EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
Cyber leaders confront burnout. Can Ireland re-engineer resilience before the next breach strikes?
In brief
- 83% of Irish organisations enhanced their cybersecurity measures over the past six months, yet 72% struggle to fund staff training.
- Cyber leaders face rising anxiety; 27% say threats impair performance and 26% report negative mental health impacts.
- AI adoption surges, but budget allocation gaps and third-party risks expose strategic vulnerabilities in cybersecurity planning.
Cybersecurity is now a frontline issue. The EY Ireland Cyber Leaders Index 2025: The Rise of the Trust Architect sets the new benchmark for how Irish businesses are responding. In just six months, 83% of respondents to our survey have taken steps to strengthen their cybersecurity preparedness. The focus is clear: 95% are prioritising protection of their data and their organisation.
The Index draws insights from 165 cyber leaders across Ireland. It shows a cybersecurity discipline in transition where strategic ambition is strong, but challenges persist. Mental health concerns, budget gaps, talent development issues, and compliance pressures are holding organisations back.
While cybersecurity budgets have remained stable or even increased, allocation gaps continue, particularly in areas such as staff training, AI/data security, and talent acquisition. The study also highlights the strategic importance of integrating AI into cybersecurity efforts as well as the need to focus on risks associated with third-party vendors.
Cyber leaders need to move from technical execution to become trust architects with a place at the top table, where strategic decisions and budgets are shaped. The EY Ireland Cyber Leaders Index delivers a timely analysis of how cyber leadership is being redefined and calls for a reset in priorities and mindset.
Human cost of heightened cyber threats
Cyber budgets hold steady, but vulnerabilities remain ignored
Are cyber programmes regulation ready?
Cyber defence needs focus on talent
AI needs cyber leaders at the helm
Is third-party risk the cyber blind spot?
1
Chapter 1
Human cost of heightened cyber threats
Half of the respondents indicated that they do not plan to outsource any cyber capabilities over the next 12 months.
Cyber fatigue is emerging as Ireland’s next resilience risk with strong evidence of burnout among cyber leaders. This directly increases risk exposure and diminishes ability to respond.
More than a third (37%) of the cyber leaders surveyed report anxiety in relation to key aspects of cybersecurity being overlooked. This is having tangible consequences for workplace performance and mental health, with nearly three in 10 respondents saying the heightened threat environment is impairing their ability to perform at their best in their role (27%) and is having a negative impact on their mental health and wellbeing (26%). Equally concerning is the finding that 19% of respondents say that it is causing stress in their personal lives.
These findings underscore the urgent need for a shift in how cyber leadership is approached.
These findings are a wake-up call for all organisations. Cyber threats now impact not just financial and organisational performance, but also employee wellbeing. No company would tolerate a workplace where a third of the team showed up physically injured, yet mental health often goes overlooked. Employers have a duty of care to ensure staff feel safe at work, and that extends to their mental health.
These pressures may drive cyber leaders to exit the field at a time when organisations can least afford to lose them. This will further widen the existing skills gap
Grit Young
EY-Parthenon Partner and EY Ireland Technology, Media & Entertainment and Telecommunications Industry Leader
The high levels of stress and anxiety are likely linked to the rapid pace at which the threat environment is evolving. This was identified as the single greatest cybersecurity challenge facing cyber leaders.
The impact of the heightened threat environment is even more pronounced in the government sector.
This may relate to the highly sensitive nature of the personal data held by government departments and agencies and the severe consequences any breach would have on citizens.
The increased levels of anxiety could have longer-term implications for the wellbeing of cyber leaders and their teams. In addition to providing extra resources, organisations should consider offering support mechanisms such as counselling to help staff manage potential mental health challenges. If left unaddressed, cyber professionals may struggle to maintain a healthy balance between demanding workloads and personal wellbeing. This imbalance can impair decision-making quality and leadership effectiveness while also negatively affecting employee relations and retention
Ronan Glynn
EY Ireland Partner and Health Sector Leader
This problem needs an urgent response.
A lack of resources doesn’t appear to be the issue. Cybersecurity budgets have either remained the same or increased in the majority of the cases. One factor at play may be the feeling on the part of cyber leaders that they are not in control of either the situation they face or the levers to address it. This may point to a need to rethink the nature of cyber leadership.
Cyber leaders today operate under constant pressure with responsibilities that now span the entire business. Cyber is no longer a siloed function. It helps deliver services, builds trust, and creates value.
Need for trust architects: Behind the statistics are real people facing unsustainable pressure. Addressing the root causes of stress and disengagement among cyber leaders requires organisations to consider a fundamental redefinition of the cyber leader’s role.
The Chief Information Security Officer (CISO) role is relatively new with many organisations delegating responsibility for cyber security to other members of the C-suite. In its early stages, the cyber discipline often sees leaders focused on technical and engineering tasks, rather than the broader value they can bring to the wider business.
Cultivating a rightsourcing mindset: Finally, there is a question of mindset, probably associated with the relative immaturity of the cyber discipline. Half of the respondents to our survey said they are not planning to outsource any cyber capabilities during the next 12 months. This may add to stress levels. Cyber leaders should consider outsourcing routine capabilities and pursuing automation, allowing teams to focus on higher-value, more fulfilling work.
Recommendation:
Organisations and boards can no longer overlook the human cost of cybersecurity. They must recognise their responsibility for the mental wellbeing of cyber teams and ensure that cyber leaders are actively involved in strategic decision-making.
2
Chapter 2
Cyber budgets hold steady, but vulnerabilities remain ignored
Most organisations allocate under 3% of cyber budgets to compliance, exposing a gap between strategic intent and actual investment in regulatory readiness.
Among the most encouraging findings of the EY Ireland Cyber Leaders Index is the high level of satisfaction with cybersecurity budgets. Nearly all organisations either maintained or increased their budgets over the past 12 months, with only 1% reporting a decrease. Two-thirds held steady, and 12% of those increasing budgets did so by more than 10%.
Only 18% cited budgetary constraints as a significant challenge in managing cybersecurity in their organisations.
The findings suggests that organisations are recognising the importance of cybersecurity and are committed to sustaining or enhancing their investment.
There were notable variations between the sectors surveyed. Some 42% of general business and 30% of government respondents reported increases while just 23% of life sciences respondents reported an increase. This may be an indication of the relative maturity of the cyber functions in each of the sectors.
Cyber leaders who make a clear case for funding and show how it will be used are getting what they ask for.
However, resilience is being undermined by poor budget allocation. Priority areas like staff training, AI and data security, and talent acquisition often struggle to secure funding, even though cyber leaders consistently rank them as essential.
Compliance initiatives like NIS2 are also underfunded, with most organisations allocating less than 3% of their cyber budgets. This reveals a disconnect between strategic intent and actual investment.
Is AI adoption chipping away at cyber budgets? In another finding, there appears to be very little diversion of cyber budgets to AI. Only 12% of respondents say they’ve shifted funding to AI. A third report increased cyber budgets, suggesting AI investment hasn’t led to meaningful reductions.
Cyber budgets may be holding steady, but organisations are still facing constraints. Funding remains difficult to secure for essential areas like staff cyber awareness training, continuous security assessment (58%), and incident response planning (51%), despite their central role in resilience.
Recommendation:
Organisations must shift from reactive spending to intentional investment fully aligned with the priorities of their cyber leaders.
3
Chapter 3
Are cyber programmes regulation ready?
58% of respondents say their organisations have invested in the automation of cybersecurity compliance and assessment.
While 62% of respondents identified compliance with regulations as one of the biggest challenges in managing cybersecurity, nearly three-quarters said they were either fully (49%) or partially (24%) prepared for independent review of their compliance levels. The highest level of preparedness was in the government sector where 78% of respondents said they were either fully or partially prepared for an independent review.
The heightened level of preparedness on the part of government organisations is very welcome. It suggests that lessons have been learned from previous cyber incidents and indicates a determination to ensure they are not repeated
Luke Hardcastle
EY Ireland Government & Infrastructure Partner
Only 13% considered evolving regulations a major cause for concern. This reflects confidence in regulatory compliance within cybersecurity programmes.
This is noteworthy given the expanding regulatory landscape, including GDPR, the Cybersecurity Act, NIS21, DORA, and the AI Act. In fact, compliance with NIS2 and other relevant regulations and privacy laws was cited as a cyber programme priority by 39% of respondents.
However, this confidence may be masking a deeper fragility. Despite the perceived readiness, 44% of respondents indicated that less than 3% of their cyber budget is allocated to compliance initiatives. This very low level of investment raises questions about whether organisations are truly prepared or simply believe they are. If organisations claim readiness for NIS2 and AI Act reviews but dedicate minimal funding to compliance, it suggests a blind spot: one where compliance is underfunded but overestimated, especially in the context of rising AI-related risks.
In many instances low levels of direct investment in cyber compliance will not translate into increased risk. Effective regulatory compliance should be an outcome of the cyber measures, processes and policies in place in an organisation rather than the result of any direct investment in the compliance effort
Tavengwa Tavengwa
EY Ireland IT Risk and Assurance Partner
It is also noteworthy that 58% of respondents say their organisations have invested in the automation of cybersecurity compliance and assessment.
Critical Entities Resilience (CER) regulations and the Cyber Resilience Act will introduce new demands. Preparedness will require fresh investment, and trust architects should move early to secure the necessary resources.
Recommendation:
As regulation accelerates, compliance must evolve from periodic audits to dynamic oversight. Cyber leaders should implement continuous monitoring to maintain trust and resilience across every control layer
4
Chapter 4
Cyber defence needs focus on talent
30% see talent gaps as a key challenge, highlighting an opportunity to invest in hiring and retention to strengthen cyber resilience.
Nearly three-quarters (72%) of respondents reported difficulty securing budget for staff cyber training and awareness, making it the top budgetary concern. Two in five cyber leaders identify talent as their next step in preparedness, yet funding for training remains elusive suggesting a disconnect that will potentially threaten organisation resilience.
This is particularly striking given that staff training is widely recognised as a critically important, if not the most essential, component of cybersecurity. It also suggests that cyber training is still seen as a one-off exercise. But the human side of cybersecurity needs consistent investment.
Cyber leaders are also facing challenges when it comes to hiring and retaining talent for their teams. 30% of respondents identified a lack of skilled personnel as a key challenge. This is not surprising given the general shortage of skilled and qualified IT professionals across the economy.
The cyber market in Ireland is currently experiencing heightened activity. This makes it imperative for cyber leaders to focus on recruitment, training and retention of top talent. Given their unique understanding of organisational needs, cyber leaders are best positioned to identify the skills and capabilities required. They must proactively forecast talent demand and design development programmes accordingly as the technology and business environment continues to evolve
This issue was most acute in the life sciences sector where 36% of respondents identified a lack of skilled personnel as a key challenge. This may reflect the combination of industry specific and cyber skills required by the sector.
The consequences could be particularly severe with two in five (40%) respondents saying hiring and retaining talent is one of the steps they plan to take to enhance their cyber preparedness over the next 12 months.
One effective response to the cybersecurity talent shortage is to cultivate talent from within. Numerous upskilling programmes, such as those offered by Enterprise Ireland and Skillnet Ireland, provide accessible pathways for organisations to train employees in cybersecurity and related digital skills.
Recommendation:
Today’s technological environment demands more than automation. It requires human insight. Organisations must reinvest in their people to ensure cyber talent evolves in step with the technologies it protects.
5
Chapter 5
AI needs cyber leaders at the helm
To secure influence and funding, cyber leaders need to take charge of AI adoption positioning cybersecurity as central to innovation and enterprise growth.
The acceleration of AI adoption is reshaping cyber priorities. 48% of respondents now rank AI and data security as a top focus for the year ahead.
There is a symbiotic relationship between AI and cybersecurity. Embedding AI into cybersecurity improves threat detection, accelerates response times, and strengthens overall security effectiveness. Equally, embedding cybersecurity into AI systems is essential for safeguarding sensitive data and ensuring the integrity of AI-driven solutions. Organisations that overlook this critical integration risk exposing themselves to vulnerabilities in an increasingly interconnected digital world
Bronagh Riordan
EY Ireland AI & Data Partner
The EU AI Act is already having an impact with nearly half (47%) of the organisations surveyed claiming to have updated their data handling and monitoring practices in response to the legislation. In addition, 39% have updated their data protection impact assessment systems.
Somewhat surprisingly, 44% of respondents identified AI and data security as an area of challenge when it comes to obtaining budget allocations and approvals. This may reflect internal competition for limited AI budgets, not reluctance to invest in cybersecurity. Leaders want impact, and every team wants a share.
Cyber leaders need to lead AI adoption to protect their own budgets and claim their share of what will surely be an expanding AI budget. Embedding cybersecurity into AI efforts positions the function as a driver of growth and advantage. There is already some evidence of cyber budgets being diverted to AI with 12% of respondents saying it has occurred.
Recommendation:
Cybersecurity and AI are fundamentally interconnected. Organisations must involve cyber leaders in AI initiatives to ensure security is integral to strategy, not an afterthought.
6
Chapter 6
Is third-party risk the cyber blind spot?
27% plan to enhance supply chain security in the next year, yet just 4% view third-party vendor risk as a top concern.
While 68% of respondents say that protecting against supply chain and third-party cyberattacks is a top priority, only 4% list third-party vendor risk as a main concern. Cyber leaders fight for budget, with 21% stating that funding is hard to secure, but fail to treat the issue as strategic.
The gap between awareness and prioritisation is especially alarming in light of the recent cyberattack that caused days of disruption at several European airports after the check-in system used by many airlines and airports was hit by a ransomware attack2.
This is where cyber leaders need to act as champions of trust. They must partner with other business leaders and procurement to ensure that sufficient focus is given to third party risk and that appropriate measures are in place to sustain organisational resilience in the event of a supply chain compromise
Jason Guy
EY Ireland Cybersecurity Partner
Our survey further shows that 27% of respondents plan to strengthen supply chain security in the next year. Life sciences leads at 30%, while government lags at 22%, likely due to more rigid procurement processes rather than lack of focus.
These findings suggest that Ireland’s cyber leaders are underestimating the supply chain threat. They acknowledge its existence but don’t follow through when prioritising actions and initiatives.
Third-party cyber risk remains loosely regulated unless a breach triggers GDPR or privacy penalties. New frameworks like NIS2 and the EU AI Act are increasing accountability, but enforcement is uneven. M&A activity also introduces external vulnerabilities that organisations need to manage carefully.
Recommendation:
Third-party cyber risk cannot be managed by policy alone; it must be treated as a priority. Cyber due diligence should be built into every deal, not discovered after a breach or relegated to an afterthought.
Summary
Cyber threats are escalating, and Irish organisations are responding. 83% have strengthened defences, yet critical gaps persist in leadership, budget allocation, talent, and compliance. Mental health strain among cyber leaders is widespread with anxiety and burnout threatening resilience. AI adoption is surging, but organisations risk being exposed to new threats unless cyber leaders lead its safe integration. Third-party risks remain dangerously deprioritised. Urgent action is required.
In the future, Ireland’s most resilient organisations will be those where cyber leaders take on broader leadership roles, security and preparedness are built into board-level decisions, and AI is used responsibly to strengthen business performance.
About the Survey/Methodology
Research for the EY Ireland Cyber Leaders Index 2025 was commissioned by EY and conducted by Empathy Research between July and August 2025. The study used Computer Aided Telephone Interviews (CATI) to gather insights from 165 senior cyber leaders across Ireland. Respondents represented a wide range of organisations. The survey covered three key sectors including health and life sciences, government, and business consumers (encompassed advanced manufacturing and digital infrastructure).
Related articles
Why cyber resilience and trust must anchor Ireland’s €275-billion NDP
The NDP is an opportunity to embed AI as a foundational element and hardwire citizen trust into critical infrastructure amidst rising cyber threats. Find out how.
How CISOs can nurture a cyber-informed workforce in the age of AI
CISOs need to strike a balance between achieving optimal security and unlocking the value that AI adoption can bring to the organisation. Find out how.
How EY can help
-
Our cybersecurity team works with the client to create, improve and operate cybersecurity capabilities and thereby improve the client’s risk posture
Read more -
Discover how EY's Cybersecurity Transformation solution can help your organization design, deliver, and maintain cybersecurity programs.
Read more -
Discover EY’s technology insights, people and services and how they can help your business improve performance, manage risk and drive innovation.
Read more