New world, new rules: Cybersecurity in an era of uncertainty

Cybersecurity is entering unchartered waters. A rapidly shifting world order and threat environment – powered by recent, exponential leaps in technology – is putting cyber strategies to the test.

Organisations are confronting the new reality of a post-globalisation era, one that’s marked by fractured alliances, weakened global institutions, tariff shocks and disrupted supply chains. We’re witnessing unprecedented technology advances that are expanding the attack surface and introducing novel cyber threats, many of them state-sponsored.

PwC’s 2026 Global Digital Trust Insights survey of 3,887 business and tech executives across 72 countries reveals how leaders are handling this era of uncertainty, where they’re falling short, and what they might do differently to better meet the challenge. Among the key findings:

• Geopolitical risk is shaping strategy: 60% of the business and tech leaders rank cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty.
• Resilience is a work in progress: Given the current geopolitical landscape, roughly half say their organisation is at best only ‘somewhat capable’ of withstanding cyber attacks targeting specific vulnerabilities. Only 6% feel confident across all vulnerabilities surveyed.
• Waiting for trouble: Only 24% of organisations are spending significantly more on proactive measures (e.g., monitoring, assessments, testing, controls) than reactive measures (incident response, fines, recovery). That’s the ideal spend ratio. Most companies (67%) are spending roughly equal amounts on both categories, which can be more costly and risky.
• AI agents for cyber defence: Agentic AI ranks among the top AI security capabilities organisations are prioritising over the next 12 months. They plan to deploy these agents for cloud security, data protection and cyber defence and operations, among other priority areas.
• The quantum clock is ticking: Although quantum computing ranks among the top five threats organisations are least prepared to address, fewer than 10% prioritise it in budgets and only 3% have implemented all leading quantum-resistant measures surveyed.
• Rethinking the cyber talent crisis: Skills shortages remain one of the biggest barriers to cyber progress. Over half (53%) are prioritising AI and machine learning tools to help close capability gaps, and specialised managed services are becoming strategic accelerators to provide expertise and scale.

Meeting the moment will require renewed urgency, creativity and different approaches – not a business-as-usual mindset. Our C-suite playbook translates this year’s findings into practical steps, helping key stakeholders strengthen their foundational security practices and implement future-ready measures calibrated to the new world we’re in.

Today’s cyber risks are shaped as much by geopolitics as by disruptive technologies. Upended alliances, trade disputes, weakened international institutions and other destabilising trends in the new era of strategic competition are reshaping the threat environment, as well as traditional methods of doing business.

Responding to this geopolitical climate, 60% of business and tech leaders are making cyber risk investment one of their top three strategic priorities for the year ahead. They’re also prioritising changes in critical infrastructure location (41%), trade and operating policies (39%) and cyber insurance policies (39%). With disruption now the norm, cyber is a critical lever for resilience.

Cyber strategy changes in response to current geopolitical landscape
(% that ranked in their top 3 areas)

Against this backdrop, confidence in cyber readiness is split. While about half of respondents say their organisations are ‘very capable’ of withstanding cyber attacks targeting specific vulnerabilities surveyed, just as many aren’t prepared. What’s more, only 6% say they’re very capable across all vulnerabilities surveyed.

Cybersecurity is about readiness. It means planning ahead and investing in proactive measures like monitoring, assessments, testing, controls and training – before a crisis happens. The alternative, relying primarily on reactive measures (e.g., response, customer care, remediation, recovery, litigation and fines), is more costly, risky and unsustainable.

Two-thirds (67%) of organisations say their proactive/reactive cost ratio is roughly even – spending about the same on proactive and reactive cyber measures or slightly more on either. Few (24%) are in the sweet spot of investing significantly more on proactive steps. What’s more, those numbers likely underestimate the true cost of reacting. While proactive spending sits in the security leader’s budget and is easy to track, reactive costs are dispersed across the business – legal, communications, operations, IT, product, marketing, government relations – and include harder-to-quantify costs such as lost opportunities and reputational damage.

Spending on reactive vs proactive measures

AI’s potential for transforming cyber capabilities is clear and far-reaching. That’s why it ranks highest in several categories we surveyed. AI enablement of key cyber capabilities is the top priority for allocating cyber budgets, using managed cybersecurity services and addressing cyber talent gaps.

To bolster their AI-enabled security capabilities over the next 12 months, security leaders rank threat hunting as their top priority. They’re also pursuing other capabilities such as agentic solutions, event detection and behavioural analytics, identity and access management, and vulnerability scanning and assessments.

Agentic AI among the top prioritised AI security capabilities
(Ordered based on those who ranked as their top priority)

Although quantum isn’t an immediate cyber threat, those who delay the transition to post-quantum cryptography may be exposing their sensitive data, authentication services and cryptographic systems. With implementation timelines stretching into years, establishing the foundations for quantum-resistant security demands early action today to avoid adversarial disruption for tomorrow.

Some organisations are making initial progress, with 29% in piloting and testing stages. However, only 22% have moved beyond piloting, and almost half (49%) haven’t considered or started implementing any quantum-resistant security measures. What’s holding them back? For many, it’s a lack of understanding around post-quantum risks, combined with limited internal resources and competing demands.

Quantum-resistant security progress

Cybersecurity workforce shortages continue to impede progress, especially as organisations push to operationalise AI, secure complex environments and prepare for next-generation threats.

Knowledge and skills gaps were the two barriers to implementing AI for cyber defence over the past year, forcing organisations to rethink how they scale capabilities. Many are exploring new ways to gain proficiency, including AI tools (53%), security automation tools (48%), cyber tool consolidation (47%) and upskilling or reskilling (47%). They’re also prioritising specialised managed services, especially those organisations that have experienced a major attack (48%).

AI and cloud are the top use cases for specialised managed security services. Organisations are using managed services for more than outsourcing capabilities. They’re partnering with providers to modernise the way critical systems get delivered.

Cybersecurity priorities for the use of managed services
(% that ranked in their top 3 priorities)

About the report

The 2026 Global Digital Trust Insights is a survey of 3,887 business and technology executives conducted in the May through July 2025 period.

One-third of the executives (33%) are from large companies with $5 billion or more in revenues. Respondents operate in a range of industries, including financial services (21%); industrial manufacturing and automotive (21%); tech, media and telecom (19%); retail and consumer markets (16%); healthcare (10%); energy, utilities and resources (9%); and government and public services (4%).

Respondents are based in 72 countries. The regional breakdown is Western Europe (32%), North America (27%), Asia Pacific (18%), Latin America (11%), Central and Eastern Europe (6%), Africa (4%) and the Middle East (3%).

The Global Digital Trust Insights survey had been known as the Global State of Information Security Survey (GSISS). Now in its 28th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.