EY on CISOs' Role in Strategic Value Creation

EY's report highlights the evolution of the cybersecurity function and the changing role of the CISO
Research from EY reveals CISOs contribute up to 20% of strategic project value but remain excluded from early decision-making processes

Chief information security officers (CISOs) are responsible for contributing between 11% and 20% of the value in enterprise-wide projects, equating to a median value of US$36m per project they support, according to the 2025 EY Global Cybersecurity Leadership Insights Study.

Despite these contributions, the study uncovers a critical disconnect: only 13% of CISOs are involved early in strategic decision-making, a stage where their insights could amplify project outcomes.

Surprisingly, cybersecurity budgets have fallen from 1.1% to 0.6% of annual revenue over the last two years, impacting the implementation of effective security strategies despite their proven value.

According to the report, co-authored by Richard Watson, EY Global Consulting Cybersecurity Leader, and Richard Bergman, EY Global Cyber Transformation Leader, the findings reflect “the evolution of the cybersecurity function and the CISO” from traditional protection-focused roles to “key enablers of business growth”: a transformation which has occurred alongside broad digital transformation, cloud migration and AI adoption across enterprises.

This transition aligns with enterprises adopting digital transformation, migrating to the cloud, and integrating AI into their operations.

How ‘Secure Creators’ can be value leaders

The study identifies organisations referred to as ‘Secure Creators,’ which implement robust cybersecurity measures earlier and more effectively than others.

These organisations reported a positive impact on external brand perception at a rate of 72%, far surpassing the 56% rate among other enterprises.

This indicates that proactive cybersecurity not only avoids reputational damage but also plays a critical role in maintaining brand integrity in customers' eyes.

An example highlighted was the prevention of losses from ransomware attacks, which bolstered client trust and attracted new customers prioritising data security.

Furthermore, Secure Creators showed greater participation in enhancing customer experience initiatives (53% compared to 42% among their peers), addressing consumer concerns related to AI and data privacy.

The EY AI Sentiment Index Study indicates that 64% of consumers are concerned about AI systems utilising personal data without consent, showcasing the necessity of integrating security at consumer touchpoints.

Key facts
  • CISOs generate a median US$36m in value for each strategic initiative they support
  • Only 13% of CISOs are consulted early when urgent strategic decisions are made
  • Cybersecurity budgets have decreased from 1.1% to 0.6% of annual revenue over two years
  • AI automation has reduced mean time to detect and respond by 28% on average

Jeremy Pizzala, EY Asia-Pacific Cybersecurity Consulting Leader, explains: “Cybersecurity isn’t just about protecting new product and service value – it’s about creating it. When cybersecurity teams are embedded early in product development, they help build trust into core offerings. That trust becomes a differentiator in the market and a catalyst for growth.”

AI automation drives cost reduction

Beyond adding value, automation and the simplification of cybersecurity processes brought about US$1.7m in annual savings for organisations, with potential for further growth as AI solutions become more mature.

Gen AI use in cybersecurity is currently low, as only 6% of functions have adopted AI tools, but innovations such as CrowdStrike’s AI, powered by Nvidia, show promise in automating threat detection and resolution.

The research, which surveyed 550 C-suite and cybersecurity leaders, emphasises the importance of cybersecurity not just as a protective measure but as a key element of innovation and trust-building in new products and services.

CISOs seek strategic transformation

CISOs face challenges articulating their value beyond mere risk mitigation even while participating extensively in projects that drive technological and business innovation.

The study reveals that in mergers and acquisitions (M&A), cybersecurity has become increasingly critical.

According to the EY Private Equity Value Creation Benchmark Survey, private equity firms are 2.3 times more likely to prioritise cybersecurity in due diligence compared to previous years.

Rudrani Djwalapersad, EY Global Cyber Risk and Cyber Resilience Lead, says: “When CISOs are given a seat at the table early in strategic initiatives, they not only embed security into business planning from the ground up, but they add value by increasing speed of adoption and by building trust with consumers.”
