Len McAuliffe is used to change. 

As a cybersecurity partner with PwC Ireland, McAuliffe spends his time helping companies develop and implement plans to bolster their cyber resilience.

A key part of the job is helping businesses to prevent attacks before they happen. But it also involves developing strategies to prevent, respond and recover from, breaches when they invariably occur.    

The way McAuliffe sees it, cybersecurity is a perpetually changing environment, and it is his job to adapt to those changes – and to help companies do likewise.

“There’s no silver bullet,” he says. “You can’t protect everything. You have to take a pragmatic approach. And that means being ready to adapt and change.”

McAuliffe has been working in Cyber Security for over 20 years. During that time, the number of cyberattacks has increased significantly – both in terms of frequency and complexity.  

As a global tech hub, Ireland is facing more cybersecurity challenges than ever before. New technologies such as GenAI have given hackers new ways of breaching systems, while simultaneously offering new greater safeguards and defences. New ways of working have also altered the risk profile for companies.  

Meanwhile, new legislation such as the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2) have increased regulatory oversight and created additional compliance costs.

McAuliffe has witnessed the impact of all of these changes on business. 

But, in this ever-changing environment, McAuliffe is adamant that one thing has remained constant: companies need to be prepared.

People, processes, technology

The global average cost of a data breach is now estimated to be $4.49 million. 

For many businesses, it can be the difference between success and failure. 

And yet, despite the high cost of cyber breaches, less than one in three Irish organisations have implemented robust cyber resilience across their business. 

That is according to PwC’s 2025 Digital Trust Insights Survey, the longest-running and the largest annual survey worldwide on cyber security trends. 

The study surveyed more than 4,000 businesses and tech executives across 71 countries, including Ireland. However, while just 28 per cent of Irish respondents have a robust cyber resilience programme in operation, some 66 per cent expect their cyber budget to increase over the next 12 months, while 74 per cent of Irish organisations are prioritising cyber risk mitigation over the year ahead.  

In the latest episode of The Tech Agenda podcast series, McAuliffe said the increase in spending was being driven partly by new cyber regulations such as DORA and NIS2.

“I have been doing cyber security for more than 20 years now. I have been banging the drum about increased investment. However, the new regulations have really woken up executives and boards,” he said.

McAuliffe said that cyber had traditionally been near the top of risk registers for companies. However, the new regulations have prompted companies to bolster their budgets and take more proactive steps, he said.

In addition, he said that the increase in the volume of attacks – the Digital Trust Insights Survey 2025 revealed that 38 per cent of respondents experienced a data breach costing their organisation over €500,000 – was also driving increased focus on the area. 

The PwC numbers are backed up by new data from the National Cyber Security Centre, which received 5,276 reports last year. Of those, 721 were confirmed as cybersecurity incidents. The agency said many of the incidents were carried out by criminal groups seeking financial gain and primarily involved phishing attacks and malware distribution, usually via email.

“The issue of cyber resilience is very much on the agenda,” McAuliffe said. “In 2025, you will see more investment go into the area of cyber resilience than ever before.”

McAuliffe accepted that “cyber resilience” was difficult to define and that many in the industry were not able to articulate it properly. At its core, he said that it is an organisation’s ability “to prevent, withstand and recover from a cyber attack or a cyber incident”.

PwC, he said, helps clients with all three elements.

In relation to prevention, he said it is often about simulating what a hacker might do and then putting in place the systems to thwart it. “You’re hardening and securing your systems, you are patching your systems,” he said “You’re running vulnerability scans to see if there are weaknesses in your network. So you’re preparing for it, and trying to prevent it so it doesn’t happen.”

Despite this, however, he said that it is inevitable that some incidents would occur given the constant development of new vulnerabilities in software code and systems. 

“You will get an incident. So then it’s your ability to respond and withstand that,” according to McAuliffe. 

This might involve early detection of a cyber attack or a procedure in place to isolate segregated networks in the event of a breach. 

After the attack has been contained, McAuliffe said the focus then shifts to the recovery phase.

“Now we’ve contained it, how do we recover? So that incident response and crisis management plan, getting systems back up, restored and recovered, and getting your business operating effectively again, that’s the real resilience,” he said. 

McAuliffe argues cyber resilience goes beyond security technology used by a company, and also encompasses its people and its processes.

“When we start with an organisation, we will look at technology. We look at someone’s cyber security capabilities. So across the domains of security, whether it’s network security, identity and access management, whether it’s your governance and your strategy and your policies, we look at all the capabilities. But we look across people, processes and technology within those capabilities,” he said.

McAuliffe said a company might have great security software solutions, but lack the people or processes to make the best use of it.

“You may be able to monitor everything. But then your processes could be poor and you may not have enough skilled people to react to those incidents. The tech is there, but the process and the people might not be,” he said.

Budgets, threats, and GenAI

Most companies acknowledge they need to invest more resources to improve cyber resilience. However, McAuliffe accepts many executives are unsure of just how much they need to allocate. 

Over the years, he said that company leaders on multiple occasions have been surprised at how big the cyber budget should be or how many people they needed in their security team.

However, McAuliffe argued that it is not just about allocating resources – it is about allocating them smartly.

“Every organisation is different,” he said. “So you need to know the critical assets that you are trying to protect. Otherwise, you could spend millions protecting the wrong things.”

“We need to know what assets to protect and we will look at the likely threats to those assets. We look at different threat scenarios. Is it phishing? Is it ransomware? Is this about protecting intellectual property?” he said

He added: “We look at the threat scenarios that are most likely for that organization, and we focus on those – we say, ‘ let’s protect your critical assets, not everything’. And then we help build in a control framework that will help mitigate those specific threats and scenarios.

“We can’t protect everything to the same degree. It’ll cost too much. We look at the critical assets, we look at the critical data, or the critical business processes and we will focus on them.”

According to the 2025 Digital Trust Insights Survey, third-party breaches remain the number one cyber concern for Irish organisations. McAuliffe said this is understandable given that many companies use third-party providers for everything from finance to HR to tech to marketing.

Irish companies are also concerned about ransomware and cloud-related threats, he said, citing the PwC survey. “DORA’s new regulations and NIS2 are stipulating more of a focus on your third-party relationships, especially when they’re providing critical services to your organisation,” McAuliffe said.  

“There’s been a lot of large-scale cyber attacks exploiting vulnerabilities in third-party software. So people are getting very wary, not just from regulation, but also of high-profile attacks based on weaknesses exploited in a third party.” 

In many cases, McAuliffe said that companies are being exploited by a weakness in a third-party service and not in their own systems. 

“You can be exposed to a third-party weakness. There’s a lot of different angles from third parties that you need to manage the risk on,” he said. 

As companies contend with cyber security concerns, 78 per cent of business leaders surveyed by PwC said they have ramped up their investment in GenAI over the last 12 months.  

The PwC survey found that GenAI is being prioritised in cyber defence activities such as threat detection, threat intelligence, and malware and phishing detection. At the same time, leaders said that GenAI had increased cyber attack vulnerabilities over the last 12 months.

McAuliffe acknowledged that GenAI was a “double-edged sword” when it came to cyber security. 

“From the attacker’s point of view, the entry point is getting easier,” he said, adding that a normal member of the public could now instruct GenAI to write malware or a virus.

He said that PwC is also seeing a huge increase in deepfakes as a result of GenAI. 

“It’s got very advanced from that attacker point of view, but also from the defence element as well. It’s getting easier to use these tools for threat detection, and behavioural analytics on your networks,” he said. 

“So it’s working both ways, for offence and defence.”

The Tech Agenda with Ian Kehoe podcast series is sponsored by PwC.