A global survey of 4,042 business and technology executives suggests that much work remains to be done to ensure the cyber resiliency of organizations and prioritize how resources are allocated based on the actual risk cybersecurity threats represent.
Conducted by PwC, the survey finds only 39% of respondents work for organizations that have or plan to implement cyber recovery solutions such as immutable backups of data. Slightly fewer (34%) have or plan to build a cross-functional cyber resilience team and only 35% have or plan to define a cyber-recovery playbook. Less than 42% said their organization has fully implemented any cyber resiliency technology investment, and only 2% claimed their organization has implemented a cyber resiliency plan across all areas.
More troubling still, only 15% report they are actually measuring cyber risk even though 88% acknowledge it’s crucial to prioritize cyber risk investments.
Michelle Horton, partner leader for cyber risk and regulatory marketing for PwC, said that when it comes to cybersecurity far too many organizations are still reactive rather than proactive. For most organizations, it’s more a question of when there will be an incident rather than if, she added. The longer it takes to respond the more costly that incident will be, noted Horton.
On the plus side, however, more than three-quarters (77%) of respondents expect their cybersecurity budget to increase over the next year, with 30% anticipating a 6-10% increase while 19% expect an increase of 11% or more. Drivers of that investment include customer trust (57%), brand integrity (49%) and business growth opportunities (46%).
However, less than half of respondents said their organization’s CISO is involved in strategic planning for cyber investments, board reporting or overseeing technology deployments and less than half of the business executives surveyed ranked cybersecurity as a top risk to the organization.
There is also a disconnect in cybersecurity priorities, with many business executives identifying data protection/trust as their top cyber investment priority (48%), followed by technology modernization and optimization. In contrast, cloud security is the top priority (34%) for technology executives, followed by data protection and trust (28%).
The survey also finds that many organizations are most often concerned about the areas they are least prepared to address. For example, 42% of respondents are most concerned about cloud-related threats, with 34% ranking those threats among those they are least prepared to handle. Similarly, 38% ranked data leaks and other breaches of their environments as a major concern, with a quarter (25%) ranking this threat among the challenges they are least prepared to meet.
In general, organizations need to improve their cybersecurity hygiene as the overall size of the attack surface that needs to be defended continues to expand, noted Horton. Many organizations are also starting to invest in generative artificial intelligence (AI) without fully appreciating all the implications of an emerging technology that is a double-edged sword, she added. In the absence of strong cybersecurity measures, the data being exposed to AI models could easily be inadvertently exposed, noted Horton.
There is, of course, no such thing as perfect security. Cybersecurity professionals, as always, will do their best to prevent a breach but the reality of the situation is that there needs to be a lot more focus on what needs to be done to contain and recover from a data breach that is all but inevitable.