Decision factors today
Slowing budget growth
The growth momentum of the cybersecurity budget is declining. Recent reports show that the annual growth rate of cyber budgets has dropped from 16% in 2021 to just 8% in 2024, and when adjusted for inflation, real growth in cybersecurity investment effectively fell to 5% [1] last year. This decline in funding forces tough choices about which cybersecurity measures to implement, leaving organizations more exposed to emerging threats.
Resource shortages
Ongoing and prolonged shortages of skilled cybersecurity professionals are introducing additional challenges. Many organizations struggle to find individuals with the technical expertise and risk foundations needed to effectively manage cybersecurity threats and compliance requirements. Businesses are increasingly turning to an ecosystem of third parties to fill this gap, which can potentially strain internal resources via competing needs for capital allocation.
Evolving regulatory expectations
Despite the current trend toward federal deregulation, the patchwork of state rules regulating cyber and technology prevails. While federal rules such as the Cybersecurity Maturity Model Certification (CMMC) 2.0 standards and an updated Federal Risk and Authorization Management Program (FedRAMP) are being rolled back, state governments are stepping in to provide direction (e.g., Arkansas Cybersecurity Act of 2025). Organizations are navigating a complex and evolving maze of new regulatory requirements and updates to existing ones, including the New York Department of Financial Services (NY DFS) Cybersecurity Regulation, the Digital Operational Resilience Act (DORA), the California Consumer Privacy Act (CCPA) and the EU Cyber Resilience Act (CRA). Emerging AI regulations, too, such as the EU AI Act, require organizations to adapt quickly, complicating their cybersecurity strategies and shifting priorities.
Geopolitical tensions
Geopolitical tensions and uncertainties are creating volatility in financial markets, significantly impacting cybersecurity strategies and supporting investments. As firms preempt and react to shifting US administration policies, international events and fluctuating relations, there is a greater need for agility to underpin an organization’s approach to cybersecurity. In uncertain periods, experienced third parties can serve as trusted advisors to help organizations navigate the complexities of cybersecurity investment.
Increased attack sophistication
Cyber attacks are becoming more sophisticated, with adversaries using artificial intelligence (AI) to enhance their tactics. For example, AI-generated phishing emails have been shown to achieve higher click rates than those written by humans [2]. Additionally, advanced persistent threats pose significant risks to critical infrastructure and financial services organizations, although they can impact every industry. This creates substantial challenges for organizations in prioritizing their cybersecurity defenses.
Strategic considerations to meet the moment
To effectively address these challenges, organizations can adopt a proactive cybersecurity approach that allows them to achieve more with fewer resources. Businesses should consider embedding cyber risk management into enterprise-wide risk management (ERM); governance, risk and compliance (GRC); operational risk management (ORM); and technology/IT risk functions to drive efficiency and alignment with business, risk and regulatory priorities. Consider the following steps:
1. Integrating cyber risk into enterprise risk management (ERM)
Organizations can achieve greater alignment between business operations, IT and cybersecurity. Integrating cyber risk into ERM programs enables firms to unify siloed cybersecurity efforts and reinforce a broader understanding of the cyber landscape across functions. To do so, organizations need to:
- Define the operating model: This model must define roles, responsibilities and processes for managing cyber risks within the context of enterprise operations.
- Establish methodology: A unified, standard approach across cyber, IT and enterprise risk to identify and assess threats, test controls, treat risks and report out.
- Operationalize metrics and reporting: Cyber and IT risk metrics need to be defined and integrated with the goal to be understood by business leadership.
- Enable technology: Business and IT may need to consolidate the technologies that support the initially separate risk management processes, or select a tool if none is in use.
- Cross-skill resources: Involved resources must have both business and risk context and the right cybersecurity and technology skills to identify cyber risk, define treatment, execute on risk mitigation actions and apply discipline for continuous improvement.
2. Aligning risk appetite with threat landscape
Firms can evaluate and determine their acceptable cyber risk tolerance based on established baselines from their ERM programs. By identifying and understanding the threats that drive these risks, organizations can make informed decisions about their cybersecurity investments.
3. Choosing a framework
Selecting the right framework can increase the effectiveness of cybersecurity risk management. Organizations can then evaluate which industry framework aligns best with their risk appetites and operational needs, such as the Cyber Risk Index (CRI), NIST Cybersecurity Framework (CSF) and ISO standards. This may involve adopting a single framework or a combination of several to better integrate capabilities, operations and requirements across both technology risk and cyber risk. We typically advise a combination, given many of the shared objectives across risk, technology and security organizations. Once the framework is established and implemented, it can inform leading practices for defining standards, policies and risk assessments to drive action.
4. Embracing a threat-led approach
To preempt evolving threats, organizations can adopt a threat-led approach to risk management. This means integrating threat intelligence, security information and event management (SIEM) data, regulatory updates, and other relevant information into risk assessments, leveraging AI to continuously aggregate and correlate the data to define plausible top risk scenarios. Coupling generative AI-driven analytics to enhance predictive risk capabilities with agentic AI to enable proactive responses to current threats and anticipated future vulnerabilities further hardens an organization’s risk posture. Bridging the gap between traditional risk management and threat intelligence programs allows firms to proactively identify, assess and remediate risks in the context of organization-specific threats.
What comes next?
Managing cyber risks today and tomorrow means establishing a program (or merging existing ones) and continuously improving it, so that ERM, GRC, ORM and technology risk are integrated with cybersecurity capabilities. This approach enables organizations to better identify risks within operational and strategic business activities, align management with their risk appetite and threat landscape, and enhance board visibility to compel swift action within resource constraints.
The views reflected in this article are those of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.