WEF Report Reveals Growing Cyber Resilience Divide Between Public and Private Sectors


The World Economic Forum (WEF) Global Cybersecurity Outlook 2025 report examines the challenges and effects caused by an increasingly complex global cybersecurity landscape.

The challenges primarily come from new technology, increasing criminal sophistication (both financially motivated and nation-affiliated groups), lengthening supply chains, geopolitical tensions, regulations, and the continuing skills gap. The primary effect is a lack of sufficient resilience among companies, and even nations.

The need for resilience in cybersecurity is a major theme of the report. However, the effect of the challenges on the different levels of corporate and national readiness leads to a wide disparity in this cyber resilience. 

For example, according to WEF, resilience in small companies is decreasing. Thirty-five percent believe it is currently inadequate – but that is a sevenfold increase since 2022. Meanwhile, resilience in larger companies has almost halved.

There is a similar disparity between the public and private sectors. Thirty-eight percent of public sector respondents reported insufficient resilience, while just 10% of medium to large private sector firms reported similar. Almost half of the public sector organizations also suggested that the skills gap is perhaps the primary cause; up from one-third of organizations last year.

WEF agrees with this skills assessment: “All of these challenges are exacerbated by a widening skills gap, making it extremely challenging to manage cyber risks effectively.” But the so-called ‘skills gap’ is a nebulous catch-all phrase often used as an excuse. It is less that skilled people don’t exist and more that they aren’t being employed – probably through a reluctance to fill a vacancy with anyone who is not 100% perfect for a precisely defined position, combining the right academic qualifications with the right experience and willing to accept a low start-up salary.

An unwillingness or inability to pay an acceptable salary to negate the skills gap is confirmed by it being primarily a problem for small organizations and the public sector rather than medium and large organizations.

Apart from this skills gap, the primary causes for a lack of resilience are third-party risk management, the complexity of the threat landscape, and the complexity of the internal IT ecosphere (the merging of IT and OT). Perhaps surprisingly, a lack of incident response preparedness is only a major problem for small companies.


The weakness of the WEF report is that it primarily tells us what the security profession already knows. This is not surprising since the information it provides for the security profession was gathered from the security profession.

For example, to counter third-party risk, we need to increase visibility and improve third-party risk management (which is hardly a new suggestion). We need to adopt new AI technologies to counter the new AI threats (even though the two probably already negate each other, leading to AI manufacturers being the primary beneficiary). We need to strengthen our regulatory compliance (even though doing so diverts resources to a complex and not always consistent web of state, national and international requirements that does not, in itself, secure what needs to be secured). For economic resilience we need to adopt cyberinsurance (even though the insurance industry must take more money out of the insureds than it pays out to the insureds).

Released one week before the WEF’s Annual Meeting in Davos-Klosters, Switzerland, the report was primarily compiled from a questionnaire completed by 321 respondents, 43 one-on-one interviews with C-Suite executives, two 90-minute workshops, and discussions with 170 executives attending the WEF’s Annual Meeting on Cybersecurity in November 2024.

While this sounds impressive, the report is primarily generated from a survey; and all surveys suffer from a similar weakness: they amount to subjective opinions from a very tiny subset of everyone concerned. It is not as impressive as it appears. For example, any professional cybersecurity practitioner not already aware of the complexities of cybersecurity and the steps necessary to address these problems should not be a professional practitioner.

The real problem that needs to be addressed is neither why nor how the cybersecurity outlook is so difficult – we already know that, and the reasons for it – but why companies are failing (or not being allowed) to solve or mitigate these problems. And the answer to that may be outside the remit of the cybersecurity professionals and more inside the wider WEF remit of global economic conditions.
