AI & Cloud Spend Are Up—But Basic Cyber Hygiene Is Lagging

Pulling from a recent survey of 1,000 senior IT and business leaders, the article highlights a persistent gap between innovation spend and foundational security—identity, recovery, and zero trust. 85% of respondents admit their strategies are too reactive, even as most plan to pour more budget into GenAI.  

Source

Key Takeaways:

Zero trust: Only 62% have or are setting up ZTNA.

Recovery discipline: Just 61% prioritize post-incident recovery. 

MDR adoption: Only 45% deploy or plan to deploy MDR. 

Identity/IAM: Only 42% use or plan to use digital identity & access management—despite credential abuse being a top attack vector. 

Strategy posture: 85% say their cyber programs are too reactive. 

GenAI spend vs. ROI: 78% plan to increase GenAI spend, but only 45% are “very satisfied” with ROI.

AI in defense: 67% of AI-using companies apply it to detect cyberattacks; 47% say security/compliance is the biggest AI adoption hurdle. 

Quantum readiness: 71% feel unprepared for post-quantum threats; just 14% say their IT can support PQC today. NIST urges planning crypto migration now. 

Why it matters 

Identity is still the front door. Underpowered IAM + rapid cloud expansion = more identity-based breaches. 

Resilience isn’t practiced enough. If recovery isn’t engineered and tested, outages and costs spike when—not if—an incident lands. 

AI amplifies both sides. Defenders gain speed, but governance, model risk, and data exposure can cancel those wins without controls. 

Quantum isn’t tomorrow’s problem. Inventory and migration take years; late starters face concentrated risk. 

What to do next 

Close identity gaps: Enforce phishing-resistant MFA, least privilege, and continuous access reviews; add session-level risk checks. 

Stand up (or upgrade) MDR: 24×7 detection + rapid triage shrinks dwell time and business impact.

Make recovery muscle-memory: Define RTO/RPO, test restores, and measure time-to-remediation as a board-visible KPI. 

Operationalize zero trust: Start with identities and workloads; segment access to critical apps and data. 

Govern AI early: Treat models and prompts as systems handling sensitive data—risk-assess, monitor, and document.

Begin PQC discovery: Inventory where public-key crypto lives; draft a phased migration plan per NIST guidance. 

How InfoSight can help

Identity & Access Hardening (IAM)

Inventory machine/human identities, tighten privileged access, deploy phishing-resistant MFA, and institute continuous access reviews—so cloud growth doesn’t outpace control.

Managed Detection & Response (MDR / SOCaaS)

24×7 monitoring, threat hunting, and incident triage, with executive-ready reporting to move your program from reactive to measurable. (Addresses the low MDR adoption cited.)

Zero Trust Roadmaps

Practical sequencing for identity-first ZTNA, workload segmentation, and policy enforcement tied to critical business services.

Recovery Engineering & TTR Reporting

Backup validation, restore testing, runbooks, and dashboards for time-to-remediation and executive communications.

AI Governance, Risk & Compliance (AI GRC)

Use-case reviews, risk assessments, controls mapping (e.g., NIST AI RMF), and monitoring so AI adds value without new liability.

Post-Quantum Readiness

Crypto inventory, risk-based migration planning, and program governance aligned to NIST PQC guidance.