Cybersecurity has entered uncharted waters. The 2026 PwC Global Digital Trust Insights report makes this painfully clear. A rapidly shifting world, amplified by geopolitical turbulence and unprecedented technology leaps, is testing the limits of our cyber strategies.
I read the numbers and paused. Sixty percent of business and tech leaders rank cyber risk investment among their top three strategic priorities. That makes sense. Uncertainty is high, the stakes are rising, and yet, when you drill down, only 24% of organizations are spending significantly more on proactive measures than reactive ones. That’s striking.
Think about that. Monitoring, testing, assessments, and controls give you foresight. Incident response, recovery, fines - what you hope you never need to use. Unfortunately, most companies are essentially budgeting to respond after the damage is done. Reactive spending is invisible, dispersed across departments, and it is way more expensive than it looks on paper.
Being ‘Somewhat Capable’ Isn’t Enough
Resilience is another story. Roughly half of respondents say they’re only “somewhat capable” of withstanding attacks on specific vulnerabilities. A tiny 6% feel confident across all areas. Weak authentication, legacy systems, unpatched software, vulnerable connected products, and supply chain exposures all remain popular targets for attackers.
Cloud attacks and connected product vulnerabilities are top concerns, with 33% and 28% of leaders ranking them among the threats they’re least prepared to handle.
Here’s my reflection: being “somewhat capable” isn’t enough. You need layered defense, continuous assessment, and tools that amplify human expertise. That’s why AI is rising as a top priority. Threat hunting, Agentic AI, event detection, behavioral analytics, and identity and access management aren’t just shiny new ideas – they are becoming crucial parts of IT and security operations.
Over half of businesses (53%) are prioritizing AI and machine learning to address capability gaps. Cloud security is also high on the list, with over a third (34%) of respondents ranking it among their top three investment priorities. This aligns with the broader push toward modernizing security across complex environments.
Quantum-Resistant Measures Lag
Quantum computing is another wake-up call. Only three percent of entities have implemented all leading quantum-resistant measures. Nearly half (49%) haven’t even started.
Quantum may not be an immediate threat, but the risk is real. If you wait until the first attack, it’ll be too late. Data, authentication services, and cryptographic systems all require a considerable amount of time to be properly implemented.
Talent shortages are persistent and are not going anywhere soon. Knowledge and skills gaps are cited as the top barriers to implementing AI for cyber defense. Organizations are using managed services strategically, not just outsourcing, but also extending capabilities, modernizing delivery, and scaling expertise.
About 48% of companies that have experienced major attacks are now leaning on managed services. AI-enabled orchestration is increasingly part of that mix, which is where platforms like Fortra’s can make a practical difference, helping teams move faster while filling skill gaps.
What’s driving changes in cyber strategy? Geopolitical uncertainty tops the list. Sixty percent of leaders are increasing cyber risk investment. Forty-one percent are shifting critical infrastructure locations. Thirty-nine percent are adjusting trade and operating policies. And another third-nine percent are reviewing cyber insurance policies.
Cyber isn’t just IT anymore. It’s a strategic lever. Where you operate, how you do business, and whom you trust are all shaped by the risk environment.
AI Leads the Pack
Nearly 80% of firms plan to increase cyber spending next year, but that's essentially unchanged from 2024. The percentage of companies boosting budgets has plateaued at around 78%, suggesting cyber investment may be hitting a ceiling or competing with other priorities.
AI is leading the pack, with 36% of leaders ranking it as a top investment priority. Cloud security is hot on its heels at 34%, and network security or zero trust comes in at 28%. Threat management, data protection, and managed services are also high on the list, showing that leaders are thinking strategically about where to strengthen their defenses.
By contrast, endpoint security and application security sit at 15% each. That gap tells me something important: companies aren’t just patching holes. They’re prioritizing scalable, forward-looking solutions that can actually move the needle on resilience. It’s about investing in capabilities that grow with the organization, not just reacting to the latest breach.
Reflecting on past breaches offers another lesson. Companies unfortunate enough to suffer major attacks in the last three years tend to boost budgets more aggressively (88% vs 78%), lean on managed services (48% vs 39%), and update cyber insurance policies (49% vs 39%).
They’ve had to learn the hard way that resilience is built through experience, not optimism.
A Look Into the Future
So what does this mean for the future? Here’s my take:
1. Proactive beats reactive: Spend on foresight. This includes monitoring, controls, and assessments. In the long run, it costs significantly less than scrambling after the breach.
2. Resilience isn’t optional: Weak points are everywhere; they are in supply chains, legacy systems, and the cloud environments we all depend on. Layered defenses and AI-enabled orchestration are crucial.
3. Plan for the quantum future: Even if it feels like distant science fiction, post-quantum readiness takes years. Delaying is a risk no one can afford.
4. Use talent intelligently: AI and managed services aren’t replacements; they’re force multipliers. Upskill, augment, and outsource strategically.
5. Let data and experience guide investment: Cloud, AI, threat management, and data protection are priorities that show where leaders are placing their bets. Those bets will shape resilience.
Cybersecurity today is still about stopping attacks, but it’s also about helping companies navigate uncertainty and come out stronger on the other side. It’s about factoring cyber risk into every decision, understanding the impact, and moving with urgency and purpose.
AI, cloud security, and managed services are not just nice-to-haves any longer, they are the levers that let you respond, recover, and stay ahead.
The lesson is simple: think ahead. Invest smartly. Adapt quickly. Build for a world that doesn’t stand still because the threats won’t wait, and neither should your strategy.
If PWC’s findings made you rethink where your cyber strategy is headed, you’re not alone. Fortra’s research digs into what’s next, from AI-driven defense to evolving threat tactics and smarter resilience strategies.
Cybersecurity for Your Industry
Your industry is unique. Your cybersecurity stack should be, too. Fortra® offers cybersecurity solutions to meet the challenges and compliance requirements of industries around the world.
