Findings from the 2025 Global Digital Trust Insights – India edition
Advances in emerging technologies such as artificial intelligence (AI), increased adoption of cloud, and trends like connected devices have significantly expanded the attack surface and overall threat landscape for enterprises. Given that the focus on technology will only increase with time and with regulatory oversight likely to get more stringent, the need to build enterprise-level resilience is currently at an all-time high.
That cybersecurity needs to be an organisational priority is somewhat well accepted today. What is also increasingly acknowledged is that cyber resilience is a shared responsibility for the C-suite, and not just a chief information security officer’s (CISO’s) prerogative. While these are encouraging trends, PwC’s 2025 Global Digital Trust Insights uncovers critical deficiencies that organisations must urgently bridge to achieve effective cyber resilience.
Our survey encompasses feedback from 4,042 business and technology executives across 77 countries. Of these, 155 respondents from India shared with us their views on critical areas such as threat outlook and emerging risks, cyber investments and priorities, the impact of emerging technologies like generative AI (GenAI), regulatory developments, and cyber leadership strategies.
Some of the positive findings from our survey are as follows:
However, many concerns remain:
CISOs can play a crucial role in bridging these gaps, particularly by strengthening organisational collaboration with tech-enabled insights, and by sharing a view of the tangible business value derived from cyber resilience – be it in terms of operational cost, opportunity cost and the costs associated with possible risks, including reputation risk. This will help position cybersecurity as a core business function.
Cybersecurity is not just a value protector. It is a value creator. The sooner businesses acknowledge and appreciate this, the faster they will embark on the journey toward building enterprise-level resilience.
Steering through cyberthreats: Cultivating a harmonised blueprint for resilience
In the rapidly shifting realm of cybersecurity, organisations are confronted by ever more volatile and unforeseen threats. The rising dependence on cloud services, artificial intelligence (AI), connected devices and third-party vendors has significantly expanded the attack surface, making a flexible, enterprise-wide resilience strategy indispensable. To safeguard security and ensure seamless business continuity, it is imperative for organisations to align their priorities and readiness at every level.
Forward-thinking leaders must recognise that a reactive approach is no longer sufficient. Staying ahead of emerging threats requires taking proactive steps, continuously adapting and being dedicated to innovation. By fostering a culture of resilience and prioritising cybersecurity as a core business function, organisations can navigate this complex landscape with confidence and agility.
Organisations are most besieged by the threats they feel least equipped to confront. Top cyber risks, including cloud-related threats, attacks on connected products, social engineering and software supply chain compromises, are areas where security executives feel particularly underprepared. This disparity underscores the pressing need for heightened investments and fortified response capabilities.
Moreover, there is a discernible ‘perception chasm’ between security executives and other organisational leaders. Security leaders have ranked business email compromise as one of their top concerns, while business executives perceive third-party breaches as the most significant threat to operations. Interestingly, security leaders exhibit greater confidence in mitigating third-party breaches. This divergence accentuates the necessity for enhanced information sharing among leadership teams to ensure harmonised priorities.
Over the next 12 months, which of the following cyberthreats is your organisation most concerned about (e.g. risk to your brand, loss of business or business disruption, compliance)?
Over the next 12 months, which cyberthreats do you think your organisation is least prepared to address?
Source: PwC’s 2025 Global Digital Trust Insights
Over the next 12 months, Indian organisations are prioritising the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation. This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth.
8% of security leaders in India have reported a data breach with a cost exceeding USD 20 million
More than 33% of leaders indicate that a majority of their serious data breaches within the last three years cost them no less than USD 1 million. This number is marginally lower than that in our previous annual survey, highlighting the need for better readiness across different regions, industries and company sizes.
Which of the following risks is your organisation prioritising for mitigation over the next 12 months?
Source: PwC’s 2025 Global Digital Trust Insights
Top performers – those who consistently demonstrate high-quality cybersecurity practices – were less likely to experience data breaches during the same period. These prominent firms are expanding rapidly and their cyber budgets are anticipated to increase by 15% or more over the coming year, underscoring the connection between mature cybersecurity programmes, requisite investments and amplified resilience.
This trend indicates the importance of investing in robust cybersecurity measures and continuously evolving practices to safeguard against future threats.
In today’s sophisticated threat landscape, an intelligence-driven cyber investment strategy is essential. Business and technology leaders must align efforts to prioritise critical risks, ensuring resources are effectively allocated across personnel, processes and defence technologies.
It is essential to adopt a threat-informed approach by prioritising investments in critical cyber risks, meticulously evaluating their application and balancing these priorities with economic pressures. Aligning cybersecurity strategies with overall business objectives improves risk management and guarantees robust operations.
Executives should proactively assess both current and emerging risks, with regular cross-functional evaluations to keep strategies aligned. Further, it is important to emphasise holistic risk mitigation – spanning prevention, detection, response and recovery – and understand the broader impacts of breaches beyond financial harm.
Striking the balance between innovation and risk
As GenAI swiftly advances, it brings forth a myriad of opportunities across industries while simultaneously introducing complex cybersecurity risks. The dual-use nature of GenAI, capable of bolstering both cyber defence and offence, requires organisations to navigate an increasingly intricate threat landscape. Executives must address unpredictable attack vectors and integration challenges to harness the full potential of emerging technologies.
Furthermore, substantial data usage and associated legal challenges add complexity to the ethical implementation and oversight of GenAI. These factors underscore the necessity for strategic oversight and robust planning. By proactively addressing these challenges, leaders can ensure that their organisations not only capitalise on the benefits of GenAI but also maintain a resilient and secure operational framework.
In the past year, security leaders in India have observed a significant expansion in the cyberattack surface, driven by advancements in cloud technologies, GenAI and software as a service (SaaS). These innovations have not only increased the vulnerability to sophisticated threats but also lowered the entry barriers for less experienced threat actors, enabling them to execute large-scale phishing attacks and create convincing deepfakes.
This trend is echoed in the India chapter of PwC’s 27th Annual Global CEO Survey, where close to three-fourths of the CEOs recognised the increase of cybersecurity risks associated with the use of GenAI within their companies. GenAI implementation also highlights issues related to data security, privacy and regulatory compliance.
Additionally, the exponential rise of connected devices and operational technology (OT) is expanding the attack surface, affecting sectors such as manufacturing, healthcare and energy. With more interconnections, the complexity of securing these systems escalates. Moreover, quantum computing is still on the horizon, with 60% of security leaders focused on addressing vulnerabilities that could arise from its adoption.
*Showing combined percentage who selected ‘increase significantly’ or ‘increase slightly’
To what extent have the following technologies affected the cyberattack surface in your IT environment over the last 12 months?
Source: PwC’s 2025 Global Digital Trust Insights
While GenAI is expanding the cyber risk landscape for many organisations, forward-thinking executives are harnessing this very technology to bolster their cyber defences. The primary avenues for leveraging GenAI include modernising security operations centres (SOCs), enhancing threat detection and response, advancing threat intelligence, and refining identity and access management.
Despite these promising opportunities, organisations encounter significant challenges in integrating GenAI into their cybersecurity strategies due to the following factors:
In response to escalating cyberthreats, a striking 86% of executives have significantly increased their investments in GenAI, with a keen emphasis on governance. This strategic allocation highlights the critical need to balance the powerful capabilities of GenAI with robust risk management.
Simultaneously, companies are beginning to prepare for the quantum era. While widespread adoption of quantum technologies may still take time, there is a growing urgency to develop quantum-resistant technologies and post-quantum security measures to safeguard against potential future threats posed by malicious actors.
Continuous assessment of vulnerabilities, targeted investments in building advanced security measures, and promoting harmonious partnership among the legal, risk, security, and technology teams are crucial. By tackling these threats, companies can effectively safeguard critical assets and inspire trust across the board.
GenAI has the potential to transform an organisation’s cyber defence mechanisms. However, success is contingent on appropriately integrating and managing this technology in accordance with responsible AI practices. Failure to do so may leave an organisation trailing in the cybersecurity arms race against adversaries.
Investing in GenAI is merely the beginning. To truly advance, organisations will need to explore the untapped potential of other technologies, such as quantum-resistant solutions, to ensure their defences stay ahead of evolving threats.
As emerging technologies continue to reshape the cybersecurity landscape, it is imperative for C-suite executives to actively steer their organisations through both the opportunities and risks these innovations present.
Navigating complex cyber regulations: Are corporations prepared?
In today’s growing digital environment, compliance mandates are forcing businesses to quickly adjust to evolving regulatory requirements. The introduction of new regulations such as the Cyber Resilience Act, Digital Operational Resilience Act (DORA), the AI Act, Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the Singapore Cybersecurity Act highlights the pressing need for organisations to elevate their practices to meet these heightened standards.
As leaders steer their companies through this intricate regulatory landscape, a notable confidence disparity arises between CEOs and CISOs/CSOs concerning their ability to achieve compliance. Closing this gap is essential for leaders to create a reliable and transparent cybersecurity posture that can endure both regulatory scrutiny and emerging threats.
Cyber regulations are consistently driving heightened cybersecurity spending. Every executive surveyed acknowledges that regulatory mandates have driven them to bolster their security measures. Furthermore, close to three-fourths of these executives report that these regulations have tested, upgraded or strengthened their cybersecurity stance. This pattern highlights that, even in the face of challenges around compliance, regulations play a crucial role in promoting cybersecurity maturity across diverse sectors.
To what extent, if at all, have cybersecurity regulations increased your organisation’s cybersecurity investment over the last 12 months?
Source: PwC’s 2025 Global Digital Trust Insights
Companies that actively adopt compliance mandates frequently build more robust security structures and a more adaptive stance against emerging threats. Compliance should be seen not as a mere tick-in-the-box exercise, but as a strategic opportunity to build long-term resilience and foster trust with stakeholders.
As compliance requirements keep influencing the security landscape, senior leaders must stay ahead of the curve by leveraging these regulations as drivers of transformation. To sustain compliance preparedness and strategic enhancements, harmonious alignment between top management, security and the risk function is vital.
Unleashing the potential of cyber risk quantification: What’s stalling organisations?
Companies are increasingly relying on cyber risk measurement as a crucial tool as cyberthreats become more advanced and intricate. Although this approach has demonstrated benefits, challenges around data quality and output dependability have obstructed its broader adoption. To fully harness the potential of cyber risk quantification, security leaders must plan to overcome these barriers.
Although a large majority of senior leaders acknowledge the importance of quantifying cyber risk to prioritise investments (95%) and align risk evaluations with defined tolerances (94%), only one-fifth of organisations are adopting thorough risk quantification methodologies, such as automation and extensive reporting.
What challenges, if any, has your organisation faced in quantifying the potential financial impact of cyber risk?
Source: PwC’s 2025 Global Digital Trust Insights
Of those that do assess cyber risk, over 60% of senior leaders state that they are using security posture evaluations to quantify residual risk by examining key controls such as adherence to vulnerability remediation, user access reviews and training completion.
This is often followed by scenario-based quantification methods such as FAIR and Monte Carlo simulations. However, these initiatives have not substantially increased the adoption of cyber risk quantification.
Advantages of cyber risk quantification
Source: PwC’s 2025 Global Digital Trust Insights
Key obstacles to implementing cyber risk quantification include uncertainty around the intended scope of outputs, data quality issues, legal and regulatory concerns, and doubts about the reliability and trustworthiness of the results. Moreover, our survey revealed that senior leaders’ expectations often do not align with the outcomes delivered by CISOs, highlighting the need for inter-disciplinary alignment on an organisation’s risk tolerance.
It’s time to unlock the full potential of cyber risk quantification. The disparity between acknowledging the value of cyber risk quantification and implementing it is an overlooked opportunity that must now be addressed. Organisations that fail to measure cyber risk or haven’t fully developed this capability are missing out on critical intelligence, especially for board decisions and capital allocation.
Organisations cannot afford to let obstacles to adopting cyber risk quantification obstruct essential decision making. Leaders must address these challenges head-on to inspire trust in the process of cyber risk quantification, and seamlessly integrate it into strategic planning.
Developing a dependable cyber risk quantification system is crucial for informed decision making and prioritising strategic investments. By precisely assessing cyber risks, leaders can align cybersecurity initiatives with wider enterprise goals.
Fostering resilience through strategic investment and trust building
Cybersecurity has strengthened its position as a vital business imperative. Companies are acknowledging its value as a competitive advantage and a means to uplift their reputation and inspire trust. Accordingly, security leaders are increasing their cyber expenditure, with a sharp focus on data protection and trust. Investments in these areas are not only enhancing resilience but also promoting companies favourably in the eyes of their stakeholders.
Increases in cyber budgets have remained proportionate compared to last year with smaller organisations investing a comparatively higher percentage of their resources compared to their larger counterparts. This trend suggests that smaller firms are striving to establish themselves in areas where larger firms have already invested substantially. Larger firms are more concerned about emerging threats and resilience, leading them to adopt a more measured approach to their investments.
How will your organisation’s cyber budget change in 2025?
Source: PwC’s 2025 Global Digital Trust Insights
In the coming year, organisations intend to place a strong emphasis on data protection and trust, post-breach remediation and cloud security as their top cybersecurity investments. They recognise that safeguarding sensitive information is crucial for maintaining stakeholder trust and brand integrity.
However, business and technology executives prioritise different areas based on their specific roles and responsibilities.
Business executives say data protection/data trust is their top investment priority, followed by remediation in the aftermath of recent cyber breaches or intrusions into the organisation or industry.
Cloud security continues to be the foremost concern for technology executives followed by GenAI/machine learning.
Despite investments increasing over the years, cloud security continues to command attention as risks have compounded due to rapid adoption of cloud technologies, cloud hyperscalers, unification of infrastructure, and the expansion of multi-cloud and hybrid environments. This increases the potential impact of data breaches, access misconfigurations and integration issues. Cloud security strategists must continue making recurring investments as it is essential to mitigate these heightened risks.
Which of the following investments, if any, are you prioritising when allocating your organisation’s cyber budget in the next 12 months?
Source: PwC’s 2025 Global Digital Trust Insights
In the evolving cybersecurity landscape, aligning budget increases with both current and future risks is crucial. Every rupee spent should enhance resilience and prepare the organisation for emerging threats.
Cybersecurity commitment is akin to building trust. Organisational commitment towards cloud security, data protection, and risk management will continue to inspire stakeholder confidence and fortify resilience.
Cybersecurity is not just about data protection; it’s about safeguarding your brand. In a competitive market, trust is paramount. Strengthening your security measures now will position your organisation as a leader in data integrity.
With increasing cybersecurity investments, it’s crucial for every C-suite leader to align their strategies with the critical business risks. These investments should drive mitigation of current vulnerabilities and help build trust and resilience for the future.
Is your approach to cybersecurity and its leadership fostering true resilience?
To effectively counter future threats, organisations must go beyond mere investments and enhance their cyber strategy and leadership. Enhancing lagging resilience measures and ensuring that CISOs play a significant role in strategic decision making are essential areas for improvement.
Organisations should emulate the best practices of high-performing peers, transitioning beyond familiar threats to implement an agile, secure-by-design business model. This approach not only mitigates immediate risks but also fosters trust and long-lasting resilience.
Despite growing fears about cyber risks, numerous businesses are struggling to fully embed cyber resilience within their fundamental practices. An evaluation of 12 crucial resilience measures in the areas of personnel, processes and technology reveals that 41% of executives believe their organisations have thoroughly adopted any single measure. This leaves a substantial number of companies that lack enterprise-wide resilience vulnerable to rising threats that are capable of disrupting their entire operations. Key areas that demand comprehensive organisational focus include:
To what extent is your organisation implementing or planning to implement the following cyber resilience actions?
Source: PwC’s 2025 Global Digital Trust Insights
A considerable number of companies are still unable to ramp up their cybersecurity practices, with only approximately 20% of executives reporting consistent implementation. For example, just 18% regularly anticipate future cyber risks, and only 27% typically allocate their cyber budget to the organisation’s top risks. This shortfall may stem from various factors such as lack of strategic foresight, inadequate resources, or a reactive rather than proactive stance on cybersecurity.
Typical practices undertaken by an organisation’s cybersecurity team*
(Showing percentage who selected 81–100% of the time)
Please indicate how consistently your organisation’s cybersecurity team does the following.
Source: PwC’s 2025 Global Digital Trust Insights
Over the next year, more than one-third of executives plan to improve experiences for both customers and employees. Added priorities include providing resources and collaborating with the CISO, as well as increasing the use of cyber managed services. These goals reflect a comprehensive strategy to not only speed up risk mitigation but also to build trust and safeguard stakeholders.
Organisations are progressively acknowledging the importance of cybersecurity as a key competitive advantage. A significant 65% of executives stress the importance of customer trust, while 64% point to business growth potential, underscoring the necessity of strong cybersecurity measures. Due to the evolving cybersecurity landscape, preserving a robust cybersecurity posture enhances credibility with customers and stakeholders. We live in an era where trust is crucial to business, and organisations that prioritise cybersecurity are better placed to stand out as leaders in both safety and integrity.
Leveraging cybersecurity to gain a competitive edge
(Showing percentage of respondents who selected ‘To a large extent’)
What, if any, are your organisation’s strategy, people and investment goals relating to cyber and privacy over the next 12 months?
Source: PwC’s 2025 Global Digital Trust Insights
To what extent does your organisation position cybersecurity as a competitive advantage in these areas?
Source: PwC’s 2025 Global Digital Trust Insights
Many organisations miss critical opportunities by failing to fully involve their CISOs in major initiatives. Fewer than half of executives say that their CISOs play a substantial role in drafting and reviewing regulatory disclosures. This lack of oversight results in misaligned strategies and weaker security postures, leaving organisations vulnerable.
Extensive involvement of CISOs in business activities
How involved is your organisation’s CISO in taking an active role in the following areas?
Source: PwC’s 2025 Global Digital Trust Insights
Lagging in cyber resilience leaves an organisation vulnerable to substantial risks. Implementing thorough measures across technology, processes and personnel is essential to strengthen defences and prepare for future challenges.
To bridge the gap, organisations must transition from reactive to proactive cybersecurity strategies. This involves better risk anticipation, strategic budget allocation and a commitment to continuous improvement.
Cybersecurity is about more than just data protection; it’s about safeguarding the brand. Trust is a key differentiator in today’s market, and enhancing security measures now will position an organisation as a leader in data integrity.
Immediate threat response is crucial. Slow reactions can damage trust and cause major business disruptions. Hence, it is crucial to prioritise rapid and decisive leadership.
Further, organisations need to involve their CISO in the highest level of decision making. The CISO’s expertise is vital for proactively managing cybersecurity risk. Involving them in key decision-making processes ensures effective protection of critical assets and reinforces resilience.
Strategic vision and unified alignment across the board are key requirements for strong cybersecurity leadership. Executives must support this alignment, from including the CISO in major decisions to prioritising resilience initiatives.
The 2025 Global Digital Trust Insights is a survey of 4,042 business, technology and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs and C-suite officers) based in various regions. The survey was conducted from May through July 2024. The India edition of the global survey report focuses on the responses of the executives of 155 Indian businesses.