C-suite divides on cybersecurity threats pose organisational risks, study finds

EY study has found that c-suite divides on cybersecurity threats pose organisational risks. (Photo: kathayut kongmanee/ Shutterstock)

An Ernst & Young (EY US) C-suite cybersecurity study has highlighted financial risks from cybersecurity threats and revealed significant C-suite disconnects, with 84% of C-suite leaders reporting a cybersecurity incident in their organisation over the past three years. Additionally, an EY US analysis of Russell 3000 companies indicated that firms experiencing a cyber incident typically witness a 1.5% decline in stock price over the subsequent 90 days, highlighting the tangible impact of cyber incidents on market capitalisation.

The EY 2025 Cybersecurity Study: Bridging the C-suite Disconnect surveyed 800 C-level executives in the US, including 300 chief information security officers (CISOs) and 500 other C-suite leaders, to evaluate cybersecurity investment, emerging threats, and risk preparedness. The results show CISOs are more concerned than their C-suite peers, with 66% of CISOs worried about advanced cybersecurity threats compared to 56% of other executives.

“Companies need to move beyond a ‘check the box’ mentality and recognise cybersecurity as a strategic investment, not simply a cost centre,” said EY Americas cybersecurity leader Jim Guinn, II. “It’s time to take the bull by the horns and push for not just the resources but the authority for cyber leaders to build truly resilient organisations. The cost of inaction is simply too high.”

The study reveals a significant divide between CISOs and other C-suite members in understanding cybersecurity threats. CISOs are more likely to believe senior leaders underestimate these dangers, with 68% of CISOs expressing this concern compared to 57% of other executives. This gap poses a risk due to a lack of comprehension of potential dangers.

There are also differences in perceptions of threat origins. While 57% of CISOs attribute cybersecurity incidents to cybercriminals, only 47% of other C-suite members agree. Additionally, 47% of CISOs identify insider threats as a source of incidents, compared to 31% of other executives. This discrepancy in understanding past threat sources complicates efforts to strengthen defences against future risks.

Cybersecurity investments set to increase amid rising threats

CISOs are more inclined to credit reduced cyber incidents to investments in AI, with 75% of CISOs noting a decrease following AI investment, compared to 68% of other C-suite members. In contrast, 77% of other executives attribute success to employee cybersecurity training, compared to 69% of CISOs.

“CISOs see escalating threats and vulnerabilities, while the C-suite appears to often believe cybersecurity is handled,” said Guinn. “Cybersecurity incidents carry significant and far-reaching financial repercussions beyond immediate recovery costs. Our research reinforces the urgent need for leaders to come together and develop a comprehensive cybersecurity strategy that addresses the evolving threat landscape and includes clear communication, a shared understanding of the risks and opportunities, and priority areas for investment.”

Despite these disconnects, there is an increase in cybersecurity investments. Currently, 21% of C-suite leaders allocate over 10% of their IT budget to cybersecurity, a figure expected to rise to 38% next year. The EY US Cybersecurity team advises elevating the CISO role to a strategic position, aligning cybersecurity investments with business objectives, adopting innovative technologies like AI, and promoting a culture of cybersecurity awareness throughout organisations.

Read more: Cybersecurity remains top investment for manufacturers amid widening digital maturity gap