Executives say cybersecurity has outgrown the IT department

Cybersecurity has moved from a technical problem to a boardroom concern tied to survival. A global Rimini Street study of senior executives shows security risk shaping decisions on technology, talent, and long-term planning across industries that keep economies running.

Cyber risk tops the threat list

Security threats rank as the most pressing external risk facing organizations. 54% of respondents list cybersecurity threats as their top concern, ahead of supply chain disruption, regulatory shifts, and economic downturns. This view holds steady across regions and industries, indicating that security exposure is treated as a shared business condition.

Financial services leaders place regulatory change and cybersecurity at the top of their risk priorities, while telecom and energy executives rank cyber threats first. These sectors rely on continuous system availability and interconnected digital supply chains, which increases sensitivity to outages and data loss.

Executives report taking structured steps to prepare for disruption. Business continuity planning ranks among the most common actions, cited by 45% of respondents. Risk frameworks and formal registers follow, along with scenario planning and alternative sourcing strategies. Security planning now sits within broader enterprise risk management instead of remaining isolated within IT teams.

Outsourcing becomes a security strategy

Many organizations now rely on external partners to manage parts of their security workload. 43% of respondents already outsource cybersecurity services, and another 46% say they are considering it in the near future. This pattern reflects pressure on internal teams and ongoing difficulty hiring and retaining specialized security staff.

Security outsourcing appears most often in regulated and infrastructure-heavy sectors. Financial services firms list cybersecurity among their most outsourced IT services, alongside infrastructure management and application support. Telecom operators report similar approaches driven by the need to protect large-scale communications networks.

Executives describe outsourcing as a way to stabilize security operations while internal teams focus on strategic initiatives. The findings suggest organizations use external security support to maintain continuity under staffing and budget constraints.

Talent shortages widen security gaps

The survey shows widespread concern about access to skilled IT staff. Executives report that talent shortages interfere with their ability to execute technology plans, and many link these gaps to increased security exposure. Staffing constraints leave technical weaknesses harder to detect and address.

Workload pressure adds to the risk. Leaders describe teams stretched thin by ongoing system maintenance, which reduces time available for security monitoring and incident response. Routine upkeep continues to consume attention that could otherwise support defensive improvements.

Cost pressure compounds the challenge. Executives cite higher expenses tied to hiring, turnover, and delayed projects, all of which affect security operations. In sectors with elevated risk, security teams protect expanding environments with limited staffing, increasing strain across the organization.

Security influences technology priorities

Cybersecurity influences how leaders assess new technology investments. Security capabilities rank high among desired features, with executives linking these investments to financial impact, reputational protection, and regulatory accountability.

CISOs often evaluate technology decisions through a financial lens. Security spending carries expectations of measurable business value, including reduced incident costs, improved resilience, and lower exposure to downstream financial risk.

Return expectations for security investments extend over multiple years. Security programs now receive evaluation alongside other enterprise initiatives, with leadership applying similar standards for value realization and accountability.

Vendor pressure adds to risk concerns

Many executives express frustration with software vendor constraints that affect security planning. 35% cite vendor lock-in and forced upgrades as a source of pressure. Limited flexibility can delay patching, complicate integrations, and divert budgets away from security priorities.

This frustration appears strongly in telecom, manufacturing, and energy sectors, where long-lived systems support critical operations. Leaders report reassessing vendor relationships as part of their risk strategy, seeking greater control over update schedules and security configurations.

The findings indicate a preference for security planning aligned with business needs instead of external roadmaps. Leaders associate inflexible software models with increased operational risk during periods of rapid threat change.

“Executives want the freedom to modernize and innovate on their own terms, breaking free from vendor-driven upgrade cycles that consume budget without delivering proportional value. By stabilizing and maximizing the ERP foundation already in place, organizations can redirect time and resources toward strategic AI-driven initiatives that generate more meaningful results,” said Rimini Street’s Global CIO, Joe Locandro.

Industry exposure varies but patterns hold

Security concerns cut across sectors, though emphasis differs. Financial services firms prioritize regulatory compliance alongside cybersecurity, reflecting regulatory oversight and customer expectations. Telecom companies focus on network security and service continuity due to exposure to large-scale disruptions.

Energy and utilities executives emphasize cybersecurity as their primary external threat, paired with supply chain risk. These organizations rely on operational technology environments where cyber incidents can affect physical infrastructure.

Across sectors, leaders combine internal controls, external support, risk frameworks, and continuity planning. This approach reflects recognition that cyber risk affects technology, operations, and trust at the same time.
