"Companies are spending more on AI and technology — but do they know how to defend what matters most?" That is the dilemma executives described to PwC, who found that "cybersecurity now ranks among the most significant business risks shaping corporate strategy," even as many firms admit they lack the capability to respond effectively amid a turbulent policy environment.
Where firms say they stand
PwC's conversations with corporate leaders reveal a stark pair of facts. On one hand, American corporations are increasing investment in artificial intelligence and broader technology. On the other, cybersecurity has risen into the top tier of business risks that shape strategic planning. Those two developments are not harmonious: executives told PwC that many companies do not feel equipped to manage those risks successfully.
The contradiction at the heart of strategy
The situation is a strategic contradiction. Firms are committing more money to tech and AI precisely because those areas promise competitive advantage and efficiency. Yet the executives PwC spoke with report a shortfall in their ability to respond to cyber threats — a shortfall made more acute by what PwC describes as a turbulent policy environment. The result, as described to PwC, is that organizations face simultaneous pressure to accelerate digital transformation and to shore up defenses they judge themselves unable to deploy quickly enough.
Why this matters from multiple viewpoints
- From a technologist's perspective: accelerating investment in AI and other technologies increases the attack surface and reliance on complex systems. If capability to detect, respond and recover does not keep pace with deployment, risk exposure grows.
- From a policymaker's perspective: a turbulent policy environment—highlighted by PwC as a complicating factor—can make it harder for corporate risk frameworks to stabilize. Uncertainty about rules, expectations and enforcement may impede coherent, long-term cybersecurity programs.
- From a user and customer perspective: when companies acknowledge limited capability to respond to cyber incidents, confidence and trust can be affected even before an incident occurs. That perception shapes customer choices and partner relationships.
- From an adversary's perspective: organizations that are rapidly adopting new technologies but recognize internal capability gaps may present more attractive targets, the executives told PwC.
Where responsibility and reality diverge
Executives' frank admission to PwC — that cybersecurity ranks high on the risk register while capabilities lag — points to a governance gap. Strategic investment decisions appear to be outrunning corresponding investments in defensive capacity, risk governance and resilience planning. The policy turbulence PwC cites compounds the problem by making it harder for boards and management teams to settle on consistent approaches.
That divergence has practical consequences. Boards and management set strategy; security teams execute controls. When those groups are misaligned — whether through competing priorities, unclear policy signals, or insufficient resources — the promise of new technology can be undercut by increased operational and reputational risk.
Executives shared this picture with PwC; their assessments form the factual core of the firm's finding that cybersecurity has risen to a top strategic concern even as corporate readiness is uneven.
A final, uncomfortable question
Companies are spending more on AI and technology because the stakes are high. PwC's conversations with executives reveal they know the landscape has shifted — and that their defenses may not have. If organizations do not close that capability gap while policy remains unsettled, the strategic advantages of AI and technology may arrive hand-in-hand with heightened vulnerability. How many firms can afford that tradeoff?
https://www.govinfosecurity.com/pwc-cybersecurity-risk-outpaces-corporate-ability-to-manage-a-31405




