Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

POST

4 mins to read

Why Cyber Risk Quantification Is Essential in Today’s Risk Landscape

In any volatile business environment, risk and opportunity are two sides of...
Sameer Ansari

Managing Director - Security and Privacy

Daniel Stone

Director - Technology Risk & Resilience

Views
Larger Font
4 minutes to read

In any volatile business environment, risk and opportunity are two sides of the same coin. The newly released 2026 Executive Perspectives on Top Risks and Opportunities — the 14th annual edition from Protiviti and NC State University’s ERM Initiative — offers a sweeping view of what’s on the minds of board members and C-suite executives worldwide. The message is clear: organizations that treat risk management as a catalyst for innovation and growth are best positioned to thrive.

But as digital transformation accelerates, one risk stands at the top: cybersecurity. This year, cyber threats are ranked as the top global near-term risk and the top investment priority for organizations seeking resilience and growth.

Source: Protiviti’s 2026 Top Risks Survey

Cybersecurity: the universal risk

Across industries, geographies and organization sizes, cyber threats are the most consistently ranked concern. Board members, CEOs and CISOs alike recognize the risk posed by digital vulnerabilities transcends functional boundaries. In a recent webinar covering this survey, Sameer Ansari, Protiviti’s global lead for security and privacy, cited the following key drivers of this increased visibility for cyber threats:

  • Executives and boards are thinking more in terms of “when we do have an event, how will we be able to respond and recover?
  • Cybersecurity is a foundation for trust, enabling revenue growth or leading to lost sales if not carefully maintained.
  • AI is putting pressure on foundational cyber capabilities to improve their depth and effectiveness.

Third-party risks, closely tied to cyber concerns, rank second among global near-term concerns. As organizations expand strategic alliances and partnerships (62 percent of organizations indicated they plan to expand their ecosystem partnerships), the complexity of managing external dependencies grows. This interconnectedness amplifies the potential impact of cyber incidents, making robust third-party risk management frameworks essential.

This universal prioritization reflects a growing recognition that cybersecurity impacts brand reputation, operational continuity and regulatory compliance. The report’s findings show that 43 percent of executives identify cybersecurity as their top strategic investment priority, well ahead of other areas.

Top strategic investment priorities. Source: Protiviti’s 2026 Top Risks Survey

AI and the expanding attack surface

The Top Risks report highlights how the rapid adoption of AI and ecosystem expansion are reshaping the risk landscape. AI is both a transformative growth driver and a complex challenge. This year’s report includes a section focused on the top priorities related to the impact of AI specifically and with no surprises there, the impact of data and cyber exposure relating to AI use was the top priority of 31 percent of respondents.

Interestingly, when diving into the individual respondents’ data, equipping the workforce to realize AI’s value proposition is the top priority of the board and CEO roles, though cyber threats relating to AI were close behind.

The data show that organizations’ want to deploy effective AI and realize value from it, and one possible risk to achieving that goal is inadequate cybersecurity investment.

Investment planning: cybersecurity as a fiduciary obligation

The survey also shows a decisive shift in investment priorities. Capital is being dedicated to fixing the operational core, ensuring security compliance and building the infrastructure needed to scale AI and other digital capabilities. With regulatory requirements constantly evolving, investment in privacy infrastructure is inseparable from security.

For CFOs and COOs, cybersecurity and data privacy are non-negotiable costs of fiduciary duty. For CIOs and CISOs, these investments form the technical defense layer needed to manage increasing complex and fragmented regulatory oversight. The report’s industry analysis confirms that sectors dealing with highly sensitive data or critical infrastructure place an existential premium on defense.

Why cyber risk quantification — and FAIR — are imperative

Despite the survey responses highlighting the importance of cybersecurity investments, Protiviti’s Sameer Ansari also highlighted in a recent webinar that CISOs are “seeing their budgets are staying flat – maybe up two or three percent. CISOs are hoping their organizations’ revenue growth will help drive their budgets to increase more dramatically” to address these risks in 2026. It is clear that CISOs may need to continue doing “more with less,” though optimism in revenue growth is strong.

At the same time, many organizations still rely on qualitative assessments including heat maps and color-coded dashboards that fail to answer the most pressing question: is the investment our organization makes in cybersecurity reducing our risk in financial terms?

This is where Factor Analysis of Information Risk (FAIR) becomes indispensable. By breaking risk into measurable components such as loss event frequency and loss magnitude, FAIR transforms vague risk statements into actionable insights.

Instead of saying “ransomware risk is high,” FAIR enables us to confidently say, hypothetically:
“Our average annualized loss exposure for ransomware is $8.2M (for example), which is our top risk. Based on our analysis, since we show that identity and backup technology investments have the biggest effect on reducing this risk, we should allocate up to 60 percent of our additional new funding to these areas for 2026. Additional funding could be better used to address other top risks.”

This level of precision empowers leadership to make informed decisions about where to invest, what to prioritize and how to justify cybersecurity budgets.

Linking data to action: how FAIR supports investment planning

The report’s findings underscore the need for risk-based prioritization. With cyber threats as the top risk and investment priority, organizations must ensure that every dollar spent delivers measurable risk reduction. FAIR enables organizations to intelligently deliver:

  • Cost-benefit analysis: quantify how a $500K investment in advanced identity management and authentication capabilities reduces annualized loss expectancy by millions.
  • Scenario modeling: compare the impact of investing in Zero Trust versus expanding backup recovery capabilities.
  • Strategic alignment: present cybersecurity initiatives as enablers of business resilience and cost efficiencies, not just technical upgrades.

This approach transforms budget conversations from defensive cost-justification to proactive business enablement.

The call to action: start small, scale fast

Cyber risk is business risk, and a top investment priority for organizations. Treating it as such requires moving beyond qualitative guesswork to quantitative clarity. Organizations don’t need a massive overhaul to begin quantifying risk. Start with a pilot:

  • Identify three to five critical risk scenarios for the organization (e.g., ransomware, third-party breach).
  • Gather data from internal sources and industry benchmarks or use a quantification platform with these insights natively included.
  • Run a FAIR analysis to estimate annualized loss expectancy and prioritize controls.

From there, scale to a full cyber risk quantification program integrated with governance, risk and compliance processes.

To learn more about Protiviti’s 2026 Top Risks survey or our cyber risk quantification consulting services, contact us.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Post

Find a similar post by topics

Authors

Sameer Ansari

By Sameer Ansari

Verified Expert at Protiviti

Visit Sameer Ansari's profile

Sameer Ansari is a Managing Director and leader of Protiviti’s Security and Privacy Practice. Sameer brings more than...

Daniel Stone

By Daniel Stone

Verified Expert at Protiviti

Visit Daniel Stone's profile

No noise.
Just insights.

Subscribe now

By providing my personal information, I agree to the Protiviti Terms of Use and Privacy Notice.

Related posts

Post

What is it about

Microsoft’s Digital Defense Report 2025 reinforces what we see every day with our clients: attacks are faster, AI is elevating...

Post

What is it about

When a software firm announces end-of-life support for a key software solution, the event often signals a difficult transition ahead...

Post

What is it about

Enterprise IT disaster recovery (ITDR) planning and architecture is changing dramatically with proliferating threat and failure scenarios, an ever-increasing number...