In brief: 17 senior security leaders and advisors were surveyed on how their institutions are preparing for 2030 threat conditions. Threat awareness is high; readiness is not. Security-by-design scored lowest of all capability areas (~2.3/5). 88% flagged AI as the most impactful 2030 technology, yet no organisation rated itself very prepared. Coordination failure, not technology gaps, is the dominant obstacle. Security transformation by 2030 will be won or lost on governance, not tools.
Security is still too often treated as an add-on: a late-stage review, a control list, a compliance exercise. Recent incidents globally show how system vulnerabilities and cascading failures can overwhelm current response and governance models. This research examines what it will take for infrastructure institutions to actually be ready.
This research was designed for the people who carry the real burden of outcomes — infrastructure owners and operators, government leaders, planners, designers, and security executives working inside budget constraints, delivery pressure, and organisational silos.
Why we did this research
Are institutions actually prepared for what's coming, and if not, what's really holding them back?
The theoretical case for security-by-design is well established. What the field hadn't examined was how senior leaders inside infrastructure, government, and critical-systems organisations describe their own readiness, and where, in their own words, the gap actually sits.
We conducted this research because the institutions most exposed to 2030 threat conditions are also the ones operating inside budget constraints, delivery pressure, and organisational silos. How leaders in those organisations assess their own position, expressed as direct executive judgement rather than through vendor reports or abstract maturity models, was the gap this research was designed to close.
What we did
Core42 conducted a targeted survey of 17 senior security leaders and advisors across global markets between June and July 2025. The intent was not statistical representation — it was directional executive intelligence from people with direct influence over risk posture, investment decisions, and cross-sector coordination.
The survey tested five strategic domains critical to 2030 readiness:
- Current security paradigm — confidence, adequacy, and design integration
- Emerging threats and technologies — AI, OT, supply chain, hybrid attacks
- Interdependencies and coordination — cross-system, cross-agency, cross-border
- Investment and workforce priorities — where budget goes, where it doesn't
- Success metrics and strategic vision — what leaders think "prepared for 2030" looks like
The instrument combined Likert scoring with ranked priorities and open-ended responses, designed to identify both the numbers and the patterns behind them.
What we found
Five patterns surfaced consistently across the dataset. Each one points to the same underlying observation: threat recognition is outpacing organisational adaptation.
Security-by-design is the weakest link
Security integration into early design scored the lowest of all capability areas at ~2.3/5. Retrofit measures and late-stage cost-compromise decisions remain the default. The capability leaders most want is also the one least present in their own organisations.
The AI paradox: "transformative" but not ready
88% of respondents identified AI and machine learning as the most impactful technology by 2030. No organisation rated itself "very prepared" for what that shift requires. Awareness is present. The gap sits in governance, implementation capability, and oversight. Leaders can see the technology curve clearly; they cannot yet see their own institutional response to it.
Coordination failure is a bigger risk than "tech gaps"
Stakeholder collaboration scored below acceptable thresholds across the board, including government-to-government relationships at ~2.6/5. When asked for the single biggest obstacle to coordination, respondents pointed to organisational silos and unclear responsibilities (47%) and budget constraints (35%). Technical compatibility and regulation did not register. The constraint sits in how the people and institutions around the systems are structured.
Everyone understands interdependence — but investment doesn't match
Respondents identified energy distribution and smart-grid networks alongside transportation as most vulnerable to cascading failure (both 65%), followed by telecommunications and data networks (59%). Investment priorities clustered around OT cybersecurity (65%), cross-system coordination platforms (59%), and resilience and recovery capability (53%). Yet workforce development was under-prioritised at just 35%, despite strong agreement across the sample that future skills demand is the deeper constraint.
Threat recognition is outpacing organisational adaptation
The top 2030 threat vectors identified were cyberattacks on operational technology (71%), supply chain vulnerabilities (65%), and physical–cyber hybrid attacks (53%). Leaders can see these threats. What institutions lack is confidence in the frameworks they would need to respond. Converging threats are described clearly; response frameworks are not.
What it means
Security transformation by 2030 won't be achieved through technology alone. The most material gains will come from governance reform, coordination capacity, workforce capability, and institutional adaptability — embedded early in planning and maintained over time.
The research suggests a specific reframing for boards, delivery owners, and government leaders: treat security as an upstream governance question. The organisations most likely to be ready in 2030 are those that have already redesigned how decisions about risk get made, who participates in them, and what success is measured against. Tools are secondary.
Benchmark your organisation against the research
The 2030 Readiness Roadmap is calibrated directly from this research. Five minutes returns a personalised assessment: where your organisation sits against the 17-leader sample, the capability gaps most likely to matter at your level, and the next moves that match your current position.