PwC’s 2026 Global Digital Trust Insights report flags OT, IIoT and talent gaps as top cybersecurity challenges
A new report from PwC identified that OT (operational technology) and IIoT (Industrial Internet of Things) have become pressure points in the current security landscape. Nearly half (47%) of leaders cite a lack of qualified personnel as their top challenge, while 39% point to unclear governance and ownership. Together, the PwC’s 2026 Global Digital Trust Insights reported that these discrepancies expose a deeper issue, that many organisations still lack the structure and expertise to manage increasingly connected operational systems with confidence.
The 31-page PwC’s 2026 Global Digital Trust Insights report revealed that 60% of organizations are increasing their investment in cyber risk management in response to geopolitical volatility. Only 6% have fully implemented all the data risk measures included in the survey. The top two challenges to implementing AI for cyber defense are gaps in knowledge and skills.
The 2026 Global Digital Trust Insights survey gathered responses from 3,887 business and technology executives between May and July 2025. A third of participants (33%) represent large companies with annual revenues of at least $5 billion. Respondents span multiple industries, including financial services (21%), industrial manufacturing and automotive (21%), technology, media and telecommunications (19%), retail and consumer markets (16%), healthcare (10%), energy, utilities and resources (9%), and government and public services (4%).
Executives came from 72 countries. Regionally, responses were distributed across Western Europe (32%), North America (27%), Asia Pacific (18%), Latin America (11%), Central and Eastern Europe (6%), Africa (4%), and the Middle East (3%).
The survey highlights several pressing themes. Geopolitical risk is reshaping strategy, with 60% of business and technology leaders ranking cyber risk investment among their top three priorities in response to rising global uncertainty. Yet resilience remains a work in progress. About half of executives say their organisations are at best only ‘somewhat capable’ of withstanding attacks aimed at specific vulnerabilities, and just 6% express confidence across all areas surveyed.
Spending patterns also point to lingering weaknesses. Only 24% of organisations devote significantly more resources to proactive measures such as monitoring, assessments, testing and controls—the ideal ratio—while 67% split investments evenly between proactive and reactive measures. That approach may prove more costly and risky over time.
Artificial intelligence is emerging as a cornerstone of defence. Agentic AI ranks among the top security capabilities that organisations plan to prioritise over the next year, with intended use cases spanning cloud security, data protection, cyber defence and operations.
Quantum computing presents another looming challenge. Although it ranks among the five threats organisations feel least prepared to address, fewer than 10% are prioritising it in their budgets, and only 3% have implemented leading quantum-resistant measures.
The cyber talent crisis continues to weigh on progress. Skills shortages remain a top barrier, prompting more than half of organisations (53%) to prioritise AI and machine learning tools to help close capability gaps. Specialized managed services are also emerging as a strategic way to provide expertise and scale.
The top obstacles organizations face in securing OT and IIoT systems, based on the percentage of respondents who ranked each in their top three challenges, include gaps in OT skillsets and resources needed to implement cybersecurity initiatives, cited by 47%. Forty-one % identified a lack of network segmentation between OT/IIoT and IT environments as a key challenge.
Furthermore, gaps in understanding the scope of OT/IIoT cyber risk were reported by 40%, while 39% noted a lack of governance and clear responsibility for OT/IIoT cybersecurity. Inadequate funding and limited executive support for implementing OT/IIoT cybersecurity initiatives were highlighted by 38%, and 35% reported insufficient visibility of OT/IIoT assets. Only 6% of respondents indicated that their organization has no significant OT/IIoT footprint.
The PwC’s 2026 Global Digital Trust Insights identified that “AI and cloud are not only the top cybersecurity investment areas, they’re also the top use cases for specialised managed security services. Organisations are using managed services for more than outsourcing capabilities. They’re partnering with providers to modernize the way critical systems get delivered.”
It added that managed services are becoming strategic accelerators, stepping in to compensate for a lack of skills, apart from delivering speed, scale, and specialized knowledge. In a threat environment that’s growing more complex by the day, they offer a way to modernize defences without diverting focus from innovation and growth.
The PwC 2026 Global Digital Trust Insights survey found that organizations are prioritizing several areas of their cybersecurity programs for the use of managed services over the next 12 months. Thirty-eight percent of respondents ranked artificial intelligence as a top priority, followed by cloud security at 32% and threat management at 28%.
Data protection and data trust were cited by 27%, network security and zero trust by 24%, and endpoint security by 19%. Identity and access management ranked at 18%, supply chain and third-party risk management at 17%, application security at 16%, connected products at 13%, operational technology security at 12%, quantum computing at 11%, mobile security at 9%, security awareness training at 9%, and API security at 8%.
“Our survey shows that U.S. business leaders see cybersecurity as a top strategic priority in an era of rapid tech change and geopolitical uncertainty,” Avinash Rajeev, cyber, data and tech risk leader at PwC US, said. “While most organizations recognize the urgency, many still admit resilience is a work in progress, with only a handful truly confident in their defenses. AI is emerging as a powerful tool to bridge gaps, but talent shortages, underinvestment in proactive measures, and the looming quantum threat leave businesses exposed. The message is clear: business-as-usual won’t cut it—leaders need bold, future-ready approaches to stay secure.”
“In a threat landscape defined by nation-state adversaries and increasingly sophisticated cyber-criminal groups, resilience depends on mastering the fundamentals: identity and access management, network segmentation, securing cloud environments, third-party risk management and building robust response plans,” Brett Leatherman, FBI Assistant Director, Cyber Division, identified in the report. “Exercising those plans and building trusted partnerships with law enforcement turns preparation into muscle memory. Every investment in prevention, detection and workforce skills narrows the gaps adversaries aim to exploit.”
“Moving from reactive defense to proactive resilience is a real opportunity for leaders to drive strategic business growth,” said Nick Godfrey, senior director and global head at the Office of the CISO for Google Cloud. “It requires a commitment to C-suite collaboration and investment, using powerful technologies like AI and cloud to help security teams work smarter, not just harder. We’re optimistic about this future, and it’s a mission we champion alongside our customers.”
The PwC report highlighted that the ability to translate complex cyber risks into business terms and effectively communicate that cybersecurity is a shared responsibility is essential for securing C-suite buy-in and collaboration. This shared understanding supports foundational governance, resilience, regulatory compliance, and incident response practices. Going forward, organizations should proactively address emerging risks by adopting a secure-by-design approach and using data to identify and justify where cyber investments are most needed.
The report identified that although quantum isn’t an immediate cyber threat, those who delay the transition to post-quantum cryptography may be exposing their sensitive data, authentication services, and cryptographic systems. “With implementation timelines stretching into years, establishing the foundations for quantum-resistant security demands early action today to avoid adversarial disruption tomorrow.
Some organisations are making initial progress, with 29% in piloting and testing stages.” However, it added that only 22% have moved beyond piloting, and almost half (49%) haven’t considered or started implementing any quantum-resistant security measures. For many, the main obstacles are a lack of understanding around post-quantum risks, combined with limited internal resources and competing demands.
The PwC’s 2026 Global Digital Trust Insights disclosed that cybersecurity workforce shortages continue to impede progress, especially as organisations push to operationalise AI, secure complex environments, and prepare for next-generation threats.
Knowledge and skills gaps were the top two barriers to implementing AI for cyber defence over the past year, forcing organisations to rethink how they scale capabilities. Many are exploring new ways to gain proficiency, including AI tools (53%), security automation tools (48%), cyber tool consolidation (47%), and upskilling or reskilling (47%). They are also prioritising specialized managed services, especially those organisations that have experienced a major attack (48%).
The report mentioned that AI and cloud are the top use cases for specialized managed security services. Organisations are using managed services for more than outsourcing capabilities. They’re partnering with providers to modernize the way critical systems get delivered.
