2026 Global Digital Trust Insights: C-suite playbook and findings

New world, new rules: Cybersecurity in an era of uncertainty

  • Insight
  • October 08, 2025

62%: Australian organisations increasing cyber risk investment in response to geopolitical volatility

11% of Australian organisations are deprioritising the implementation of data governance controls, in contrast to just 4% globally

Top 2 challenges to implementing AI for cyber defence are knowledge and skills gaps for Global and Australia

Cybersecurity is entering uncharted waters. A rapidly shifting world order and threat environment ― powered by recent, exponential leaps in technology ― is putting cyber strategies to the test. 

Organisations are confronting the new reality of a post-globalisation era, one that’s marked by fractured alliances, weakened global institutions, tariff shocks and disrupted supply chains. We’re witnessing unprecedented technology advances that are expanding the attack surface and introducing novel cyber threats, many of them state sponsored. 

PwC’s 2026 Global Digital Trust Insights survey of 3,887 business and tech executives across 72 countries reveals how leaders are handling this era of uncertainty, where they’re falling short, and what they might do differently to better meet the challenge. Among the key findings: 

  • Geopolitical risk is shaping strategy: 62% of Australian business and tech leaders rank cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty, with 74% of Australian organisations predicting an increase in their cyber budget for 2026. 
  • Data risk management diverges: Australian organisations show varied approaches to data protection, with 10% reporting no plans to implement encryption, tokenisation, or anonymisation at scale, around 5% behind APAC and global. Additionally, 11% are deprioritising data controls across the data lifecycle, a notable 7% gap to global respondents that could impact the effective adoption of emerging technologies including AI.
  • Resilience is a work in progress: Given the current geopolitical landscape, less than half say their organisation is at best only ‘somewhat capable’ of withstanding cyber attacks targeting specific vulnerabilities. With Global and APAC most concerned about cloud-related cyber threats, Australian organisations are equally concerned about connected products and third-party breaches. Additionally, Australia is even more concerned about software supply-chain compromise than global organisations.
  • Waiting for trouble: Only 21% of Australian organisations are spending significantly more on proactive measures (e.g., monitoring, assessments, testing, controls) than reactive measures (incident response, fines, recovery), which is a more ideal spend ratio. Most companies (26%) are spending roughly equal amounts on both categories, which can result in higher longer-term costs and increased risk.
  • AI agents for cyber defence: Agentic AI ranks among the top AI security capabilities Australian organisations are prioritising over the next 12 months. They plan to deploy these agents for cyber defence and operations, security testing, data protection and cloud security, among other priority areas.
  • The quantum clock is ticking: Although quantum computing ranks as the top threat Australian organisations are least prepared to address, fewer than 10% prioritise it in budgets and 1 in 5 Australian organisations have not conducted a feasibility analysis.
  • Rethinking the cyber talent crisis: Skills shortages remain one of the biggest barriers to cyber progress. Over half (52%) are prioritising cybersecurity tool consolidation and looking to AI and machine learning tools to help close capability gaps. Specialised managed services are also becoming strategic accelerators to provide expertise and scale.
  • Australian CISOs are setting the pace in cyber security leadership: Australian CISOs are driving leadership in cyber security, taking the lead globally and in APAC by establishing security controls for transformation initiatives alongside the CTO, regularly reporting to the Board, and equipping their CEOs with the right information to guide strategic decisions.
  • Operational technology under pressure: Securing operational technology (OT) and industrial IoT (IIoT) systems poses significant challenges for Australian organisations, with 44% reporting a lack of clear governance and accountability, along with insufficient funding and executive backing for these cybersecurity efforts. Additionally, 40% highlight gaps in understanding the full scope of OT/IIoT cyber risks, underscoring the urgent need for stronger strategies and resources to protect our nation’s most critical infrastructure and services.

Meeting the moment will require renewed urgency, creativity and different approaches — not a business-as-usual mindset. Our C-suite playbook translates this year’s findings into practical steps, helping key stakeholders strengthen their foundational security practices and implement future-ready measures calibrated to the new world we’re in.

Risk and threat landscape: Geopolitics are reshaping cyber vulnerabilities

Today’s cyber risks are shaped as much by geopolitics as by disruptive technologies. Upended alliances, trade disputes, weakened international institutions and other destabilising trends in this new era of strategic competition are reshaping the threat environment, as well as traditional methods of doing business.

Responding to this geopolitical climate, 62% of Australian business and tech leaders are making cyber risk investment one of their top three strategic priorities for the year ahead. They’re also prioritising changes in critical infrastructure location (41%), trade and operating policies (31%) and cyber insurance policies (43%). With disruption now the norm, cyber is a critical lever for resilience.

Against this backdrop, confidence in cyber readiness is split. While about half of respondents say their organisations are ‘very capable’ of withstanding cyber attacks targeting specific vulnerabilities surveyed, just as many aren’t prepared. What’s more, only 6% say they’re very capable across all vulnerabilities surveyed. 

Cyber strategy changes in response to current geopolitical landscape
(% that ranked in their top 3 areas)

  • Increase cyber risk investment: 62%
  • Change in critical infrastructure: 41%
  • Change in trade and operating policies: 31%
  • Change in cyber insurance policies: 43%
  • Change where business is conducted: 26%
  • Change in vendors: 23%
  • No significant changes: 15%

Q2. Over the next 12 months, which of the following areas of your organisation's cyber strategy is changing in response to the current geopolitical landscape? Base: All respondents=3887
Source: PwC 2026 Global Digital Trust Insights

Risk and threat landscape: Strengthening data protection in Australia's AI era

AI technologies are rapidly advancing, and high-profile data breaches have intensified scrutiny on how Australian organisations manage their data. Leading the charge globally, over half of Australian companies have implemented Data Loss Prevention strategies, and 40% have embraced responsible AI practices, both above the global average.

However, challenges remain. Australia trails in applying robust data classification policies and lifecycle controls, with 17% of organisations lacking data classification policies and 5% having no plans to adopt them. Nearly a quarter (23%) have yet to enforce data controls across the entire lifecycle.

The financial impact is substantial, with recent breaches costing Australian organisations an average of $3.9 million, closely aligned with the global average of $4.2 million. Despite growing emphasis on data quality and minimisation, there is a pressing need to accelerate preventative measures and fortify data protection, ensuring Australian data is secure in an increasingly complex digital landscape.

The extent organisations have implemented measures to address data risk

Values for each measure are listed in the order: implemented across the organisation / implemented in parts of the organisation / planning to implement in the next 12 months / no plans.

  • Data controls across the entire data life cycle: 43% / 30% / 13% / 11%
  • (label missing): 49% / 29% / 11% / 10%
  • Data quality capabilities: 50% / 32% / 11% / 5%
  • Data discovery and cataloguing across structured and unstructured data: 43% / 38% / 11% / 6%
  • Responsible AI practices: 41% / 37% / 16% / 4%
  • Data loss prevention across key egress channels: 51% / 30% / 10% / 6%
  • Data classification policies: 45% / 38% / 12% / 5%
  • Data minimisation approaches: 50% / 28% / 15% / 1%

Q5. To what extent has your organisation implemented or is planning to implement any of the following measures to address data risk across the enterprise? 
Source: PwC 2026 Global Digital Trust Insights

Cyber strategy and operations: Where investment meets impact

Cybersecurity is about readiness. It means planning ahead and investing in proactive measures like monitoring, assessments, testing, controls and training — before a crisis happens. The alternative, relying primarily on reactive measures (e.g., response, customer care, remediation, recovery, litigation and fines), is more costly, risky and unsustainable.

Almost three quarters (71%) of Australian organisations say their proactive/reactive cost ratio is roughly even — spending about the same on proactive and reactive cyber measures or slightly more on either. Few (21%) are in the sweet spot of investing significantly more on proactive steps. What’s more, those numbers likely underestimate the true cost of reacting. While proactive spending sits in the security leader’s budget and is easy to track, reactive costs are dispersed across the business — legal, communications, operations, IT, product, marketing, government relations — and include harder-to-quantify costs such as lost opportunities and reputational damage.

Spending on reactive vs proactive measures

Reactive: Response, customer care, remediation, recovery, litigation, fines, etc.
Proactive: Monitoring, assessments, testing, controls, training, governance, etc.

  • (label missing): 7%
  • Slightly more on reactive measures: 14%
  • About the same: 21%
  • Slightly more on proactive measures: 32%
  • Significantly more on proactive measures: 24%
  • Selected unsure: 2%

67% have a roughly equal spending ratio.

Q13. Is your organisation spending more resources on reactive or proactive cybersecurity measures? Base: All respondents=3887
Source: PwC 2026 Global Digital Trust Insights

AI in cybersecurity: From promise to priority

AI’s potential for transforming cyber capabilities is clear and far-reaching. That’s why it ranks highest in several categories we surveyed. AI enablement of key cyber capabilities is the top priority for allocating cyber budgets, using managed cybersecurity services and addressing cyber talent gaps. 

To bolster their AI-enabled security capabilities over the next 12 months, Australian security leaders rank event detection and behavioural analytics threat hunting as their top priority (49%), significantly higher than Global security leaders who view it as their third priority (36%). They’re also pursuing other capabilities such as agentic solutions, AI threat hunting, identity and access management, and vulnerability scanning and assessments.

AI security capabilities organisations are prioritising over the next 12 months (ordered by top 3)

Q18. Which of the following AI security capabilities will your organisation prioritise over the next 12 months? Base: Security leaders=1740
Source: PwC 2026 Global Digital Trust Insights

Quantum computing readiness: Preparing for next-level threats

Although quantum isn’t an immediate cyber threat, those who delay the transition to post-quantum cryptography may be exposing their sensitive data, authentication services and cryptographic systems. With implementation timelines stretching into years, establishing the foundations for quantum-resistant security demands early action today to avoid adversarial disruption tomorrow. 

Some Australian organisations are making initial progress, with 30% in piloting and testing stages. However, only 24% have moved beyond piloting, and almost half (46%) haven’t considered or started implementing any quantum-resistant security measures. What’s holding them back? For many, it’s a lack of understanding around post-quantum risks, combined with limited internal resources and competing demands.

Quantum-resistant security progress

  • Implementing: we are implementing quantum-resistant security measures. 22%
  • Piloting and testing: we have begun implementation and are at piloting and testing stage. 29%
  • Not implementing or no planned activity: 49%, made up of:
      • (label missing): 33%
      • Not started to consider and no plans to do so: our organisation has not started to consider quantum-resistant security measures and has no plans to do so. 9%
      • Unable to confirm at this time. 7%

Q21: How far along is your organisation when it comes to quantum-resistant security measures? Base: All respondents=3887
Source: PwC 2026 Global Digital Trust Insights

Cyber talent and skills: Managed services move to the front line

Cybersecurity workforce shortages continue to impede progress, especially as organisations push to operationalise AI, secure complex environments and prepare for next-generation threats.

Knowledge and skills gaps were the top two barriers to implementing AI for cyber defence over the past year, forcing organisations to rethink how they scale capabilities. Whilst AI and machine learning tools are key priorities, Australia ranks them as its third highest priority (49%), trailing both Global (53%) and Asia-Pacific (55%), who consider them their number one priority. Comparatively, Australia leads in cybersecurity tool consolidation efforts at 52%, exceeding Global (47%) and Asia-Pacific (50%) figures, possibly driven by cost-efficiency goals. Additionally, Australian organisations are focused on upskilling and reskilling, security automation tooling, and managed services.

AI and cloud are the top use cases for specialised managed security services, with identity and access management notably higher for Australia (23%) compared to Global (18%). Organisations are using managed services for more than outsourcing capabilities. They’re partnering with providers to modernise the way critical systems get delivered. 

Cybersecurity priorities for the use of managed services over the next 12 months

Q15. Which, if any, of the following areas of your cybersecurity programs is your organisation prioritising to utilise managed services over the next 12 months? Base: Security leaders=1740
Source: PwC 2026 Global Digital Trust Insights

New world, new rules: The 2026 Global Digital Trust Insights

How can you turn this year’s findings into practical steps to confront uncertainty? Start by fostering foundational resilience and advancing a secure-by-design mindset. Get the full C-suite playbook and more of the latest findings for 2026.

The 2026 Global Digital Trust Insights is a survey of 3,887 business and technology executives conducted in the May through July 2025 period.

One-third of the executives (33%) are from large companies with $5 billion or more in revenues. Respondents operate in a range of industries, including financial services (21%); industrial manufacturing and automotive (21%); tech, media and telecom (19%); retail and consumer markets (16%); healthcare (10%); energy, utilities and resources (9%); and government and public services (4%).

Respondents are based in 72 countries. The regional breakdown is Western Europe (32%), North America (27%), Asia Pacific (18%), Latin America (11%), Central and Eastern Europe (6%), Africa (4%) and the Middle East (3%).

The Global Digital Trust Insights survey had been known as the Global State of Information Security Survey (GSISS). Now in its 28th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.

Contact us

Robert Di Pietro

Cybersecurity & Privacy, Partner, PwC Australia

Peter Malan

Partner, Cybersecurity & Privacy Lead, PwC Australia
