Cybersecurity has become a constant boardroom presence — but one that’s still too often reactive rather than strategic. 

According to PwC’s 2026 Global Digital Trust Insights survey, more than half (57 per cent) of Irish firms have increased their investment in cyber risk management over the past year, reflecting a shared urgency to strengthen defences.  

Yet just 8 per cent of Irish organisations spend significantly more on proactive cybersecurity than reactive measures — far below the global figure of 24 per cent. 

The numbers reveal a paradox: Irish companies recognise the threat, but they remain less ready than peers to meet it. The same survey shows that while AI is now the top global investment priority for cybersecurity (36 per cent), Irish firms face greater challenges adopting it for cyber defence. More than half (52 per cent) cite an unclear risk appetite as the main barrier, well above the global average of 39 per cent. 

There are gaps elsewhere, too. Only 8 per cent of Irish companies are actively implementing quantum-resistant technologies, compared with 22 per cent globally — a worrying lag given that quantum computing could break existing encryption systems by 2030. 

So what’s behind the trust gap, and how can businesses move from reaction to resilience? 

To unpack the findings, I sat down with Len McAuliffe, Cybersecurity Partner with PwC Ireland, and Moira Cronin, Digital Risk and Resilience Partner with PwC Ireland, for the latest episode of The Tech Agenda podcast.  

The two PwC partners outlined the evolving threats, the regulatory pressures, and the cultural shifts now reshaping how companies protect themselves. 

*****

Len McAuliffe doesn’t talk about cyber risk in theory—he sees it in action. As a PwC partner, he witnesses it firsthand—in the systems that keep Ireland’s utilities running, the networks that safeguard its data, and the boardrooms increasingly recognising that cybersecurity is no longer just a technical issue, but a strategic imperative.

“The old traditional threats of ransomware, which everybody fears, are still there,” he begins. “Distributed denial of service attacks are also still prevalent in Ireland, and there’s been a focus on some of our banking clients recently as well.” 

That hasn’t changed. What has changed, he says, is the scale, speed, and sophistication of attacks — particularly those exploiting the cloud.  

“Cloud security misconfigurations is one of the main issues,” McAuliffe says. “People are spinning up systems in the cloud very easily, and sometimes it’s hard to control that environment… there’s also confusion too between who’s managing the technical pathway through the cloud.” 

The result is a dangerous ambiguity, McAuliffe says. 

“Sometimes there’s confusion as to who’s responsible for the configuration of all of these, because it is quite complex when a service is being provided,” he adds. “You’ve got to get that very clear and who’s responsible for what.” 

It’s not just about the cloud. McAuliffe points to a growing geopolitical edge to cyber activity. “Organisations running critical infrastructure, like electricity, water and gas, are experiencing an increase in attacks,” he says. “Across Europe now… all of their systems are constantly being probed to see if there are weaknesses.” 

The risk, he notes, isn’t theoretical. “There was one in the US where a water treatment facility was hacked, and if you play around with the chemicals and poison the water, you could cause a major physical attack, not just a virtual attack.” 

The new definition of resilience

Moira Cronin, PwC’s Digital Risk and Resilience partner, sees the same problem from a different angle: the challenge of ensuring organisations can withstand, respond and recover from the shocks that technology now delivers daily. 

“When I think of the word resilience, it’s no longer about just responding and recovering to a crisis that happens, right? It is now about actually learning from what happened and preparing for something like that to happen again,” Cronin says. 

That means knowing — precisely — what matters most.  

“You’re really trying to pick out what are your most critical services and products, because you can’t look at absolutely everything,” she says. “If we’re down tomorrow, we’ve no systems, what are the systems supporting our most critical service or the product that you want back up first?”

Regulators are already forcing the issue. “A lot of the regs that have come out of late, so DORA being one, NIS2 being another, are very much pushing organisations in that way,” Cronin notes.  

She stresses the growing importance of third-party risk — the vulnerabilities introduced by suppliers, outsourcers, and even intra-group entities. “A lot of the incidents that we’ve seen in the media in the last number of months and years are through third parties. They’re not necessarily within the organisation themselves, but the reputational risk obviously falls on the organisation that’s servicing the end customer service,” she says.

The only way to truly understand exposure, she argues, is to map it end-to-end: “You have to talk through how the service or product gets delivered… You start off with the business process of this is how it works in practice. So, I want to be able to make payments for my customers. What business processes and systems do I have in there that actually execute those payments?” 

A shift in the boardroom

McAuliffe says this kind of thinking has now reached the top table. “Cybersecurity is front of mind for boards nowadays because, with regulations like NIS2, Boards are accountable, so they are asking questions like ‘What are our real cyber risks?’” he says. “And then ‘Okay, what are the threat scenarios that are related to those risks that would really affect my company?’”

That accountability has transformed how cybersecurity is reported. “We map out their key risks, we map out all of the different threat scenarios that we know hackers are using in their industry and what they’re targeting, and then… we map those threat scenarios to their controls framework to see are their controls operating effectively to mitigate those risks,” McAuliffe explains. “That’s been a big change; that’s what’s being reported to the Boards now.”

He’s right: in the wake of regulations like DORA and NIS2, Board directors can no longer claim ignorance. The questions have become sharper, and the evidence is expected to be more tangible. “Before it used to be a quarterly update from the chief information security officer… now they’re looking for real data,” McAuliffe says. “I had a client only three weeks ago where the Board had said ‘Okay, operationally prove to me that you are mitigating these threats that you’re talking about.’” 

That demand for proof is reshaping the way companies manage and measure risk. “We have a Software as a Service (SaaS) solution that identifies your risks, maps your threat scenarios, maps your controls, and then identifies how to mitigate those threat scenarios… so you can actually drill down,” he explains. “If they said ‘Okay, why is this risk out of risk appetite this month?’… you can really drill down and see that. That’s what Boards are looking for now.”

Cronin agrees. “Particularly from a regulatory standpoint, we have a lot of fatigue, particularly in the financial services sector, right, where we have just a lot of regs coming at organisations, and they are struggling to stay on top of the compliance angle,” she says. “The question that’s coming from the Boards is ‘Well, we’ve given so much money to implement DORA, we’ve given these resources to implement operational resilience, where are we getting a return on our investment here? Where is the value?’”

The leading companies, she says, are using that compliance work to drive strategic decision-making. “We actually understand our environment, we understand what’s driving our products and services and how they are being delivered, and we can see things that we haven’t seen before,” she says. “So, I can now see that I’ve got multiple third parties across the globe that are actually doing the same thing for me – how can we consolidate this – get better value from a strategic perspective.”

AI: both threat and defence

No conversation on digital trust can ignore artificial intelligence, and McAuliffe doesn’t try. There are two sides to the story, he says: “From an attack point of view we’re seeing a big uptake in the usage of AI for phishing and social engineering… AI can look through all of your social media and then create these hyper-personalised phishing emails that are catching people out.” 

He lists the new frontiers: deep-fake audio and video used to impersonate executives; AI-generated malware that anyone can request from a public chatbot; algorithms that can hunt for unknown software flaws — the so-called zero-day exploits — at machine speed. 

“Now you can use AI to look for flaws or vulnerabilities in code automatically, and people find these zero day exploits easily,” McAuliffe warns. 

Cronin ties that escalation back to the basics. “When you see the level of sophistication that we’re seeing in AI… you really have to come back to understanding what’s going on in your organisation, what’s driving your services, what’s driving your products, and what are the risks that it could go wrong and really have a very clear understanding of that. That’s the only way that you can begin to start preparing to fight this,” she says.

Plugging the skills gap

Every layer of this conversation comes back to people — and the shortage of them. McAuliffe sees the skills gap as one of the defining constraints on Irish cybersecurity. 

“We see teams right across Ireland struggling to recruit and retain cyber security people, and this is a major problem for everybody and the competition out there as well,” he says.  

The solution for many firms, he adds, lies in managed services: outsourcing the repetitive but essential tasks such as monitoring and testing third-party suppliers.

“Areas like third-party risk management where it’s a repetitive task… we’re seeing a big uptake on managed services.”  

He lists examples: threat and vulnerability management, where external partners continuously scan systems, and “security architecture as a service” for projects that need senior expertise on demand. 

Cronin sees the same pattern from a compliance perspective. “There’s a regulatory requirement to do a lot of this testing, and there’s a lot of firms that are in scope for the likes of DORA and NIS2 that just wouldn’t have the bodies or expertise on the ground,” she says. “Rather than bringing them in-house… it is almost a better business decision to actually think ‘Well, let me play to my strengths and let me outsource this.’”

The key, she adds, is partnering wisely. “Yes, it does create another third party that you have to look after, but at the same time… it is someone who is doing it every single day of the week.”

Both speakers agree that resilience isn’t a document — it’s a discipline. Cronin puts it plainly: “You can enter a company at any point. They could be in the middle of a crisis, or… just getting their house in order. It really depends on where you join an organisation on their journey.” 

The web of third parties

Cronin returns to the theme of external exposure. “From a third-party perspective, it really is that you have somebody outside your own organisation… that is actually supporting part of your service,” she says.

“It is a risk, because they don’t necessarily comply with the same policies and procedures that you have in-house, and therefore it needs a level of risk management and organisation to be able to do that.” 

McAuliffe adds: “Attackers are looking at weaknesses in your supply chain. You could be the best in the world… but if you have a third-party providing a service, that’s what attackers will attack, and then find a backdoor into your organisation.”

The complacency of old, he says, is gone. “Before people would say ‘Oh here’s my 100 or 1,000 third parties, I’ll do a review…’ and they have them on a spreadsheet and nothing ever gets done about it,” he says. “Now… we have people reviewing all of these constantly, and now the new thing, we have real time monitoring of these third parties to see if they had any incidents as well.” 

A landscape in flux

As the conversation winds down, both McAuliffe and Cronin return to the wider picture — a world where every advance creates a new exposure. 

“It’s how fast the world is changing,” Cronin says. “What was applicable two or three years ago is very different to what’s going to be applicable in three or four years’ time… you really have to understand what you’re trying to protect, and make sure that you’re protecting that properly.”

McAuliffe nods. “There’s been massive change in the world from an economic point of view, from a geopolitical point of view. The threats have increased. I think AI has proliferated that as well.” 

That constant churn, he says, makes it harder for organisations to adapt, upskill, and manage risk — but it’s not impossible. It demands foresight, not hindsight. 

As Cronin puts it, the core principle is simple but uncompromising: “Make sure you know what your risks are, prevent those from materialising and ensure you have a plan in place for when they do.”

The Tech Agenda with Ian Kehoe podcast series is sponsored by PwC.