EY Study Reveals Progress in C-suite Cybersecurity Awareness, but Gaps Remain in Perception & Action
Key Takeaways
- C-suite awareness of cybersecurity is rising: 84% of C-suite leaders say their organization’s cybersecurity focus has increased in the past three years, with 85% expecting further growth.
- Cyber incidents are on the rise: 84% of organizations have faced a cybersecurity incident in the past three years, including spyware, domain spoofing, and zero-day exploits.
- Disconnect between CISOs and the C-suite: CISOs are more concerned about cybersecurity threats (66%) compared to other executives (56%) and worry that senior leaders underestimate the risks (68% vs. 57%).
- Cybersecurity budgets differ: 67% of CISOs report a seven-figure cybersecurity budget, compared to 45% of other C-suite leaders. The gap widens for next year’s budgets (82% vs. 53%).
- AI and employee training are key: 75% of CISOs attribute decreased cyber incidents to AI investment, while 77% of other executives emphasize the importance of employee cybersecurity training.
Deep Dive
Cybersecurity is no longer just an IT problem; it’s a business problem. And yet, despite all the headlines and constant warnings, a concerning gap remains between the leaders of organizations and the people tasked with defending them from cyber threats. New research from Ernst & Young LLP (EY) has uncovered this alarming disconnect, revealing how the divide between C-suite executives and Chief Information Security Officers (CISOs) is putting organizations at risk.
The good news is that cybersecurity is getting the attention it deserves at the highest levels. According to EY’s 2025 Cybersecurity Study, 84% of C-suite leaders say their organization’s focus on cybersecurity has grown in the past three years. Even more promising, 85% say this focus will continue to grow in the year ahead. But here’s the rub: this increased focus isn't always aligned with the reality of the threats at hand.
Despite the heightened attention, the study also reveals a troubling truth: 84% of organizations have experienced a cybersecurity incident in the last three years. These breaches aren’t just one-off cases either. The most common incidents reported this past year include spyware, domain name spoofing, and zero-day exploits, where cybercriminals capitalize on previously unknown flaws in systems. The type of attack may evolve, but the result is the same: lasting damage to the business.
What’s more, EY’s analysis shows that the financial fallout from these incidents can linger for months. Stock prices of affected companies tend to drop in the days following a breach, and the damage often extends up to 90 days later. These aren’t simply recoverable costs. They are a reminder that cyber incidents have a long-lasting impact that stretches far beyond the immediate recovery phase.
CISOs vs. the C-suite
Now, here’s where it gets really interesting, and a bit troubling. The study highlights a significant disconnect between CISOs and other C-suite executives regarding the perception of cyber threats and the adequacy of cybersecurity defenses.
Take, for example, how the two groups view the severity of cyber threats. While 66% of CISOs worry that their organization’s defenses aren’t keeping pace with the evolving threat landscape, only 56% of other C-suite leaders share that same concern. CISOs also feel that senior leadership underestimates the risks, with 68% expressing worry over their colleagues not fully appreciating the gravity of cyber threats. For many CISOs, it’s not a question of “if” a breach will happen, but “when.”
The numbers speak for themselves. Experience has a way of heightening concern. Those who have faced cyber incidents firsthand show higher levels of apprehension about future threats, which, in many ways, reflects a reactive mindset rather than a proactive one.
Who’s Paying for Cybersecurity?
Another key issue is the discrepancy in how much organizations are willing to invest in cybersecurity. The study shows a significant divide when it comes to cybersecurity budgets. While 67% of CISOs report their organization’s cybersecurity budget is at least seven figures, only 45% of other C-suite executives agree. This gap becomes even more pronounced when looking ahead to next year: 82% of CISOs expect an increased cybersecurity budget, while only 53% of the rest of the C-suite share that optimism.
This divide points to a broader issue within organizations: many companies still treat cybersecurity as an afterthought, lumping it into the broader IT budget instead of giving it its own, distinct financial backing. When cybersecurity is buried within the IT budget, it’s difficult for executives to see the full scope of investment—or the return on that investment.
Interestingly, CISOs are particularly optimistic about the role of artificial intelligence (AI) in their cybersecurity strategy. A full 90% of CISOs see AI as a game-changer in cybersecurity, compared to 81% of other executives. But even with this optimism, the disconnect remains clear. While AI might be part of the solution, there’s no consensus on how much organizations should invest in AI versus talent or technology solutions.
So, what’s actually making a difference in reducing cyber incidents? Interestingly, CISOs and other C-suite executives have different takes. CISOs are most likely to attribute a decrease in cybersecurity incidents to increased investment in AI, with 75% saying AI made a real impact. On the flip side, 77% of other executives believe that better employee training is the key to reducing breaches. It seems there’s a bit of a tug-of-war between investing in cutting-edge technology and investing in people.
CISOs also point out that they are much more likely to experience breaches caused by internal threats (employees intentionally leaking or stealing information) than their C-suite counterparts recognize. While 47% of CISOs report insider threats, only 31% of other C-suite leaders acknowledge them. This lack of understanding about the source of cyber incidents only complicates efforts to build stronger defenses for the future.
Bridging the Cybersecurity Gap
This research brings to light a crucial need for change. The disconnect between CISOs and the rest of the C-suite is more than just an inconvenience—it’s a risk. The study suggests that organizations must bridge this gap to build a truly resilient cybersecurity strategy.
Here are four key actions the C-suite can take to improve its organization’s cybersecurity posture:
- Increase investment in cybersecurity talent: Focus on both hiring and upskilling employees to stay ahead of emerging threats.
- Leverage AI-driven security solutions: Integrate artificial intelligence to improve threat detection and response.
- Build a comprehensive cybersecurity strategy: Ensure all parts of the organization understand and align with cybersecurity goals.
- Align the C-suite on cybersecurity priorities: Establish a shared understanding of the risks and the resources needed to tackle them.
Cybersecurity isn’t just an IT problem. It’s a business challenge that demands unified leadership, clear communication, and, most importantly, a strategic approach. The cost of inaction is too high, and the threat landscape is only getting more complex. It’s time for the C-suite to get on the same page and make cybersecurity a top priority for the organization before the next breach happens.