EY
81% of healthcare executives believe that prioritizing cybersecurity in their business strategy is effective in overcoming challenges.
59% of healthcare organizations faced clinical consequences from cyber incidents, including delayed treatments and compromised patient trust.
68% of healthcare executives indicated that identity and access management would be the top priority for increasing investments in the coming fiscal year.
60% of healthcare organizations reported operational disruptions due to cyber incidents.
81% of healthcare organizations believe that integrating cybersecurity into the core business strategy is effective in improving operational efficiencies to deliver better outcomes.
Healthcare organizations experienced an average of five different types of cyber threats that impacted their organizations in the past year.
72% of healthcare organizations experienced a moderate to severe financial impact from cyber incidents in the past two years.
Over 70% of healthcare organizations reported significant financial, operational, or clinical disruptions due to cyber threats in the past year.
52% of healthcare executives stated that training and upskilling personnel is an effective tool to combat cyber challenges.
Improving cybersecurity is a top priority for 54% of state and local government IT leaders for the current fiscal year. This is seen as a higher priority than modernising legacy systems.
When it comes to challenges faced by government IT leaders in using private sector innovations, cybersecurity concerns are the most often cited barrier, mentioned by 39%.
A significant concern regarding AI is cyberattacks becoming more sophisticated due to AI, noted by 82% of state and local government IT leaders.
Only 43% of cybersecurity functions are meaningfully involved in helping other functions adopt AI.
"Secure Creators" (organizations with more advanced cybersecurity functions than their peers) were more likely to help other business functions implement AI than "Prone Enterprises" (48% vs. 31%).
37% of organizations are utilizing over 50 cybersecurity tools.
58% of CISOs and cybersecurity executives say it is difficult to articulate their value beyond risk mitigation.
73% of the study's cohort of "Secure Creators" (organizations with more advanced cybersecurity functions than their peers) believe their ability to add value will grow in the future.
23% of study respondents completed a technology rationalization effort in the last two years.
Cybersecurity contributes 11% to 20% in value to each enterprise-wide strategic initiative it is involved in.
41% of respondents are undertaking a technology rationalization effort.
Only 13% of CISOs in the study said they were consulted early when urgent strategic decisions were being made.
For each initiative that involves cybersecurity, the median value creation figure is US$36m. This figure varies significantly by organization size, ranging from a median of US$11m per project for organizations with US$1b-US$4.9b in revenue, up to US$154m for companies with US$20b or more in annual revenue.
41% of respondents are in the process of simplifying their tech platform.
"Secure Creators" (organizations with more advanced cybersecurity functions than their peers) require smaller budgets — 10% smaller on average — and are less likely to cite budgets as a key challenge.
"Secure Creators" (organizations with more advanced cybersecurity functions than their peers) were more likely to have positively impacted how external stakeholders perceive their brand (72% vs. 56% of Prone Enterprises).
The study found that cybersecurity simplification and automation have led to direct cost savings, with a median US$1.7m saved annually.
"Secure Creators" (organizations with more advanced cybersecurity functions than their peers) were more involved in efforts to improve customer experience than their peers (53% vs. 42%).
Automation efforts have decreased respondents' mean time to detect (MTTD) and mean time to respond (MTTR) by 28%, on average.
74% of respondents reported they invested savings from optimization, automation, and outsourcing to address control weakness.
46% of respondents used savings from optimization, automation, and outsourcing to increase coverage of the attack surface.
Organizations use a median of 35 different cyber tools.
18% of respondents have simplified their tech platform.
Two-thirds (68%) of respondents used the cost savings generated from optimization on innovation and other AI initiatives.
Six in 10 respondents point to increased visibility across attack surfaces due to automation efforts.
Cybersecurity budgets as a percent of annual revenue have decreased over the last two years, from 1.1% to 0.6%.
CISOs (57%) are more likely than the rest of the C-suite (47%) to say their organisation has experienced a cybersecurity incident due to cybercriminals in the past three years.
84% of C-suite leaders report that their organisation experienced a cybersecurity incident in the past three years.
75% of CISOs say their organisation experienced a decrease in cybersecurity incidents following increased investment in AI, compared to the rest of the C-suite (68%).
21% of C-suite leaders say their organisation currently invests more than 10% of their IT budget in cybersecurity. This number is expected to roughly double to 38% next year.
Two-thirds (66%) of CISOs say they are worried that the cybersecurity threats their organisation is facing are more advanced than their defences, which is significantly more than their C-suite counterparts (56%).
47% of CISOs say their organisation has experienced a cybersecurity incident due to inside threats in the past three years, compared to the rest of the C-suite (31%).
Russell 3000 companies experiencing a cyber incident typically see their stock price decrease by 1.5% over the following 90 days.
CISOs (68%) are more likely than the rest of the C-suite (57%) to express concern about senior leaders at their organisation underestimating the dangers of cybersecurity threats.
The rest of the C-suite (77%) is more likely than CISOs (69%) to attribute success in decreased cybersecurity incidents to increased investments in employee cybersecurity training.