Innovating vs reacting – taking cybersecurity to the next level

Published June 24, 2024

  • Cybersecurity

The 2024 Cybersecurity landscape

Protection against cyberattacks is one of the major challenges of our time. Today, although precise estimations of the cost of cyberattacks are always difficult to calculate, no one can deny that cybersecurity is a topic that must be dealt with. Too often we hear of organizations being subject to cyber threats with attackers seeking to spread disinformation, make fraudulent money, destabilize critical infrastructure or espionage. Cyber attackers whether criminals, government or hacktivist now have more means to act: more resources and greater incentives and are using every angle they can, up to improving their attack with the use of AI.

To add to this escalating challenge, geopolitical crises have dramatically exacerbated the threat situation around the globe. This has led to companies exploring the decoupling of their information system to cope with the more stringent regulations that requires a different approach in specific countries.  

Additionally, many industries have strict regulation and compliance requirements to maintain, with many more on the horizon: the AI Act/ AI Exec order from Biden, DORA, FCA/PRA OpRes, NIS2 and critical infrastructure regulations all over the world.  

Cybersecurity professionals are challenged to address these topics quickly, effectively, and cost-efficiently. The way to do this is to rethink cybersecurity: from a reactive defense function to an enabling and accelerating function for progress and innovation. It is only through this mindset shift of cybersecurity that companies can differentiate themselves from their competitors and generate decisive advantages. 

Here’s 3 recommendations to facilitate this shift:  

Cyber Resilience has become an absolute must in recent years, with many regulations entering the market on many different angles notably DORA, NIS2, CRA (Cyber Shield in the US).

Despite growing investment, the degree of maturity in this area remains low, with significant disparities between organizations and sectors.

Our new cybersecurity benchmark* indicates that the overall maturity of companies is increasing, with the Financial Services sector coming out on top, with a maturity level of 60% (vs an average of 53%).

What differences can be observed across highly regulated vs non-regulated industries?

Heavily regulated industries, such as the finance, energy sector and life sciences, tend to have greater cyber maturity due to high investments and regulatory scrutiny. For finance, this is because of traditionally high investments and scrutiny from regulations, notably DORA, NIS2, CRA (Cyber Shield in the US).

If you’re operating in a regulated industry, companies must focus on effective pragmatic testing that highlights gaps in maturity and on ‘convergent coverage’.

Although unregulated industries are not yet under the same pressure, in the medium term it will be crucial for everyone to do what is necessary rather than what is required when it comes to cybersecurity. Be on the lookout for future regulation, get involved in wider industry groups to learn best practices from peers and use awareness campaigns, training and crisis exercises to highlight the importance of cyber maturity to your organisation.

Continual improvement on your compliance and resilience is key. Embed strong programme management, continuously improve processes, secure funding and be on the lookout of future regulations.

To sum up

To take your cybersecurity to the next level; focus on these three things. Firstly stay in the game when it comes to regulation, threat landscape and new tech arrival. Second; change the perception of cybersecurity across your entire organization and show the value cyber is bringing to the table. Finally make sure you drive change in the field to ensure resilience of your business and its ability to grow years over years.

*Maturity levels were measured against international standards (NIST CSF / ISO 27001/2) during assessment missions carried out by Wavestone consultants. The sample, dated June 1, 2024, includes over 150 organizations, representing almost 7 million employees.


  • Gérôme Billois

    Partner – France, Paris