SecurityWeek

WEF Report Reveals Growing Cyber Resilience Divide Between Public and Private Sectors

WEF’s Global Cybersecurity Outlook 2025 report highlights key challenges like the skills gap, third-party risks, and resilience disparities between the public and private sectors.

The World Economic Forum (WEF) Global Cybersecurity Outlook 2025 report examines the challenges and effects caused by an increasingly complex global cybersecurity landscape.

The challenges primarily come from new technology, increasing criminal sophistication (both financially motivated and nation-affiliated groups), lengthening supply chains, geopolitical tensions, regulations, and the continuing skills gap. The primary effect is a lack of sufficient resilience among companies, and even nations.

The need for resilience in cybersecurity is a major theme of the report. However, the effect of the challenges on the different levels of corporate and national readiness leads to a wide disparity in this cyber resilience. 

For example, according to WEF, resilience in small companies is decreasing. Thirty-five percent believe it is currently inadequate – but that is a sevenfold increase since 2022. Meanwhile, resilience in larger companies has almost halved.

There is a similar disparity between the public and private sectors. Thirty-eight percent of public sector respondents reported insufficient resilience, while just 10% of medium to large private sector firms reported the same. Almost half of the public sector organizations also suggested that the skills gap is perhaps the primary cause, up from one-third of organizations last year.

WEF agrees with this skills assessment: “All of these challenges are exacerbated by a widening skills gap, making it extremely challenging to manage cyber risks effectively.” But the so-called ‘skills gap’ is a nebulous catch-all phrase often used as an excuse. It is less that skilled people don’t exist and more that they aren’t being employed – probably through a reluctance to fill a vacancy with anyone who is not 100% perfect for a precisely defined position, combining the right academic qualifications with the right experience and willing to accept a low start-up salary.

An unwillingness or inability to pay an acceptable salary to negate the skills gap is confirmed by it being primarily a problem for small organizations and the public sector rather than medium and large organizations.

Apart from this skills gap, the primary causes for a lack of resilience are third-party risk management, the complexity of the threat landscape, and the complexity of the internal IT ecosphere (the merging of IT and OT). Perhaps surprisingly, a lack of incident response preparedness is only a major problem for small companies.

The weakness of the WEF report is that it primarily tells us what the security profession already knows. This is not surprising since the information it provides for the security profession was gathered from the security profession.

For example, to counter third-party risk, we need to increase visibility and improve third-party risk management (which is hardly a new suggestion). We need to adopt new AI technologies to counter the new AI threats (even though the two probably already negate each other, leading to AI manufacturers being the primary beneficiary). We need to strengthen our regulatory compliance (even though doing so diverts resources to a complex and not always consistent web of state, national and international requirements that does not, in itself, secure what needs to be secured). For economic resilience we need to adopt cyberinsurance (even though the insurance industry must take more money out of the insureds than it pays out to the insureds).

Released one week before the WEF’s Annual Meeting in Davos-Klosters, Switzerland, the report was primarily compiled from a questionnaire completed by 321 respondents, 43 one-on-one interviews with C-Suite executives, two 90-minute workshops, and discussions with 170 executives attending the WEF’s Annual Meeting on Cybersecurity in November 2024.

While this sounds impressive, the report is primarily generated from a survey; and all surveys suffer from a similar weakness: they amount to subjective opinions from a very tiny subset of everyone concerned. It is not as impressive as it appears. For example, any professional cybersecurity practitioner not already aware of the complexities of cybersecurity and the steps necessary to address these problems should not be a professional practitioner.

The real problem that needs to be addressed is neither why nor how the cybersecurity outlook is so difficult – we already know that, and the reasons for it – but why companies are failing (or not being allowed) to solve or mitigate these problems. And the answer to that may be outside the remit of the cybersecurity professionals and more inside the wider WEF remit of global economic conditions.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
