Deloitte has published the 5th edition of its Global Future of Cyber research, revealing five critical paradoxes that are changing the way organizations approach cybersecurity strategy.
Based on the responses of more than 1,000 cybersecurity executives and business leaders across 43 countries, 5 industries and 23 sub-sectors, the report contains useful insights for navigating an ever-changing digital landscape.
At a time when cyber threats are becoming increasingly complex and technologies such as AI are transforming both defensive capabilities and the scope of risk, cybersecurity is emerging as an issue of operational resilience, trust and value creation.
The key finding of the survey is that organisations have made significant strides in securing strong management support, as well as access to funding and formulating more mature cybersecurity strategies. However, this progress does not always translate into corresponding operational readiness. Deloitte identifies five “paradoxes” that reveal where organisations are challenged to bridge the gap between strategy and practice.
The 5 paradoxes shaping the future of cybersecurity:
1st Paradox: High confidence, but no corresponding readiness
According to the survey, 85% of respondents say they have a fair or very high level of confidence in their organization’s cybersecurity strategy. At the same time, however, 70% report that they have implemented cybersecurity actions to a great or very great extent. This discrepancy creates a 15 percentage point gap between confidence and actual preparedness.
This finding shows that while organizations have strengthened their strategic approach, there are still critical gaps in implementation, especially in terms of operational alignment, third-party provider management, skills and adaptation to new threats.
2nd Paradox: Cybersecurity has support from leadership, but not the same influence on the day-to-day operations of organizations
Cybersecurity has now earned a place on the senior management agenda. The survey shows that it remains a clear priority, with most respondents reporting strong relationships between Chief Information Security Officers (CISOs) and the C-suite, CEO or Board of Directors.
However, this influence has yet to trickle down to day-to-day operations. Cybersecurity remains more strongly tied to IT and risk management, but less integrated into areas such as business strategy, product development, customer experience, supply chain and human resources. The next step for organizations is to transform cybersecurity from a management priority to a true “co-ownership” mechanism within their operations.
3rd Paradox: Organizations want fewer suppliers, but need more
The increasing complexity of the threat environment, the need for new technology capabilities, and the integration of AI are driving many organizations to expand their partner ecosystem. According to the survey, 74% of respondents report an increase in cybersecurity partners. At the same time, 79% expect further growth in the next three years and 85% in the next five.
The paradox is that while many organizations are seeking vendor consolidation to reduce complexity and costs, the need for specialized solutions and new capabilities often drives them in the opposite direction. The challenge is not simply to reduce the number of vendors, but to strategically assess their true value, avoid duplication and enhance the architectural coherence of their infrastructure.
4th Paradox: Breaches remain persistent, but business impact is limited
Cyber attacks and security breaches remain part of the business reality. The survey records that 78% of respondents reported at least one publicly reported breach incident in 2025.
At the same time, however, organizations appear to have improved their ability to mitigate the negative consequences of such incidents. Deloitte points out that evaluating the performance of cybersecurity systems should not be based solely on the number of incidents, but on attack patterns, detection and response time, the extent of the impact and the organisation’s ability to maintain business continuity. In other words, resilience is measured not only by whether an organization is attacked, but by how quickly it detects, mitigates and recovers from attacks.
5th Paradox: Stable budgets in a volatile cybersecurity environment
The survey shows that cybersecurity funding remains robust and relatively predictable, in contrast to the rapidly changing threat environment. 85% of respondents report that related budgets have increased year-on-year, while 88% plan further increases in the next 12 months.
However, stable or increasing funding is not enough on its own. In an environment where threats, as well as technologies and regulatory requirements, are constantly evolving, organizations need to be able to justify their investments with clear business criteria. As the research notes, when cybersecurity leaders can quantify risks in financial terms, funding discussions gain greater clarity, focus and sense of urgency.
From strategic intent to operational resilience
The survey findings show that the next phase of cybersecurity is not just about strengthening tools, technologies and budgets. It is primarily about moving from strategic intent to operational implementation, with cybersecurity becoming more deeply embedded in critical operations, technology architectures and risk management decisions.
Christos Vidakis, Partner, Cyber Leader, Deloitte Greece noted, “Cybersecurity has entered a new phase of maturity. It is no longer enough for organizations to have a strategy, technology tools and funding. They need to be able to turn strategy into real operational readiness and resilience, as data security is now an integral part of value creation. The challenge for businesses – including in our country – is to move from a simple sense of security to a measurable and ever-evolving ability to protect, respond and recover.”