In cybersecurity matters, whether you’re a CEO or a CISO, you tend to prioritise preventing financial losses or ensuring operational resilience.
There’s nothing extraordinary about this observation. Yet it finds a notable illustration in the World Economic Forum’s latest Global Cybersecurity Outlook report. From one year to the next, the main concerns expressed have indeed diverged between the two roles.
In 2025, the ransomwares topped the list for both CEOs and CISOs. The former cited fraud/phishing and supply chain disruptions next. The latter did the same, but in the reverse order.
This year, the ransomwares remain the principal concern for CISOs (ahead of supply chain disruptions and the exploitation of software vulnerabilities). They are, however, no longer in the top 3 for CEOs, who are primarily worried about fraud and phishing; followed by AI vulnerabilities and software vulnerabilities.
There are also differences between organizations depending on the level of cyber resilience estimated. Respondents* who rate it as high tend to fear primarily supply chain disruptions. Conversely, they place AI vulnerabilities last on their list. However, if this sample is restricted to CEOs, vulnerabilities become the number-one concern…
This “CEO effect” is less significant among organizations whose level of cyber resilience is deemed insufficient.
GenAI, now the primary concern for data leaks
When focusing on GenAI, CEOs’ concerns align more closely with those of the overall sample.
| (One answer allowed) | Data leaks | Development of attacker capabilities | Technical security of AI systems | Governance complexity | Software supply chain risks | Intellectual property and accountability |
| Overall | 34% | 29% | 13% | 12% | 7% | 4% |
| CEO | 30% | 28% | 15% | 13% | 9% | 6% |
Across the full sample, the item “data leaks” is selected much more than last year (+12 percentage points).
When asked which risks are growing, respondents predominantly cited AI vulnerabilities (87%). They are followed by:
- Fraud / phishing
- Supply chain disruptions
- Software vulnerabilities
- Ransomware attacks
- Insider threats
- Denial of service
Facing supply chain risk, the security function is often involved in the procurement process
Regarding the risk to the supply chain, the hierarchy of risk-management methods is similar across levels of cyber resilience, but with a gap of 20 to 30 points.
| Assessment of suppliers’ cyber maturity | Security function involvement in procurement processes | Threat intelligence sharing with partners | Mapping partners’ exposure levels | Incident simulation and/or recovery exercises with partners | |
| Overall | 68% | 65% | 38% | 33% | 27% |
| High resilience | 74% | 76% | 53% | 44% | 44% |
| Insufficient resilience | 48% | 53% | 31% | 23% | 16% |
| CEO, high resilience | 59% | 70% | 30% | 48% | 44% |
| CEO, insufficient resilience | 31% | 31% | 38% | 31% | 6% |
AI adoption in cybersecurity most often serves to detect phishing and other threats in email (52% of respondents selected this answer among up to three). Following are:
- Intrusion detection and response or anomaly detection (46%)
- Automation of operations (43%)
- User behavior analysis and detection of insider threats (40%)
- Threat intelligence triage and risk prioritization (39%)
- Other objectives (8%)
In 64% of organizations represented here, AI tools are evaluated before deployment (one-time review for 24%, periodic for 40%). This rate rises to 45% among those where the level of cyber resilience is deemed insufficient.
The lack of knowledge and/or skills is the primary obstacle to adopting these tools. 54% of respondents cite it. 41% mention the need for human validation of AI responses before implementation.
* 804 respondents including 544 C-levels among whom 316 CISOs and 105 CEOs.
