Cyber Managed Services: Invest in cyber outcomes, not cyber headcount

5 minute read
March 18, 2026

Rich Kneeley

Managing Director, Cyber, Data and Tech Risk, PwC US

Cyber risk is now, more than ever before, a business continuity and enterprise volatility issue. It’s measured not just in security incident counts or direct losses, but in downtime, disrupted operations, and earnings uncertainty. As threat activity accelerates and third-party ecosystems expand, and finding and retaining good cyber professionals becomes increasingly difficult, the question for leadership teams is not whether cyber events will occur, but “Can the organization detect, contain, and recover with speed and discipline?”

Recent analyst research from Gartner¹ points to a rapid expansion of threats, including increased risk of data breaches and intellectual property leakage related to the growing use of GenAI. At the same time, PwC’s 2026 Global Digital Trust Insights survey shows cyber risk investment is now a top priority; 60% of business and tech leaders are making it one of their top three strategic priorities—yet confidence regarding vulnerabilities remains low, with only 6% of leaders saying they feel confident across all vulnerabilities surveyed.

The result is a widening gap between cyber investment and confidence in resilience, especially as ecosystems and AI expand the attack surface. In response, many organizations default to a familiar playbook: try to add headcount, add tools, add activity. But these additions don’t create resilience. Top executives now correctly view cyber as a question of enterprise continuity and downside risk to their companies (and their careers), and ask: “Can we prevent disruption where possible—and when disruption occurs, can we detect, contain, and recover fast enough to protect the business?”

To help confirm that cyber investments reduce exposure and not just add activity, leaders should define outcomes, instrument performance, and hold the operating model accountable for continuous improvement. But successfully doing all of that requires substantial resources, including cyber professionals, tools and experience. In-house can work for some, but it’s often expensive, fragile, and hard to sustain 24/7—especially under surge. Many companies don’t have the wealth of experience and resources of a managed services provider, which acts as a cybersecurity hub, serving that core competency to multiple companies across the globe and continuously learning and improving based on extensive real-world experience with threats and breaches.

Why more people doesn’t always equal less risk

Many leaders can readily quantify the size of their cybersecurity organization, inventory the tools they have deployed, and report how many incidents or cases their Security Operations Center (SOC) handled last month—often supported by dashboards that track operational activity.

The issue is, none of that tells you whether the business is safer tomorrow than it was yesterday. While many of today's executives can tell you how much they spend on cybersecurity, few can tell you how much operational or financial risk was reduced because of that spend.

If you measure your cybersecurity based solely on people and tickets, you can still have gaps in your risk exposure. In fact, headcount does not equal coverage. The number of tickets closed does not equal risk reduced. And the number of tools installed does not equal operational performance.

In other words, simply buying headcount is not a resilience strategy.

Additionally, many business leaders believe they can do cyber better in-house, by hiring more people, and that handing it off to someone else is a mistake. But it can be difficult to find and grow good talent and experience that can provide effective 24/7 coverage for today’s real-world cyber threats. Building that in-house—and incorporating a model designed for scale and surge—may be impossible without blowing up your HR model.

Enhance your investment and achieve outcomes that matter

Instead of redoubling efforts within a traditional people-and-tickets strategy that’s not providing resilience, consider managing cyber ops like any critical operation: Define outcomes, implement them, and focus on continuous evolution and improvement.

To enhane cyber investment, anchor on operational performance: time to detect, decide, contain, and recover. Also, build the operating model to improve those metrics over time. Consider engaging a team with direct experience responding to real-world threats and breaches across industries and geographies, with access to the latest tools and technologies. The objective is measurable resilience: faster detection and containment, and more reliable recovery.

When we manage cyber like a staffing plan instead of an operating capability, we often end up paying for motion and hoping it turns into resilience.

Experience matters. Independent analyst firms such as Forrester and IDC recognize PwC as a leader in their cybersecurity reports. Analyst research particularly notes our strengths in identity and access management, threat and vulnerability management, and incident response, as well as our ability to scale and develop cyber talent globally. We offer our wealth of cyber experience and resources not only through traditional consulting, but also as managed services that help effectively support and extend your organization. So you can focus on the business and rely on our global team of cyber professionals and our rich set of tested processes and technologies to help you manage risk and effectively respond to threats.

Measure the outcomes that matter

Let’s get more specific. Here are outcome measures that matter:

How long does it take to recognize something real is happening?
How long does it take to decide what to do?
How long does it take to contain it?

If you can’t answer those with confidence, your program may be built on optimism.

How long until critical services are restored?
How much business interruption did you experience—and can you reduce it next time?

This is where cyber becomes operational resilience, not just security.

How often do the same issues come back?
Are you eliminating root causes—or just closing tickets?

Repeat incidents are the tax you pay for a cyber program that’s trapped in reaction mode.

Not “we have a policy.” Not “we rolled out a tool.” Instead: What’s actually enforced—and what evidence can you produce?

This matters to regulators, auditors, and boards, and it matters the day after an incident when everyone wants proof.

Outcomes demand an operating model (not just a bigger team)

Threat actors have evolved from opportunistic individuals to organized criminal enterprises and nation-state actors. They require a disciplined, always-on operating model:

Clear ownership and escalation
Repeatable runbooks
24/7 coverage built for consistency, not heroics
A continuous improvement loop that reduces recurrence
Governance that turns technical signals into business decisions

Technology matters, but it’s rarely the main constraint. In many environments, the limiting factor is operating discipline: clear ownership, repeatable workflows, and measurable performance improvement. Without that foundation, even advanced tooling underperforms. With it, experienced professionals and well-crafted processes can help quickly solve problems and deliver cyber solutions.

PwC helps you retain your HR model and simultaneously tap our experienced, well trained, a multinational team of cybersecurity specialists who’ve dealt with a wide range of real-world threats and actual breaches and know how to reduce risk and effectively address risks. We can help reduce time to detect and contain, reduce recurrence, improve evidence readiness and increase coverage consistency. Our scale and breadth of incident experience, working with hundreds of professionals and clients worldwide, can help organizations anticipate second- and third-order issues—operational, regulatory, and stakeholder-related—before they become enterprise disruptions. That scale also allows us to continuously invest in top talent, modern tech and tooling, and automation, spreading the investment across our client base—so you can benefit from industry-leading capabilities without carrying the full fixed cost.

We position cyber as part of outcomes-oriented managed services, not just technology operations:

Cyber managed services aligned to business outcomes
Integrated platforms (e.g., analytics, automation, AI)
Continuous improvement vs. “run-the-tools” models
Executive dashboards tied to risk, resilience, and value

The bottom line

Cyber is not a discretionary technology spend, nor merely a department that you fund. It is a core operational capability that helps protect revenue continuity, stakeholder confidence, and enterprise value. Top-performing organizations define cyber in outcomes, measure performance relentlessly, and continuously reduce exposure over time. If you want clarity on readiness and volatility, start with an outcomes baseline. Then align the operating model to measurable improvement.

Executive Action: Shift from inputs to outcomes

Want clearer answers to questions about readiness, resilience and exposure? Let’s talk, starting with a conversation about outcome baselines and an operating model that can measure what matters and help improve it.

^{1. Gartner Inc., “Gartner Says Supply Chain Cybersecurity Is at Peak of Inflated Expectations,” Gartner.com (September 29, 2025) https://www.gartner.com/en/newsroom/press-releases/2025-09-29-gartner-says-supply-chain-cybersecurity-is-at-peak-of-inflated-expectations, accessed March 19, 2026.}

Learn how PwC delivers cyber outcomes

Reduce risk. Improve resilience. Support business priorities.

Contact us