grade workloads

Wind River® eLxr Pro breaks new ground as the industry’s first end-to-end Linux solution that connects enterprise-grade workloads from the cloud to the edge. By delivering unmatched commercial support for the open source eLxr project, Wind River has revolutionized how businesses manage critical workloads across distributed environments—unlocking new levels of efficiency and scalability.

As a founding member and leading contributor to the eLxr project, Wind River ensures the eLxr project’s enterprise-grade Debian-derivative distribution meets the evolving needs of mission-critical environments. This deep integration provides customers with unparalleled community influence and support, making Wind River the go-to provider for secure, reliable, enterprise-grade Linux deployments.

Why eLxr Pro is a game-changing solution

Built on the stable foundation of Debian, eLxr Pro offers the proven reliability and hardware compatibility needed for the most demanding use cases. Whether you're managing centralized cloud applications or distributed edge systems, eLxr Pro delivers a tailored solution backed by expert commercial support, streamlining operations and accelerating innovation.

This breakthrough solution is the result of Wind River’s 20-year leadership in the open source community and embedded systems market. By bridging critical gaps for enterprises, eLxr Pro empowers businesses to scale seamlessly, innovate faster and thrive in a connected world.

The eLxr Project: Expanding access to cutting-edge technologies

The eLxr project is a community-driven initiative that offers an open source, enterprise-grade Debian-derivative distribution. This platform empowers enterprises to adopt scalable, secure and reliable Linux solutions for cloud-to-edge deployments.

• Upstream-first approach: Fully aligns with Debian’s open governance, ensuring a free operating system that preserves software freedom
• Cloud-native-ready: Optimized for containerized workloads and supported across a range of modern runtimes
• Performance-optimized: Ready for commercial off-the-shelf (COTS) hardware and prioritizing support for silicon accelerators
• Security-first: Continuous security monitoring throughout package lifecycles
• Compact and extensible: Right-sized packages adaptable to industry-specific needs

5 ways the eLxr Project helps close the gap

1. One platform for every use case: Deploy a unified Linux solution that scales effortlessly across environments, from cloud to edge, enabling smooth usage and the adoption of diverse hardware and new technologies.
2. Unmatched flexibility for innovation: Control your innovation roadmap with the eLxr project’s fully open source, upstream-first approach, eliminating vendor lock-in and putting the pace of progress in your hands.
3. Built for scalability: Whether you're scaling up in data centers or optimizing lightweight edge devices, the eLxr project is engineered to adapt, ensuring seamless performance across every infrastructure.
4. Optimized for cost efficiency: With a minimal footprint and a tailored feature set, the eLxr project reduces complexity, cuts operational expenses and enhances power efficiency, particularly in resource-constrained environments.
5. Enterprise-ready support: Gain confidence in your deployments with comprehensive lifecycle support, ensuring your Linux platform is always secure, up-to-date and backed by dedicated Wind River experts.

Partner with Wind River to drive cloud-to-edge success

With two decades of expertise in Linux and open source solutions, Wind River is uniquely positioned to help you succeed in even the most demanding cloud-to-edge deployments. eLxr Pro offers the flexibility, support and innovation necessary to stay ahead in a rapidly evolving digital landscape. Ready to close the gap between the cloud and the edge? Visit Wind River to discover how eLxr Pro can transform your operations.

Companies have largely overestimated their cyber resilience capabilities, and are mostly unable to maintain their own business recovery goals when confronted by ransomware or other malicious attack, according to a survey commissioned by Cohesity.

Nearly 7 in 10 IT and security leaders said their organization paid a ransom in the last year, despite widespread internal policies to not pay ransoms. Almost 4 in 5 respondents said their company had a policy to not pay extortions. 

Almost half of the companies surveyed said they need more than six days to recover their core business processes after an attack. 

The report highlights a disconnect between what companies like to project as their ability to withstand a malicious attack and their actual capabilities while under duress. 

The report is based on a survey, conducted by Censuswide, of more than 3,100 IT and security decision makers across eight countries between June 27 and July 18. 

About 4 in 5 respondents said they were confident in their company’s resilience strategy. However, the study indicated the projected confidence was based more on lofty goals instead of real world performance. 

The vast majority, 98% of respondents, said their companies had a targeted recovery time of one day in the event of a cyberattack or similar security incident. However, nearly one-third said they would need at least four to six days to recover and 31% said they would need one to two weeks.

The ability to recover from catastrophic IT and security incidents has taken on added significance in the wake of the February ransomware attack against Change Healthcare and the July IT outage impacting 8.5 million Microsoft Windows devices linked to a defective CrowdStrike software upgrade. 

In a bid to address the chronic cybersecurity workforce gaps, enterprises are looking beyond traditional four-year degrees to find qualified staff. 

More organizations are working to hire people with subject matter expertise, certifications or other credentials above, or even in place of, college degrees, CompTIA's State of Cybersecurity research found.

Security experts agree the industry may need more novel measures to help fill the shortfall. 

“They need to start getting creative about how they can find, recruit and hire candidates,” said Brennan Baybeck, SVP and CISO for customer success services at Oracle and ISACA vice-chair.

With 4 million cybersecurity professionals needed worldwide, according to ISACA’s 2023 Cybersecurity Workforce Study, there’s a substantial gap to fill, and requires collaboration between industry, government and workplaces.

To address the shortfall, partnerships between business and government agencies that train people in cybersecurity are emerging, and hyperscalers are offering free training and certifications, Baybeck said. 

For its part, Oracle is supporting government initiatives in Singapore and provides a range of free training and certification programs.

“Hyperscalers may be driving more use of their platforms, but the topics and concepts provide valuable knowledge that will address most of the skill gaps and help chip away at the millions of open cybersecurity positions out there,” Baybeck told Cybersecurity Dive.

Baybeck believes the collaborative approach is a win for everyone and can target where the skills gaps are most pronounced. Particularly short-staffed areas, including cloud computing, security controls, coding skills and DevOps, according to ISACA’s report.

“With cloud technology usage growing exponentially throughout the world, it’s a formula that should pay off for hyperscalers, their customers and individual workers,” he said.

Changing the approach to hiring and nurturing staff

The pace of change is one of the primary drivers of workforce skills gaps. Enterprise technology in general and cybersecurity in particular are moving faster than traditional learning pathways can keep up with, according to the CompTIA report. 

In response, organizations are recognizing different ways for candidates to prove their knowledge and skills. They're hiring less experienced people who can continue building their skills while also becoming familiar with corporate culture and objectives. 

But to make this work, businesses need to rewrite hiring criteria and become open to non-traditional candidates.

Training existing non-security staff to level-up their skills to take on new cybersecurity roles is another option, the ISACA report found. The benefit is that in-house people probably have some of the other skills and requirements, such as soft skills, a college degree, and prior hands-on technology experience. 

“Then it’s a matter of closing the specific skills gaps, which can usually be done if someone has the interest, passion and dedication to learn new things,” said Baybeck.

To assist in upskilling, Baybeck would like to see organizations offer more focused, modular learning programs, such as microlearning concepts that professional industry organizations or service providers offer.

“It would help people gain the skills needed to address the gaps, move into the workforce sooner and then they could supplement the cyber skills with a degree or certification,” he said.

The gap in soft skills in 2024

Soft skills, including communication, is the other major area that’s in demand at the moment, according to the ISACA report and the latest ISC2 Cybersecurity Workforce Study.

While organizations continue to look for people with technical backgrounds, because it’s an easier pathway into cybersecurity, they’re increasingly giving more weight to non-technical skills, according to ISC2. 

“Over the last few years, we’ve seen organizations moving to hire for the non-technical skills first and organizations doing are more quickly dealing with their workforce gaps than those holding out for a more detailed skill set,” said Clar Rosso, CEO of ISC2.

The non-technical skills organizations are prioritizing include problem solving, curiosity and eagerness to learn, effective communications, critical thinking and analytical thinking, Rosso told Cybersecurity Dive.

Despite the fervor about the possibilities of generative AI, Rosso doesn’t see AI displacing the workforce, but rather changing the types of jobs people do which will put more emphasis on non-technical competencies.

“In an AI-driven world, we need more people who can apply their analytical and critical thinking skills to understand the data they’re looking at and whether it’s relevant and accurate, and consider the decisions to make against it,” she said.

Rosso expects to see an increase in demand for skills that touch on the safe and ethical use of AI within organizations and risk more broadly.

“Hiring managers may start to prioritize people who have risk assessment, analysis and management skills,” she said.

It’s part of a broader shift in cybersecurity that’s moving from an offensive approach to more of a defensive position around risk management.

“Risk is the basis of everything in cyber defense, understanding, analyzing, mitigating and transferring risk,” she said.

In taking this change of approach, organizations may need to step back from prioritizing specific experience and instead look at the competencies required for that task. Doing so could help address the workforce gaps by broadening the field of candidates and even improve diversity.

“We've had this workforce gap for so long, organizations are thinking differently about who and how they hire,” she said.

High-profile incidents, escalating threats and cascading impacts have raised the C-suite's awareness of the perils of poor security and resiliency practices. 

“Fortunately — or unfortunately — discussions around security and technology investment are becoming relatively easier,” Feroz Merchhiya, CIO at the City of Santa Monica, said during a CIO Dive live event. 

Nearly 9 in 10 IT decision-makers expect their security budgets to increase in the next year. Of those, 14% expect a budget bump of at least 15%, according to an ETR survey published in May. Cyber is also a top priority for enterprise upskilling efforts and a fixture of generative AI plans. 

Merchhiya joined the City of Santa Monica in July and previously held a dual CIO-CISO title at the City of Glendale in Arizona. During his four-year stint, Merchhiya said a monthslong stretch of events illustrated the value of and need for investment in security best practices. 

In 2023, the city hosted Super Bowl LVII, the debut of Taylor Swift’s Eras Tour and Beyoncé's Renaissance Tour. The influx of fans and tourists created a target-rich environment, and leaders were already on high alert because of cyberattacks around the country targeting local utility services, Merchhiya said. 

Most CIOs don’t have to search far for the real-life implications of lackluster security. Though the C-suite is far more informed about risk, tech leaders still have to show — and maximize — the value of cyber investments. 

“The overall requirement of operational resiliency and having that technology to support that resiliency doesn't change whether you're in public or private sector,” Merchhiya said. 

3 lessons: take stock, find gaps, show value

Even with heightened awareness and focus on cyber, leaders are still accountable for making the most out of their resources.

“You have to be mindful of every dollar you spend, and in my mind, there’s no secret sauce to figuring out how to maximize the value,” Merchhiya said. But it starts with being realistic about what the business needs. 

“Look at your assets that you have available, see what they deliver for you,” Merchhiya said. “Because as a technologist, we do get attracted and enamored by new and emerging technology.”

There’s a time and place for introducing emerging tech, but that shouldn’t be the automatic next move. Cross-referencing tools to use cases will help uncover gaps and app sprawl. The process will also assist in determining whether a new tool or technology is necessary. 

“There are a lot of things that can be handled by simple, basic cybersecurity hygiene,” Merchhiya said. 

While C-suite leaders craft goals, tech leaders are tasked with knowing how to get organizations tech stack to that next level. Sometimes it requires an internal culture shift that CIOs can shepherd. 

Engaging the C-suite can take different forms, from highlighting market changes or challenges as they arise to building relationships. Organizations that have a legacy mindset, which Merchhiya characterized as a reluctance to change, will require more coaxing if policies or practices should be updated.  

“Education goes a long way when you go back in during budget conversations and ask for investment, because they understand the context,” Merchhiya said. 

Tying investments back to an ROI analysis will also present a stronger argument for more resources. Tech leaders should work to clearly understand and explain how tools or capabilities prevented breaches, mitigated risks or expedited recovery. 

“Each organization will have those opportunities in the context of their operating environment, and they have to do that,” Merchhiya said. “But it’s a concerted effort to have to spend time in presenting that benefit … so that your business partners can understand what your investment is delivering.”

Executives are targeting upskilling investments toward cyber, AI and data training opportunities as hiring for these skills remains a persistent pain point, according to a Skillsoft report. The corporate training company surveyed 5,711 IT decision-makers and staff, including 219 C-level executives. 

More than one-third of C-suite leaders identified cybersecurity and AI as top investment areas for training, and 3 in 10 said data. A year ago, only 13% of executives said hiring for AI skills was difficult — 32% said finding AI talent was challenging this year. 

“The reality is you can’t have a department operating at 100% efficiency when you don’t have a workforce qualified to meet those expectations,” Skillsoft said in the report. “You can’t take full advantage of emerging technologies without skilled staff.”

AI, data and cybersecurity have always been intertwined, but the need for highly skilled teams in these areas is reaching a boiling point.

Without a good foundation and understanding, teams are left to toil. 

“Gaps in skills necessary to keep a department running seamlessly is a heavy weight on IT leaders’ shoulders,” Skillsoft said in the report. “Decision-makers need to get creative with how they handle skilling, reskilling, and upskilling — whether it’s addressing root causes behind recruitment or retention issues or investing in more effective, efficient training solutions.”

Businesses have incentives to plug the holes. Critical gaps in skills can put pressure on those ultimately bearing the burden: existing IT staff. Employees who feel overworked and behind on projects aren’t having a great experience at work, which can lead to them searching for greener pastures. 

Women in tech plan to leave their jobs this year at a comparable rate to that of 2022’s "great resignation" era of high attrition, according to an Ensono report. Enterprises that aren’t willing to support employees at work are putting their aspirations at risk. 

“You already have a known commodity: a workforce that knows your business, your customers, your process,” Skillsoft said in the report. “What you might not have, in terms of new skills or expertise in emerging technology, can be developed by dedicating resources to new certifications and continuous learning.”

Cloud security is a top priority for organizations around the world, Thales research found. The report is based on a survey of 3,000 IT and security professionals from 18 different countries.

More than 2 in 5 respondents said they have had their cloud environments breached in the past, with 14% of respondents reporting a breach in the past year. 

For nearly one-third of incidents, human error and misconfiguration are to blame. Respondents also cited the exploitation of known vulnerabilities in 28% of breaches and failure to use multifactor authentication in 17%.

Thales research comes at a time when cloud security is under heightened scrutiny.

Leading cloud providers, such as Microsoft and others, have been targeted by sophisticated threat groups targeting companies, government agencies and other organizations that store data in the cloud. 

A wave of attacks have impacted at least 100 Snowflake customer environments, with those incidents linked to failure to use MFA.

“The cloud is not inherently more secure than on prem,” Todd Moore, VP of data security products at Thales, said via email. “Security is determined entirely by the measures put in place to identify and protect the data within the cloud, and this responsibility lies between providers and users.”

As cloud use becomes more prevalent, companies are finding the attack surface — and the complexity of the network environment — are becoming more complicated. 

Application sprawl is partially to blame. The Thales study found two-thirds of organizations say they use 25 or more SaaS applications. And nearly half of data in the cloud is considered sensitive. 

Despite the high level of sensitivity, only 10% of organizations say they have encrypted 80% of their data.