EY Study: How Cybersecurity Adds $36m Value per Initiative

Chief information security officers contribute between 11% and 20% of the value produced by enterprise-wide initiatives, generating a median US$36m in value for each project they support, according to the 2025 EY Global Cybersecurity Leadership Insights Study.
However, the research also reveals a major disconnect between the value CISOs create and their influence in organisational decision-making. Just 13% of CISOs report being consulted early when urgent strategic decisions are made, while cybersecurity budgets as a percentage of annual revenue have decreased over the past two years, from 1.1% to 0.6%.
According to the report, co-authored by Richard Watson, EY Global Consulting Cybersecurity Leader, and Richard Bergman, EY Global Cyber Transformation Leader, the findings reflect “the evolution of the cybersecurity function and the CISO” from traditional protection-focused roles to “key enablers of business growth”: a transformation which has occurred alongside broad digital transformation, cloud migration and AI adoption across enterprises.
The study identified value creation across six key initiative areas: adopting and building technology, strengthening brand trust and reputation, improving customer experience, transforming and innovating across the business, expanding to new markets and developing new products and services.
How ‘Secure Creators’ can be value leaders
The study revealed a group termed ‘Secure Creators’ – organisations with advanced cybersecurity functions that engage earlier and more deeply in business initiatives than their peers.
Secure Creators are more likely than the organisations EY's report describes as 'Prone Enterprises' to help other business functions implement AI (48% versus 31%). This closer collaboration on technology initiatives helps establish better relationships between CISOs and front-office business leaders.
The research shows Secure Creators positively impact external brand perception at a rate of 72%, compared to 56% of Prone Enterprises. This relationship extends beyond preventing reputation-damaging breaches to positioning cybersecurity closer to customer touchpoints that determine brand reliability. Examples from survey respondents include avoiding losses during ransomware attacks and ensuring secure data transfers, resulting in increased trust with current clients and attraction of new customers who value data protection.
Secure Creators also demonstrate higher involvement in customer experience improvement efforts (53% versus 42%). This engagement addresses consumer concerns about AI systems, with 64% of consumers worried about personal data use in AI systems without consent, according to the EY AI Sentiment Index Study.
- CISOs generate a median US$36m in value for each strategic initiative they support
- Only 13% of CISOs are consulted early when urgent strategic decisions are made
- Cybersecurity budgets have decreased from 1.1% to 0.6% of annual revenue over two years
- AI automation has reduced mean time to detect and respond by 28% on average
Jeremy Pizzala, EY Asia-Pacific Cybersecurity Consulting Leader, explains: “Cybersecurity isn’t just about protecting new product and service value – it’s about creating it. When cybersecurity teams are embedded early in product development, they help build trust into core offerings. That trust becomes a differentiator in the market and a catalyst for growth.”
AI automation drives cost reduction
Beyond value creation, the study also examined cost and time savings from cybersecurity simplification and automation. Organisations report a median US$1.7m in annual savings from these initiatives, with expectations for rapid growth as AI programmes mature.
Currently, only 6% of cybersecurity functions actively use generative AI tools, according to a 2024 CrowdStrike study referenced in the research. However, agentic AI developments, such as CrowdStrike's Charlotte AI powered by Nvidia NIM microservices, demonstrate the capability to handle complete workflows from threat detection to resolution without human intervention.
About the research
EY conducted the study in March and April 2025, surveying 550 C-suite and cybersecurity leaders across 16 sectors and 19 countries. Building on findings from 2023 and 2024 studies, EY used statistical modelling to identify Secure Creators based on cybersecurity metrics including mean time to detect, mean time to respond, incident numbers, organisational integration and impact on innovation. Secure Creators comprised 47% of the survey sample, with Prone Enterprises making up 53%.
Organisations currently use a median of 35 different cyber tools, with 37% utilising over 50 cybersecurity tools. Technology rationalisation efforts are underway, with 23% of study respondents completing such initiatives in the past two years and 41% currently undertaking them. Similarly, 18% have simplified their technology platforms, with 41% in process.
Secure Creators operate with budgets 10% smaller on average than their peers while maintaining more advanced cybersecurity functions. They are also less likely to cite budgets as a key challenge, demonstrating the efficiency gains possible through strategic optimisation.
AI and machine learning deployment across cybersecurity priorities has decreased mean time to detect and mean time to respond by 28% on average. Six in 10 respondents report increased visibility across attack surfaces as a result of automation efforts.
CISOs seek strategic transformation
The research reveals that 58% of CISOs and cybersecurity executives find it difficult to articulate their value beyond risk mitigation. This challenge occurs despite widespread involvement in value-adding business initiatives such as enterprise-wide technology adoption, business innovation and new market expansion.
Cybersecurity importance in mergers and acquisitions is increasing, with private equity firms 2.3 times more likely to focus on cybersecurity during due diligence than two years ago, according to the EY Private Equity Value Creation Benchmark Survey.
Rudrani Djwalapersad, EY Global Cyber Risk and Cyber Resilience Lead, says: “When CISOs are given a seat at the table early in strategic initiatives, they not only embed security into business planning from the ground up, but they add value by increasing speed of adoption and by building trust with consumers.”
Technology Magazine is a BizClik brand

