Risk Management

Significant gaps exist between perceptions of cyber resilience among top security executives and C-suite leadership, according to a report published by PwC.

More than two-thirds of technology leaders see cybersecurity as their top risk for mitigation, compared with only 48% for business leaders, according to the 2025 Global Digital Trust Insights report. The research is based on a survey of more than 4,000 business and technology executives across 77 countries. 

Less than half of executives said their CISOs were heavily involved in strategic planning, reporting to the board and overseeing technology deployment. In addition, there is a gap between CISOs and top C-suite executives over the company’s ability to comply with regulations, particularly those involving AI and critical infrastructure.

The research highlights a troubling gap between security executives and the C-suite at a time when the security industry has been pushing businesses to embrace cyber risk as a core business risk. 

“This gap can be concerning because it indicates that security and IT executives, who are more attuned to the day-to-day operational difficulties and potential vulnerabilities, may not be effectively communicating these risks to the leadership team—or may not have the opportunity to do so,” Matt Gorham, leader of PwC’s Cyber & Privacy Innovation Institute, said via email. 

The report indicates a misalignment between IT security leaders and the C-suite on their perceptions of cyber risk, as well as the top priorities necessary to address these issues.

According to the report, cloud security is the top investment priority for tech leaders, followed by data protection and trust. In contrast, nearly half of business executives in the study said that data protection is their top business priority, followed by tech modernization.  

More than a year has passed since the Securities and Exchange Commission voted to adopt rules requiring businesses to disclose material cyber incidents to investors. Those rules also require companies to disclose cyber strategies and risks. 

Prior studies show that while CISOs have gained more access to the C-suite and corporate boards, the various stakeholders have competing sets of priorities. 

A report released in May from Trend Micro shows that CISOs have felt pressure from corporate boards to downplay the severity of cyber risk facing their organizations. 

Companies need to take ownership of cybersecurity risk at the highest levels of corporate governance, including senior management and at the board level, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a blog post. 

Companies need to embrace cybersecurity as a strategic business risk, Easterly said. They can no longer afford to relegate that responsibility to their IT department or corporate CISO without the awareness and participation of the C-suite and corporate directors. 

“The time is now for CEOs and boards to actively embrace corporate cyber responsibility as a matter of good governance, recognizing that every organization has an obligation to reasonably assure the safety of their employees, partners and customers,” Easterly said in the post. 

The push for stronger cybersecurity governance comes at a time when the U.S. is facing sophisticated cyberattacks against critical infrastructure from nation-state adversaries, including China and Russia. 

CISA in 2023 partnered with the National Association of Corporate Directors and the Internet Security Alliance last year on a handbook that addresses how to manage cyber risk.  

Easterly is scheduled to step down as CISA director when the Trump administration takes office.

The concerns raised by Easterly came just a day after National Cyber Director Harry Coker Jr. warned the U.S. needs to step up deterrence efforts to counter malicious cyber activity sponsored by China, Russia and other adversaries. 

Coker noted that the role of the private sector is critically important, because much of the nation’s critical infrastructure is run by private sector organizations. Therefore authorities need the private sector to maintain strong network defenses and share threat intelligence. 

About 260 companies have signed CISA’s Secure by Design pledge, which is a voluntary effort to get technology and other companies to adhere to secure development practices in an effort to make sure software is safe out of the box. 

Easterly said board members need to take several actions to make sure cybersecurity is a priority:

• Ensure CISOs are fully empowered and given the proper influence and resources to prioritize cybersecurity within the organization. 
• Make sure senior executives are educated on cyber risk and that cyber risk considerations are fully baked into business, technology and software acquisition decisions. 
• Review the company’s cyber risk framework and ensure the development of common standards. 

 

Sponsored content

By Wind River eLxr Pro

As the Linux market is set to soar to nearly USD 100 billion by 2032,¹ businesses are facing mounting challenges in managing increasingly complex workloads spanning from the cloud to the edge. Traditional Linux distributions are not built to meet the specific demands of these modern use cases, creating an urgent need for a more specialized, enterprise-grade solution.

Historically, enterprises have depended on general-purpose Linux distributions operating across racked servers and hybrid data centers to centrally store and process their data. But with the rapid rise of edge computing and the Internet of Things (IoT), real-time data processing closer to the source has become mission-critical. Industries like healthcare, telecommunications, industrial automation and defense now require localized, lightning-fast processing to make real-time decisions.

This shift to edge computing and connected IoT has sparked a surge of use cases that demand specialized solutions to address unique operational requirements such as size, performance, serviceability and security. For instance, the telecommunications sector demands carrier-grade Linux (CGL) and edge vRAN solutions with reliability requirements exceeding 99.999% uptime.

Yet, traditional enterprise Linux distributions—while robust for central data centers—are too general to meet the diverse, exacting needs of IoT and edge environments. Linux offerings are continuing to expand beyond conventional distributions like Debian, Ubuntu and Fedora, but the market lacks a unified platform that can effectively bridge the gap between edge and cloud workloads.

Today’s complex computing needs demand a unified solution

To stay competitive, businesses need computing solutions that process time-sensitive data at the edge, connect intelligent devices and seamlessly share insights across cloud environments. But no single Linux provider has yet bridged the cloud-to-edge divide—until now.

Introducing eLxr Pro: one seamless solution for all enterprise-grade workloads

Wind River® eLxr Pro breaks new ground as the industry’s first end-to-end Linux solution that connects enterprise-grade workloads from the cloud to the edge. By delivering unmatched commercial support for the open source eLxr project, Wind River has revolutionized how businesses manage critical workloads across distributed environments—unlocking new levels of efficiency and scalability.

As a founding member and leading contributor to the eLxr project, Wind River ensures the eLxr project’s enterprise-grade Debian-derivative distribution meets the evolving needs of mission-critical environments. This deep integration provides customers with unparalleled community influence and support, making Wind River the go-to provider for secure, reliable, enterprise-grade Linux deployments.

Why eLxr Pro is a game-changing solution

Built on the stable foundation of Debian, eLxr Pro offers the proven reliability and hardware compatibility needed for the most demanding use cases. Whether you're managing centralized cloud applications or distributed edge systems, eLxr Pro delivers a tailored solution backed by expert commercial support, streamlining operations and accelerating innovation.

This breakthrough solution is the result of Wind River’s 20-year leadership in the open source community and embedded systems market. By bridging critical gaps for enterprises, eLxr Pro empowers businesses to scale seamlessly, innovate faster and thrive in a connected world.

The eLxr Project: Expanding access to cutting-edge technologies

The eLxr project is a community-driven initiative that offers an open source, enterprise-grade Debian-derivative distribution. This platform empowers enterprises to adopt scalable, secure and reliable Linux solutions for cloud-to-edge deployments.

• Upstream-first approach: Fully aligns with Debian’s open governance, ensuring a free operating system that preserves software freedom
• Cloud-native-ready: Optimized for containerized workloads and supported across a range of modern runtimes
• Performance-optimized: Ready for commercial off-the-shelf (COTS) hardware and prioritizing support for silicon accelerators
• Security-first: Continuous security monitoring throughout package lifecycles
• Compact and extensible: Right-sized packages adaptable to industry-specific needs

5 ways the eLxr Project helps close the gap

1. One platform for every use case: Deploy a unified Linux solution that scales effortlessly across environments, from cloud to edge, enabling smooth usage and the adoption of diverse hardware and new technologies.
2. Unmatched flexibility for innovation: Control your innovation roadmap with the eLxr project’s fully open source, upstream-first approach, eliminating vendor lock-in and putting the pace of progress in your hands.
3. Built for scalability: Whether you're scaling up in data centers or optimizing lightweight edge devices, the eLxr project is engineered to adapt, ensuring seamless performance across every infrastructure.
4. Optimized for cost efficiency: With a minimal footprint and a tailored feature set, the eLxr project reduces complexity, cuts operational expenses and enhances power efficiency, particularly in resource-constrained environments.
5. Enterprise-ready support: Gain confidence in your deployments with comprehensive lifecycle support, ensuring your Linux platform is always secure, up-to-date and backed by dedicated Wind River experts.

Partner with Wind River to drive cloud-to-edge success

With two decades of expertise in Linux and open source solutions, Wind River is uniquely positioned to help you succeed in even the most demanding cloud-to-edge deployments. eLxr Pro offers the flexibility, support and innovation necessary to stay ahead in a rapidly evolving digital landscape. Ready to close the gap between the cloud and the edge? Visit Wind River to discover how eLxr Pro can transform your operations.

---

¹ Fortune Business Insights. “Linux Operating System Market Size, Share & Industry Analysis, By Distribution (Virtual Machines, Servers, and Desktops), By End-use (Commercial/Enterprise and Individual), and Regional Forecast: 2024-2032.” August 2024. www.fortunebusinessinsights.com/linux-operating-system-market-103037.

Less than a month before the U.S. presidential election, 3 in 4 C-suite executives consider cybersecurity a moderate or serious risk, making it the biggest overall concern among potential business risks, according to a report from PwC. 

About one-third of executives consider technology, AI and data regulation the top three policy risks, no matter which major candidate wins the presidential election.The report is based on a survey of 709 U.S. executives conducted between Sept. 12-19.  

Beyond cyber, business leaders are concerned about geopolitical tensions and how pressure on profit margins may impact earnings, according to PwC.

The risk concerns echo previous studies showing cybersecurity as one of the top concerns of senior business leaders. 

Cyber risk has become a growing problem in recent years, as attacks disrupt supply chains, lead to customer and investor litigation and cause reputational damage. 

U.S. businesses have accumulated technical debt over the years, and still rely on outdated technologies and business tools that are not secure. 

Organizations need to “continue investing in cybersecurity to confirm that their solutions keep pace with evolving threats,” Matt Gorham, leader of PwC’s Cyber & Privacy Innovation Institute, said via email. “For example, while GenAI is spurring new types of phishing attacks, it is also being integrated into cybersecurity solutions by leading vendors.”

The U.S. has made significant progress improving its cybersecurity posture, implementing about 80% of the recommendations the Cyberspace Solarium Commission detailed in 2020, according to a report. But more work is still required to shore up additional efforts related to critical infrastructure and economic security. 

Among the key remaining priorities is a push to identify the "minimum security burdens" of critical infrastructure entities that have a "disproportionate impact on U.S. national security," the report said. The commission called on the next administration to detail intelligence and information-sharing benefits, alongside security burdens, to these “systemically important entities.”

The U.S. needs to develop an economic continuity plan that would operate as an incident response and resilience plan in case of a catastrophic cyber event or other crisis, the commission said. Federal authorities also need to codify a joint collective plan for sharing threat information between government, private industry and international intelligence partners.

The report comes at a critical time for the federal government. The Biden administration has already begun to roll out the initial phase of the national cybersecurity strategy. The initial plans have focused on strengthening key sectors, including schools, water utilities and healthcare. 

Sen. Angus King, speaking at a panel discussion in Washington D.C. last week, said a major focus of CSC 2.0 has been to strengthen the level of collaboration between the government and the private sector. 

The vast majority of the nation’s critical infrastructure is owned or controlled by the private sector, and in order for the U.S. to be able to collect and share critical threat information, they need to gain the trust of industry stakeholders. 

King said accomplishing that is a top priority, but he recognized that getting the private sector to fully trust government authorities would not be an easy accomplishment. 

“And what we’re trying to do is something that’s somewhat against history,” said King, co-chair of CSC 2.0. “We’re trying to get the private sector to trust the U.S. government.”

King noted there were similar tensions during the early years of the Cybersecurity and Infrastructure Security Agency, where state officials did not trust the agency.

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Technologies, emphasized the need to set priorities on which are the most systemically important entities, like key ports and transportation systems and boost their resilience.  

“It’s good to fix the entire cyber ecosystem, that would be fantastic, but that’s like boiling the ocean,” Montgomery said. 

The report notes that other important work still remains, for example discussions with various stakeholders have begun on a potential federal backstop for catastrophic cyber insurance. White House and U.S. Treasury officials told Cybersecurity Dive earlier this month they were working on a plan to address catastrophic risk

Discover Financial Services is taking a calculated approach to generative AI. 

From experiments and pilots to use cases across the business, the financial institution evaluates how to best use generative AI by assigning specific guardrails based on risk. The process enables adoption with an unobscured lens to better identify value and prioritize projects, whether the technology is customer-facing or intended for back-office tasks. 

The approach also grants Discover more protection from the outsized risks generative AI brings.

“All of that is meeting our standards, expectations and our policies around that, but it’s still ‘human in the loop,’” Discover CIO Jason Strle told CIO Dive. “That’s a really big part of how we mitigate that risk, [and] that will last for a certain period of time.”

Discover’s risk reduction strategy closely follows the guidance laid out by the National Institute of Standards and Technology, which released a draft of its generative AI risk management framework in July. 

“The NIST AI risk management framework is very, very consistent with financial risk management, non-financial risk management or the operational risk management that banks need to do,” Strle said. “The pattern is very familiar.” 

As enterprises approach generative AI with caution, NIST’s risk mitigation guidance is a jumping-off point for businesses trying to determine the best place to start as the technology rapidly evolves. Even as leaders are eager to reap the potential rewards of wide-reaching, large-scale generative AI integration, they are prioritizing efforts to avoid missteps and shape holistic adoption plans. 

The popularity of the NIST framework is not coincidental. The government agency has worked for years to fortify standards for cybersecurity, which are recognized broadly, and is now setting the stage to become the standards body for generative AI, too. 

An abundance of options

For Discover, Strle distilled NIST’s voluntary framework into three steps: 

• Identify where capabilities create risk.
• Prove the organization understands how to quantify and mitigate the risk.
• Monitor on a daily basis.  

The final version of NIST’s text, which was the result of President Joe Biden’s executive order last October, offers just over 200 risk-mitigating actions for organizations deploying and developing generative AI. It's a slimmed down version of the 400 steps in the initial iteration published in April.  

The NIST AI guidance focuses on a set of a dozen broad risks, including information integrity, security, data privacy, harmful bias, hallucinations and environmental impacts. The framework provides organizations with ways to contextualize and mitigate risks. 

To prevent incorrect generated outputs, for example, NIST provides around 19 different actions enterprises can take, such as establishing minimum thresholds for performance and review as part of deployment approval policies. 

NIST is not alone in its effort to provide generative AI adoption guidance.

As vendors rushed to embed generative AI into solutions, industry groups and advocacy agencies worked to clear the confusion around model evaluations, risk management and responsible processes. 

Those efforts have resulted in an abundance of guidelines, policy recommendations and guardrail options, but no single source of truth. 

The International Organization for Standardization released an AI-focused management system standard in December. MIT launched an AI risk database calling attention to more than 700 threats in August and several professional services firms have created governance frameworks.

Whether the growing list of options made the waters murky for CIOs or is actually helpful, depends on who you ask. 

“I don’t think it’s a straightforward answer,” Strle said. Having more ways to mitigate threats is not always inherently productive, so it's up to enterprise leaders to decipher what the business needs to be protected. 

Standing on the sidelines is only an option for so long. 

Executives are contending with tightening regulations on AI around the world, from the European Union’s AI Act to California’s contentious Senate Bill 1047, which California Gov. Gavin Newsom vetoed. The majority of leaders expect stricter requirements in the future, and businesses are reviewing and updating their existing practices to get on track. 

“I have to stay prepared because, eventually, it’s going to make it to the other states,” said Shohreh Abedi, EVP, chief operations and technology officer, membership experience at AAA - The Auto Club Group. The organization has focused on embedding generative AI over the last year, operating across 14 states, a Canadian province, Puerto Rico and the U.S. Virgin Islands. 

“We can’t put our heads in the sand,” Abedi said. 

Where CIOs draw the line

CIOs are growing tired of seemingly empty promises of what generative AI might do and want to turn talk into action. The technology’s laundry list of risks, however, calls for a more meticulous security overview, requiring new frameworks, best practices and training.

While there are hundreds of ways to mitigate generative AI’s risk, technology leaders don’t necessarily need to rush to deploy them all, analysts told CIO Dive.

CIOs should identify the most critical risks, whether it's reputational damage or from an intellectual property perspective, Thomas Humphreys, compliance expert and content manager at Prevalent, said. “Thinking like that will start to help shape which of those mitigation techniques are most useful to a business.”

Protecting intellectual property when using generative AI tools has become a persistent point of contention as ease of access to third-party tools and employee eagerness have led to a proliferation of shadow AI. 

Gartner analysts predict enterprise spending to curb IP loss will hurt ROI and slow adoption in the next two years. 

NIST recommends organizations periodically monitor and address sensitive data exposure. At AAA’s second-largest North America club, Abedi said the organization forbids employees to freely put sensitive information into models or use proprietary data to train models.

“The first thing we said was, you can’t use any of our assets to go do your own generative AI,” Abedi told CIO Dive. “We will be monitoring, and if we see that you’ve done an account off my assets, we’re going to come to you and shut it down.” 

Employees are encouraged to bring forth use case ideas that solve pain points, Abedi said, but the organization isn’t willing to potentially allow unauthorized third-party providers full access to its host of proprietary information. 

That balance was struck after conversations with stakeholders and risk assessments, a strategy NIST highlighted in its guidance as well. 

Understanding risk tolerance

NIST recommends organizations base risk mitigation on their level of risk tolerance as a core governing principle.

“An amicable and acceptable approach will be to first evaluate the business needs where AI is implemented and not just dump all AI risk mitigation guidance as a silver bullet,” said Rahul Vishwakarma, senior member of the Institute of Electrical and Electronics Engineers.

When Discover considers adding generative AI to workflows, the business keeps in mind where it currently draws the line.

“If it’s completely autonomous and it’s answering where the nearest ATM is, that’s one kind of risk profile,” Strle said. “Complete autonomy when you’re making a decision that’s going to affect the customer’s financial livelihood or financial outcomes, well, that’s a very, very high set of risk profiles to manage and we’re not there yet.”

Discover has controls and guardrails in place, but it relies on its workers, who have gone through training and have access to usage policies and procedure guidelines, to distinguish the value of generative AI’s outputs. It’s a tactic NIST recommends in its guidance, too.

“A lot of what we’re doing in the contact center is ‘human in the loop,’ where you can leverage these generative AI capabilities and that’s happening parallel to a contact center agent doing their job,” Strle said. “The final decision is with the human, who’s adhering to all the training and processes.”

When generative AI does have a level of autonomy in a particular use case, CIOs need a plan for what happens if models go awry. For some tech leaders having an off-switch is vital. 

The City of Glendale, Arizona, turned to generative AI to solve a pressing support issue as the city moved to approve a major renovation to its City Hall, according to former CIO and CISO Feroz Merchhiya, who is now the CIO position of the City of Santa Monica, California.  

“I had full control of the data and I had control of the system in terms of if it didn’t work or fired off wrong advice, I could turn it off,” Merchhiya said, referring to the company’s enterprise-focused IT support copilot tool. “And I had a mechanism to rectify the problem by deploying a human resource to solve the problem.” 

Risk mitigation and implementation plans work best when devised together, technology leaders told CIO Dive. 

Strle said Discover's upfront work to understand how to best use generative AI in the contact center was coupled with an assessment of the risks tied to identified use cases.

“All controls that we create — and financial services have to be sustainable over an indefinite period of time — it [must] take into account all the dynamics of the industry in which we operate, which is constantly changing,” Strle said. “The NIST framework is an extension, in my mind, of that same basic pattern.”

Next up for CIOs

While there are enterprises making progress in risk management, studies have shown consistent discrepancies between the number of businesses deploying generative AI and the prevalence of responsible, secure practices. 

Analysts attribute the lag to the quick pace of technological innovation and adoption.

“What I’m seeing with CIOs is that they are more challenged because they are having to make very difficult decisions about technology, even more than they always have because of how quickly these tools, techniques and models are developing,” Rowan Curran, senior analyst at Forrester, said. 

Though it commands enterprise interest, generative AI is still evolving and its best practices are not yet solidified. 

Plus, managing risks isn’t always simple. More than 3 in 5 executives expect to see a significant increase in the level of risk they will be responsible for in the next three to five years, according to a recent KPMG survey. Around 2 in 5 anticipate more than half of their risk management budget will go to technology. 

“There are no prescriptive standards set yet, but these will evolve over time,” Freshworks CIO Ashwin Ballal told CIO Dive. “Right now, it’s like we all have a hammer with AI and we think everything is a nail.”

But a shift is afoot. 

Enterprises are quickly growing tired of experimentation and pilot stages. The hype-filled veil is lifting for early adopters as leaders connect use cases to metrics of success. 

Interest in generative AI has dipped among senior executives and board of directors since the beginning of this year, according to Deloitte research published in August. 

Fortune 500 companies are also more likely to cite AI as a potential risk factor in securities filings than to highlight its benefits or use cases, according to Arize AI research, which analyzed each businesses’ most recent annual report.

The dip in enthusiasm comes as most organizations grapple with adoption roadblocks related to tech debt and inadequate infrastructure, on top of risk management. Still, enterprises are hopeful their AI initiatives can deliver results, using frameworks like NIST's suggested actions to curb adoption risks.

“You have to come to the leadership table with recommendations and suggestions,” Curran said. “Be the one that educates about how this technology can make a difference, how it ties to the business goals and what’s the path to get there.”

AI-assisted attacks were the top emerging business risk through the first three quarters of the year, Gartner said in a report. Four in 5 executives Gartner surveyed named AI-enhanced malicious attacks as the top emerging risk in Q3.

The report, based on a survey of 286 senior risk and assurance executives, forecasts potential future risk — scenarios that haven’t been realized by enterprises but could bear a significant impact in time.

The remaining top five most commonly cited emerging risks include AI-assisted misinformation, escalating political polarization, globally consequential risk and a misaligned organizational talent profile.

Worries about threat groups using AI in a meaningful way in cyberattacks continue to outpace reality. Researchers have not identified AI-engineered cyberattack campaigns, but there is widespread speculation that will change.

“I personally don’t see any evidence of it yet. I’m sure it’ll happen but I can’t quite predict how they might use it in the future,” Mandiant Consulting CTO Charles Carmakal said earlier this year during a media briefing at the RSA Conference.

The No. 1 concern is that attackers are using AI for social engineering and to overcome language barriers, Mandiant Chief Analyst John Hultquist said during the media briefing.

For now, security leaders at many of the top cybersecurity and enterprise technology firms, including Google Cloud, insist or at least remain hopeful AI will give defenders an advantage over attackers.

In Gartner’s study, AI-assisted misinformation and escalating political polarization were new emerging risks respondents cited, which reflect growing concern and uncertainty about global elections and their potential impact on enterprise.

“While the upcoming U.S. election generates headlines over the candidates’ regulatory, trade and other proposals, organizations have difficulty considering the actual risk implications from the many scenarios that might unfold,” Zachary Ginsburg, senior director of research in Gartner’s Risk and Audit Practice, said in the report.