The latest data from PwC’s annual cybersecurity survey (the longest-running of its kind, now in its 28th year) has landed, and the top-line numbers paint a picture of executive action. The report, "New world, new rules: Cybersecurity in an era of uncertainty - The C-suite playbook," polled nearly 4,000 global executives and tells us that 60% are boosting cyber investment specifically in response to geopolitical volatility. The boardroom, it seems, is finally awake. Over the low hum of the projector, charts with rising red bars labeled "Cybersecurity Budget" fill the screen, and nods of approval ripple through the room.
On the surface, this looks like progress. A rational response to an unstable world. But my job is to look past the headline figures that make it into the press release and into the structural integrity of the data beneath. And when you do that, the picture changes. The narrative of a proactive, newly-alert C-suite begins to fray, revealing a deep and frankly alarming disconnect between spending and actual preparedness. The data doesn't suggest a coherent strategy is taking hold; it suggests a panicked reaction, a frantic allocation of capital without a clear plan.
The core discrepancy is staggering. While a majority are spending more, a vanishingly small fraction of these organizations believe they are actually secure. A mere 6% of leaders feel confident and fully capable of withstanding cyber attacks. Let that number sink in. Six percent. The other 94% exist on a spectrum of uncertainty, with roughly half admitting they are only "somewhat capable." This isn't a confidence gap; it's a chasm.
What could possibly explain this? How can a company sign off on millions in new spending while its leaders privately harbor deep-seated doubts about its effectiveness? The answer, as always, is in the allocation data. The report shows that 67% of organizations—a full two-thirds—spend their budgets roughly equally between proactive and reactive measures. This is like a city spending as much on its fire department as it does on its fire code inspectors and architects. It’s a fundamentally broken model. The ideal, according to the report, is a heavy investment in proactive defense (monitoring, testing, controls), a model followed by only 24% of respondents. Most companies are still waiting for the fire to start before they really spring into action.
The Anatomy of Inaction
This isn't just a misallocation; it's a symptom of a deeper strategic paralysis. Organizations are locked in a reactive loop, treating cybersecurity as a series of emergencies to be managed rather than a foundational architecture to be built. They are buying more expensive fire extinguishers and placing them in a building with faulty, outdated wiring. It's a performative act of security that looks good on an annual report but does little to prevent the inevitable blaze.
And this is the part of the report that I find genuinely puzzling. The survey respondents aren't junior managers; a third are from companies with over $5 billion in revenue. These are sophisticated organizations with entire departments dedicated to risk management. Why does this profound discrepancy between stated priorities and operational reality persist year after year? Is it a failure of the C-suite to grasp the technical fundamentals, or is it a more cynical calculation—that the appearance of action is sufficient for shareholders?

The FBI’s Brett Leatherman cuts straight to the heart of it, stating that resilience depends on "mastering fundamentals" like identity management and network segmentation. These are the unglamorous, difficult, and expensive architectural changes that don’t make for exciting press releases. They are the digital equivalent of replacing a building’s plumbing. No one sees it, but it prevents a catastrophic flood. Instead, the data shows us that leadership is being drawn toward the new and the novel, mistaking technological complexity for strategic maturity.
This brings me to a necessary methodological critique of the survey itself. When we see data from 3,887 "business and technology executives," it's crucial to ask who, precisely, is answering these questions. Is it the Chief Information Security Officer (CISO), who understands the technical debt and foundational weaknesses? Or is it the CEO, who hears about "Agentic AI" in a briefing and now lists it as a top priority? Aggregating these voices can mask the deep internal conflicts and knowledge gaps that are the true source of this strategic inertia. We don't know the breakdown, and that missing detail is critical.
The Seductive Distraction of 'Next-Gen' Threats
The allure of the "next big thing" is a powerful force in the corporate world, and it's distorting the cyber defense landscape. The report shows that Agentic AI is a top priority for deployment, yet the primary challenge cited is a lack of knowledge and skills. This is a classic case of ambition outstripping capability. Executives want to deploy advanced AI defenses before they've mastered the basics Leatherman pointed to. They're trying to install a hyper-advanced AI-powered drone security system on a house with unlocked doors and open windows.
Nowhere is this failure of long-term thinking more evident than in the data on quantum computing. It’s listed as a top-five threat that organizations feel least prepared for. This is a known, horizon-level, "break the entire internet" class of risk. The rational response would be a steady, deliberate, multi-year plan to implement quantum-resistant cryptography.
The reality? Fewer than 10% prioritize it in their budgets. Roughly half have done nothing—to be more exact, 49% have not started implementing any of the leading quantum-resistant measures. This isn't a calculated risk; it's an abdication of responsibility. The threat is acknowledged, but the action is deferred indefinitely. It’s the ultimate expression of the reactive mindset that plagues the industry. Why fix the wiring today when the fire might not start for another five years?
This is where the commentary from industry leaders like Google's Nick Godfrey, who speaks of moving from "reactive defense to proactive resilience," feels disconnected from the evidence. He frames it as an opportunity for strategic growth, which it is. But the data from this very report shows that the vast majority of his potential customers are failing to make that transition. They are mired in the reactive present, distracted by the AI-powered future, and utterly ignoring the quantum-computing cliff edge just over the horizon.
The Illusion of Progress
The numbers in the 2026 PwC report don't lie, but they do tell a misleading story if you only read the cover. The increased spending isn't a sign of a maturing industry. It’s the signature of fear. It’s panicked capital being deployed without a sound, underlying strategy. We are witnessing the widespread institutionalization of "cybersecurity theater"—expensive, visible actions that create the illusion of progress while the foundational rot remains. The real story here isn't one of growing awareness, but of a dangerous and deepening strategic paralysis. Executives are writing the checks, but they haven't bought resilience. They've just purchased a more expensive sense of anxiety.

