Introduction
AI continues to reshape both cyber defenses and cyber threats. With this shift, chief technology officers (CTOs) are confident in the ability of their organizations’ tools and architectures to cope with the threats and opportunities of the evolving cyber landscape. But confidence in the availability of the skillsets, processes, and behaviors needed to use these technologies effectively is another matter. These are the insights from LevelBlue’s latest cybersecurity research, which finds that, over the coming 12 months, technology leaders intend to focus on unifying their organizations to bolster resilience. In this persona spotlight, we examine how the CTO’s attitude and priorities can improve alignment on cyber resilience across all levels of the enterprise.Methodology
The research is based on a quantitative survey that was carried out by FT Longitude in January 2025 and the subsequent reports were developed in partnership with FT Longitude and LevelBlue. There were a total of 1,500 C-suite and senior executives surveyed, across 14 countries and seven industries: energy and utilities, financial services, healthcare, manufacturing, retail, transportation, and US SLED (state, local government, and higher education). To be counted as a cyber resilient organization, respondents must have met the qualifications listed under “Five Characteristics of a Cyber Resilient Organization.” Totals in some charts may not add up to 100% due to rounding.CTOs identify human misalignment as a key shortcoming in the cyber resilience strategy
CTOs believe that greater collaboration could improve the effectiveness of their cyber resilience strategies. Only slightly over one quarter (27%) say their enterprise displays very close alignment, compared with about a third who say they are very competent in areas relating to cybersecurity and cyber resilience. LevelBlue’s data indicates that 75% of CTOs (compared with 61% of the overall sample) say lack of clarity around responsibility for cyber resilience often impairs strategy. A lack of clear ownership blurs accountability, delays incident response, and disconnects cyber decisions from business risk appetite. Despite strong technical defenses, this leaves organizations more exposed. CTOs recognize these shortcomings and are already taking steps to embed change management approaches. Integrating cybersecurity into lines of business and across all projects is their number-one priority, by far, for the next 12 months. Fifty-seven percent identify this need, while the second-highest priority, cited by 43% of CTOs, is to implement new processes, procedures, or technologies. CTOs are also turning to outside expertise to help improve processes. Four in 10 intend to prioritize consultant services in the coming year. And the data shows that improvements are required as a matter of urgency. One in five CTOs says the organization has suffered a security breach within the past 12 months, and more than one third (36%) have seen a significant year-on-year rise in cyberattacks.
CTOs are concerned about threats targeting the workforce
CTOs have identified a serious need for cybersecurity education across the enterprise. As many as 60% believe it is becoming more difficult for employees to discern genuine interactions from fake, which poses a significant threat to defenses. Little wonder that over the next 12 months the top four most likely types of attack all arise from workforce vulnerabilities. For example, 57% say ransomware attacks are imminent, and 50% say the same about business email compromise. But there is good news. CTOs believe their efforts to manage these threats are starting to show results, with about 60% saying they have robust threat management processes in place (see Figure 3). However, they must be careful not to overlook new and emerging threats that are also likely to exploit workforce vulnerabilities. For example, 39% of CTOs believe that AI-powered threats are imminent but only 24% are confident that they have the plan in place to deal with them.39% of CTOs believe that AI-powered threats are imminent but only 24% are confident that they have the plan in place to deal with them.


Better workforce education and strategic alignment would boost resilience
Workforce training will be vital to managing fast-evolving threats. But currently, just 22% say educating the workforce about cyber resilience is a key priority for the coming year. And while more than three quarters (77%) of CTOs say they are educating the workforce about social engineering tactics, only 62% of the overall sample agrees. More clarity from the CTO on the aims and objectives of training could improve outcomes.The data also shows that better alignment of company leadership on the realities of cyber resilience will be essential to prepare for new and emerging cyber threats. Whereas 42% of CTOs say they are investing significantly in cyber-resilience processes across the business, just 33% of the total sample say the same. This gap indicates the ambitious nature of CTOs’ plans for a more unified organization.To achieve this alignment, CTOs should focus on calibrating cybersecurity risk management with business risk appetite (more than a third describe current measures as stalling or ineffective) and defining metrics and KPIs that connect cybersecurity with business outcomes (33% say current efforts are inadequate).
CTOs must monitor human-related threats in the software supply chain
While technical vulnerabilities relating to code and dependencies in the software supply chain are key areas of focus, the human element – developers, maintainers, partners, and internal teams – are often an equally significant source of risk.CTOs understand this and identify third parties as a particularly risky element of the software supply chain. Specifically, 60% are concerned about third party software distribution channels and half are concerned about third-party risk management. But they are failing to prepare a robust response. Just 21% recognize the imperative to identify a comprehensive list of third-party ingredients in source code and only 22% say they should have a confidence benchmark for suppliers. And only one in four (27%) CTOs says they have very high visibility of the software supply chain.Only 22% say they should have a confidence benchmark for suppliers








