There’s no question that generative AI and AI agents have already changed the world significantly in the last six months, captivating our attention with images of futuristic skyscrapers swathed in plants and footage of humanoid robots competing in sporting events and scientific environments.

Innovations in Gen AI tools are also quietly but rapidly revolutionizing how businesses operate, anticipate disruptions, and adhere to security and regulatory requirements.

For the majority of organizations, one of the most powerful and practical benefits of using Gen AI seems mundane at first glance: its ability to dramatically reduce the time people spend on critical – but boring – tasks. Capgemini in partnership with ServiceNow make gaining the benefit easy to accomplish, with an integration platform that unleashes the advantages of Gen AI, while creating time for other value-added activities.

Automate processes, eliminate errors, and strengthen compliance

Gen AI tools and AI agents can dispatch tedious and costly routines in a fraction of time it would take a massive team, effectively eliminating backlogs in the process. They can also eliminate the user and quality errors that often come from performing rote work. AI Agents can also proactively monitor changes in regulations, assess their impact, and recommend updates – ensuring continuous alignment with evolving standards. And there are more meta and detail use cases for improving security and compliance underway.

Imagine the time and labor savings of making analysis spreadsheets redundant, instead integrating datasets in ServiceNow modules, making them accessible to everyone in an organization. Or swiftly summarizing lengthy security and compliance documents and highlighting key points to make it easier to understand regulatory requirements. For example, analyzing the requirements of the EU’s Digital Operational Resilience Act (DORA) which came into force in January 2025, and using AI to get suggestions on how to update your policies and procedures. Getting more granular on this front, Gen AI tools can detect outdated security and compliance documentation globally, and also automate the process of ensuring consistency in compliance-related documentation like terminology, style, formatting, and language. This helps organizations stay ahead of security and compliance requirements and avoid penalties in the design phase.

These are just a few examples of how organizations can create a better lens on enterprise resilience and regulatory compliance through technology. The smart approach to widespread adoption of Gen AI is to take a rational, step-by-step approach, selecting a particular process for security and compliance , mapping out the essential high-level activities, and identifying more specific use cases to test scenarios for Gen AI, AI agents, RPA and, of course, the remaining human factor. Then after the design and build, organizations can continue to iterate and improve.

Leverage large-scale data analysis

But where to start? Ensuring data quality and consistency is a game changer that can create a competitive advantage for companies. And Gen AI’s ability for large-scale data analysis makes it easy to tackle data cleaning and improvement, which used to be an expensive and time-consuming task. This opens up exploration of how companies can embed data-driven intelligence into their end-to-end operations.

That could include crucial compliance tasks such as comparing existing policies and procedures against requirements to identify gaps and areas for improvement. Or analyzing feedback from stakeholders (e.g., legal, auditors) about the interpretation of a new regulation and incorporating relevant changes into compliance documentation, which in turn can be used to create an audit trail of scenarios and detail the choices.

Monitor operations in real-time and predict patterns

When Gen AI tools analyze vast volumes of business data, they can recognize patterns, detect deviations from the norm, and provide actionable insights to improve decision-making processes. This enables organizations to continuously monitor aspects of their operations in real-time while also using machine-learning algorithms to enhance problem-solving.

Look no further than the recent shifts in global tariffs that have disrupted supply chains, requiring companies to pivot quickly. AI agents can analyze historical data and identify trends that may indicate potential disruptions, to predict delays or shortages and suggest alternative suppliers or routes, mitigating risks before they escalate. Using that same type of historical data, retailers can predict changes in customer demand based on historical sales data, seasonal trends, and market conditions. This helps with optimizing inventory levels, reducing overstock and stockouts, and improving customer satisfaction. The same applies for the meta use cases for security and compliance, as companies can prevent resilience issues rather than fixing them later.

Maintain human-led expertise and oversight

Generative AI tools leverage machine learning algorithms to create outputs that mimic human creativity and problem-solving abilities. But unleashing Gen AI doesn’t mean there aren’t any guardrails. Human collaboration between AI experts and domain specialists is crucial for expertise, oversight such as regular auditing and monitoring of AI output, and to maximize the benefits of these tools. Organizations should also invest in training programs to upskill employees and foster a culture of continuous learning.

While technological advancements in Gen AI initially leapt ahead of regulations, ethical considerations such as data privacy, bias, and transparency have caught up. Although the US loosened regulatory barriers to AI innovation in January, new measures promoting the responsible design, development, and deployment of AI have been introduced by the EU, as well as Canada and China. Individual organizations are also increasingly following a framework of measures referred to as TRiSM – trust, risk, and security management – baked into AI platforms.

Improving operational resilience and regulatory compliance might not be headline-grabbing news, but it’s often these seemingly small shifts that can make the biggest collective impact. Even the most eye-catching skyscraper would topple without its underpinning of concrete and steel. In the same way, Gen AI tools and AI agents can help organizations shore up their foundations, build strength in a holistic approach to maintain business continuity, and minimize the impact of unexpected events.

Salesforce’s plan to acquire Informatica will unleash a powerful trifecta of technologies, making it easier for organizations to benefit from a new, human/digital hybrid workforce

Deploying autonomous AI agents at scale is poised to transform business operations. Enterprises across all industrial sectors are eager to leverage these agents – working alongside humans – to boost productivity, efficiency, and customer experience. However, to unlock the full value of the digital labor opportunity, it’s imperative that companies empower AI agents with broad access to organizational tools and data – and do so without sacrificing security or incurring massive integration costs. The recently announced plan by Salesforce to acquire Informatica is good news for enterprises as they address this significant challenge.

Overcoming deployment barriers

In Rise of agentic AI: How trust is the key to human-AI collaboration, the Capgemini Research Institute projects AI agents could generate up to $450 billion in economic value by 2028, through revenue uplift and cost savings across the surveyed countries.

But from their interviews with 1,500 executives, Capgemini researchers discovered only 14 percent of organizations have moved beyond pilot projects to partial or full-scale deployment of these agents. Trust is a key barrier, as those surveyed cited ethical concerns, lack of transparency, and a limited understanding of agentic AI capabilities. But organizational readiness – including the creation of an effective governance system – is also hampering secure, scalable deployments.

Salesforce is one of the leading technology companies helping enterprises to deploy autonomous agents, and it is taking steps to help organizations overcome these barriers. In the spring of 2025, Salesforce announced a major play to strengthen its capabilities in the form of an $8 billion deal to acquire Informatica. As a longtime Salesforce partner, Capgemini believes this is an important development that will enable Salesforce to deliver AI agents that can operate with intelligence, context, and confidence across the modern enterprise.

Key assets, working together, will enable this.

Agentforce. The Salesforce approach starts with Agentforce – the company’s flagship AI agent platform. Agentforce integrates natively with an organization’s existing applications, data, and business logic so agents can securely take action across the enterprise – handling complex tasks automatically while working in tandem with human teams.

Early deployments of Agentforce have already demonstrated substantial gains. For example, companies using Agentforce have cut customer service case handling time by double-digit percentages and allowed AI agents to autonomously resolve the majority of simple support requests. At scale, these AI agents handle high-volume, repetitive tasks such as answering FAQs, processing form submissions, or triaging support tickets. This frees up human agents to focus on higher-value work.

Salesforce recently enhanced this solution with the Agentforce Command Center, which enables business leaders to monitor and control their AI agents’ activities in real time. This level of visibility and governance addresses critical hurdles to scaling AI agents across the enterprise.

Anthropic’s Model Context Protocol. To enable its AI agents to access diverse systems, tools, and data across the client’s organization, Salesforce has embraced Model Context Protocol (MCP) – an open integration standard from Anthropic. This addresses a major pain point in the AI deployment process – namely, that custom integrations, each using custom code and requiring unique maintenance processes, do not scale.

MCP eliminates the need for developers to build a custom integration every time agents need to connect to external systems, APIs, databases, and services. The result is faster development, lower integration costs, and the freedom to mix-and-match AI models with a wide variety of tools and data sources. MCP’s model-agnostic open standard – often referred to as “the USB-C of AI” – means businesses avoid vendor lock-in and encourages a broad ecosystem of integration. Salesforce’s decision to adopt MCP enables Agentforce agents to seamlessly interface with a vast and growing universe of enterprise systems and cloud services – without requiring custom code, and without compromising on security.

MCP-native agents. When Salesforce released Agentforce version 3 in mid-2025, it introduced built-in MCP interoperability. What’s more, more than 30 launch partners provide MCP integrations – spanning cloud platforms (AWS, Google Cloud), content and collaboration tools (Box, Notion), payments (PayPal, Stripe), data and AI services (IBM, Writer), and more. This means Agentforce can accomplish a vast variety of tasks.

The Salesforce vision is clear: to enable an open ecosystem in which Agentforce-powered AI agents can plug-and-play into business applications and services, regardless of source and with minimal setup. This represents a major leap forward in what these agents can do autonomously.

The Informatica toolset. The effectiveness of AI agents – no matter how intelligent or well integrated – is only as good as the data on which they operate. With its plan to purchase Informatica, Salesforce will acquire important enterprise-grade tools for data integration, data quality and cleansing, master data management, granular data governance and privacy controls, and real-time data observability across complex hybrid and multi-cloud environments.

From a business perspective, this acquisition will inject a powerful dose of data integrity, context, and governance into Salesforce’s AI ecosystem, ensuring Agentforce agents have access to clear, trusted, and actionable data. Enterprises will be able to track where data comes from, how it’s transformed, and how it’s used. Organizations will avoid mistakes due to using outdated or inconsistent data. And companies will deploy AI agents, confident that they will not run afoul of regulatory requirements or privacy laws.

A powerful trifecta

Agentforce, MCP, and Informatica form the three pillars of an AI-driven enterprise: an agent platform to act, a protocol to connect, and a data ecosystem that informs. Organizations that leverage all three will be well positioned to achieve unprecedented levels of automation and insight – transforming their enterprise into a smarter, more agile business in which humans and agents can collaborate seamlessly to enrich customer experiences and drive growth.

For many enterprises, this will make the vision of autonomous agents a practical reality. AI agents, working fluidly across systems, will handle routine processes in customer service, sales, marketing, IT, and finance. This digital workforce will answer questions, generate reports, update records, and flag issues – autonomously, and in real time. This will free up humans to focus on strategic, creative, and relationship-oriented work – activities at which humans excel – while supervising AI as needed.

Capgemini is excited by this trifecta and looks forward to working with its Salesforce clients to enable the ongoing value opportunity agentic AI represents. As a Salesforce partner for 17 years and one of the company’s global top five strategic partners, Capgemini offers its clients expert knowledge of the Salesforce platform, the experience of more than 3,000 AI specialists and 50,000 AI-enabled engineers, strong integration capabilities, and sector-specific expertise in multiple industries. Assets include the Capgemini Agentforce Factory – a hub for clients to explore real-world applications through interactive demos, hands-on training, and expertise guidance.

For more information, please contact: andy.forbes@capgemini.com

Supply chains are no longer just operational backbones; they are the beating heart of global business. We live in a digitally interconnected world with supply chains operating just-in-time. From pharmaceuticals to automotive to consumer goods, supply chains are where innovation, efficiency, and sustainability ambitions come to life. But they are also where vulnerabilities now concentrate. In an interconnected world, there are interconnected risks.

As industries digitize at pace – integrating AI, cloud platforms, and connected ecosystems – their supply chains have become prime targets for cybercriminals. Attacks are no longer isolated disruptions; they ripple across industries, markets, and even national economies.

Capgemini’s latest research confirms what we see in the field every day: cybersecurity is now the number-one concern for supply chain leaders, cited by 74% of executives, outpacing cost pressures and digitization challenges[RA1] . This marks a pivotal shift.

Why supply chain cybersecurity is a market imperative

Between 2019 and 2022, supply chain cyberattacks rose by an alarming 742%. Industry reliance on third-party vendors, SaaS ecosystems, and globally distributed partners has created vast and complex risk surfaces. Organizations are as safe as their weakest link, and many times the biggest weakness is in a third party.

Consider the impact:

• A manufacturing shutdown caused by a ransomware attack can stall production for weeks, with ripple effects across automotive or electronics industries.
• A pharmaceutical supplier breach can jeopardize both regulatory compliance and patient safety.
• A logistics provider hack can paralyze retail operations during peak season.

Despite this, only 9% of organizations monitor cybersecurity across their entire supplier base. That leaves blind spots, especially in Tier 2 and Tier 3 suppliers, that attackers are quick to exploit.

Visibility is now the competitive differentiator

In an interconnected economy, visibility is the new currency of trust. Our research shows 79% of executives worry about their lack of cybersecurity visibility in global supply chains.

For industries where trust defines the brand, whether ensuring product authenticity in luxury goods or safeguarding patient data in healthcare, visibility gaps are no longer tolerable. Forward-looking organizations are now investing in:

• AI-driven monitoring and analytics for real-time supplier risk insights
• Collaborative cybersecurity frameworks that extend beyond Tier 1 vendors
• Integrated resilience planning that balances security with sustainability and agility goals.

Cybersecurity as an industry growth driver

Encouragingly, we also see progress. 73% of organizations have deployed end-to-end cybersecurity tools, and nearly half report radical transformation as a result.

For leaders, this is more than protection, it’s a growth story. Cybersecurity-enabled supply chains are:

• More agile, adapting faster to geopolitical shocks
• More trusted, earning customer and regulatory confidence
• More sustainable, by ensuring continuity even under disruption.

Resilience must now be treated as core dimensions of the supply chain strategy.

Five imperatives to future-proof supply chains

Based on our market research and client work, we recommend organizations focus on:

1. Embedding cybersecurity controls across all supply chain tiers, not just Tier 1
2. Partnering with cybersecurity specialists to tailor strategies by industry
3. Leveraging AI and Gen AI to enhance visibility and accelerate detection
4. Building cybersecurity into supplier contracts for accountability
5. Educating internal teams and suppliers to strengthen the human defense layer.

The bigger picture: Agility, sustainability, and AI

Industry leaders know that the future supply chain must balance cybersecurity, agility, and sustainability. These three priorities are converging into one strategic agenda.

Organizations that succeed will not only withstand disruptions, but they will also turn resilience into a market advantage.

From risk to resilience

Supply chain cybersecurity is no longer a technical challenge; it is an industry-wide business challenge. The risks are escalating, but so are the opportunities for those who act with urgency.

Our research provides deep insights into how organizations across industries are approaching this challenge. To learn more, or to explore how we can help you secure your supply chain for tomorrow’s threats, connect with our experts.

Security leaders thought zero trust was important before? Welcome to the AI century, where artificial intelligence (AI) isn’t just accelerating the adoption of zero trust, but is becoming the essential technology for outsmarting ever-more sophisticated cyber threat actors.

The rise of AI and zero trust 

In today’s digital world, cybersecurity challenges often seem insurmountable. As threats grow in complexity and scale, organizations are rethinking security strategies. Zero trust – built on the principle of “never trust, always verify” – has become the gold standard for enterprise security. Yet, research suggests that only around 30 percent of Fortune 500 companies have a defined zero trust roadmap. For those still on the sidelines, the time to act is now.  

The urgency has only intensified with the rise of artificial intelligence. Since the launch of ChatGPT in late 2022, AI adoption has been rapid and widespread. What began as a consumer phenomenon is now reshaping enterprise security. AI is no longer an add-on – it is becoming the core enabler of zero trust, helping organizations scale defenses and respond to threats in real time.  

CISO’s perspective: Continuous transformation in security 

This shift is most significant for chief information security officers (CISOs). Already under the pressure to protect enterprise assets, while enabling digital transformation, CISOs have seen cloud adoption, hybrid work, and new regulations stretch traditional defenses to their limits. Now, the acceleration of AI adoption is adding another layer of urgency. CEOs are driving the vision for AI use cases while CISOs are responsible for delivering on that aspiration.

In this context, zero trust is no longer a theoretical – it’s the future state for enterprise security. The real question is how AI can help get them to the zero trust future. Artificial intelligence has shifted the cybersecurity landscape in fundamental ways. At its core, zero trust requires granular access controls, continuous authentication, and real-time monitoring. Historically, scaling these principles across a vast enterprise was a daunting task. AI changes the equation by automating detection, response, and analysis, making it possible to enforce zero trust at every level (i.e., endpoints, applications, infrastructure). AI delivers speed, but more importantly, it helps enterprises do security faster.  

Financial services as a proof point

The financial services sector illustrates this shift clearly. With valuable data, critical operations, and strict compliance requirements (PCI DSS, SOX, GDPR), financial institutions face constant attack. For them, zero trust is not optional, it is foundational. Here AI is proving its worth. It empowers banks, insurers, and investment firms to implement adaptive identity verification, anomaly detection for fraud prevention, and rapid incident response at scale. For example, AI algorithms can flag suspicious transactions across millions of accounts in real time, while continuous authentication ensures that only legitimate users gain access to critical systems. Investment firms are integrating AI insights into zero trust frameworks to detect anomalies faster and reduce fraud losses.

The lesson is clear: where the stakes are highest, AI and zero trust together are delivering tangible results. Other industries can draw confidence from this example.

Practical considerations for enterprises

For CISOs and enterprise clients, the journey toward AI-powered zero trust doesn’t have to be overwhelming. It begins with a few practical steps:

• Assess your security architecture: identify where AI can close gaps or enhance scalability.
• Establish clear AI policies: ensure safe usage while meeting GDPR and standards such as ISO/IEC 42001.
• Upskill your teams: build AI knowledge and monitoring expertise into cybersecurity functions.
• Partner strategically: few enterprises can operationalize AI for zero trust alone; trusted partners accelerate progress.
• Continuously optimize: as attackers evolve, so must AI models and security controls.

AI as the essential technology for zero trust 

The convergence of AI and zero trust marks a pivotal moment in the evolution of cybersecurity. As threat actors become more advanced, the tools to defend against them must be equally sophisticated. AI isn’t just enhancing zero trust – it’s enabling it at scale, making previously unattainable levels of security possible. For CISOs and security professionals, embracing AI is no longer optional; it’s imperative. By adopting AI safely, embedding it into zero trust strategies, and striving for operational excellence, enterprises can stay ahead of the curve and safeguard their digital future with confidence.  From strategy to scale — discover how Capgemini’s Gen AI security suite accelerates your zero trust journey

In the ever-evolving world of cybersecurity, few leaders embody resilience, innovation, and inclusivity like Marjorie Bordes. From the adrenaline-fueled unpredictability of cyber defense to building a global, diverse team at Capgemini, Marjorie’s journey is a testament to bold leadership and relentless curiosity. As Group CISO, she’s not only shaping the future of cyber operations but also inspiring the next generation – especially women – to step into the field with confidence and purpose. In this exclusive interview, Marjorie shares her path, her passion, and her powerful message for those ready to make their mark in cybersecurity.

Q1: What first sparked your interest in cybersecurity, and how did you find your way into the field?

What first attracted me to cybersecurity was the adrenaline – the thrill of unpredictability. No two days are ever the same. When I wake up in the morning, I never know what the day will bring. There’s never a dull moment, and that constant challenge drew me in. My curiosity, hunger to learn, and love for stepping outside my comfort zone naturally led me to cybersecurity.

What makes cybersecurity truly unique is its constant evolution. It’s a field where staying still means falling behind – there’s always a new challenge to address, a new domain to explore, or a new skill to develop. Its diversity is one of its greatest strengths: it spans countless domains, making it a field where varied expertise and perspectives can thrive.

Over several years, I had the privilege of leading Cyber Defense Operations for the Capgemini Group, a role that was both demanding and deeply rewarding. It allowed me to operate at the heart of the organization’s security posture, manage complex incidents, and drive strategic initiatives across global teams. More than anything, it was a team effort. I had the chance to collaborate with talented and passionate professionals. That collective experience reinforced my passion for the field and my commitment to building together resilient, forward-looking cybersecurity capabilities.

Q2: Looking back, what has been the most rewarding or defining moment in your cybersecurity career so far?

Creating a strong, collaborative, and diverse global cyber team and community within Capgemini has been one of the most fulfilling parts of my journey. Becoming Group CISO was a defining milestone – not just for me personally, but as a signal that leadership in cybersecurity is evolving. What drives me is seeing our teams challenge conventions, bring fresh perspectives, and deliver real impact.

One of the achievements I’m most proud of is transforming our cyber operations to a  follow-the-sun model with new expertise spanning across Australia, India, Egypt, Europe, the US, and Mexico. It’s incredibly rewarding to see professionals from such different cultures and backgrounds working together seamlessly, united by a shared mission, mutual respect, and common values – among which team spirit, trust, and boldness stand out.

At Capgemini, this ability to blend diverse perspectives and build inclusive, high-performing teams is part of our DNA. Watching this global community grow, evolve, and thrive has been both a privilege and a source of daily inspiration.

Q3: Cybersecurity can be intense and fast-changing. How do you stay motivated and resilient in this environment?

I stay motivated by embracing the pace and staying curious. Cybersecurity moves fast, and that’s exactly what keeps it exciting. Every new threat is a chance to learn, rethink our approach, and stay ahead. I see change as a driver for growth and innovation.

What also makes a real difference is the trust and support we receive at the highest levels of the organization. The confidence and transparency shown by our CEO, and the close relationship with our Board, give us the clarity and agility to act quickly and decisively.

Resilience isn’t about being unshakable – it’s about staying steady and adaptable when things get intense. When you’re surrounded by trusted colleagues and supported by strong leadership, you can move forward with calm and purpose. At Capgemini, we embrace the idea that nobody is perfect and making mistakes is part of the journey. We learn from our missteps, come back stronger, and grow through the lessons they teach us. This mindset fosters a culture of continuous learning, unlocks creativity, and encourages innovation in how we approach problems and build solutions.

Q4: When you’re not thinking about cyber threats, what’s your favorite way to unwind or spark creativity?

Music helps me create mental space to focus and reflect. I adapt the style depending on the mood – it’s a powerful tool for concentration and creative thinking.

I also practice horse riding, which allows me to disconnect, reset, and gain perspective. It’s a moment of clarity, far from screens and alerts, where I can recharge and come back with a fresh mindset. That silence and focus, in a completely different environment, helps me step back, rise above the immediate complexity, and escape the tunnel vision that can come with intense situations. I come back refreshed and ready to make thoughtful decisions.

And then there’s my notebook. I always keep it open on my desk at home, ready to capture ideas whenever they strike. It’s my personal space for inspiration, where thoughts can flow freely before they’re forgotten. It’s a simple habit that fuels my creativity and keeps me open to new ways of thinking.

Q5: What advice would you give to young women considering a career in cybersecurity, and why do you believe Capgemini is the best place to start?

Don’t wait for permission – step in with confidence, trust the value of your perspective, and shape your own journey. Cybersecurity needs diverse voices, and your unique background is an asset, not something to fit into a predefined mold.

At Capgemini, you don’t have to conform to a standard box or follow a fixed path. You can come as you are – there’s always a place for you. And if that place doesn’t exist yet, even better: you’ll have the freedom and support to create it. That’s part of our DNA. Here, you’ll find the freedom to explore, the support to grow, and the opportunity to work on meaningful challenges with inspiring teams. It’s a place where initiative is encouraged, where innovation thrives, and where you can build a career that truly reflects who you are.

Public sector organizations are allocating 30% of their tech spend to on-demand technologies – with this figure set to rise to 44% in 2026. What’s causing this increase in costs and how can the public sector contain it?

In a new report from the Capgemini Research Institute (CRI), The on-demand tech paradox: Balancing speed and spend, 82% of technology leaders surveyed across industries have seen significant cost increases for cloud, SaaS, and Gen AI usage. Almost half are considering moving workloads to on-premises environments as a result. The debate surrounding cloud sovereignty is further fueling this trend, as CIOs and their teams aim to avoid compliance risks and data privacy dependencies that could arise from geopolitical challenges.

What’s accelerating public sector cloud adoption?

Cloud is a necessary foundation for delivering modern, joined-up, data-driven services. And, as AI continues to mature, success with it depends on cloud services. That’s because AI only works when it’s given good data, and cloud offers a better way to connect that data.

Yet on-demand cloud services are cited as one of the biggest IT cost drivers. For the public sector, these services increasingly underpin the way public services are delivered at scale, as well as how the sector handles new or periodic service demands, such as during an election, AI-powered chatbots dealing with citizen queries, and platforms for remote working and collaboration.

What is clear is that the power of the cloud, while creating opportunities for streamlining and automating countless processes, also generates one of the biggest challenges. Just as control, transparency, and governance are required to ensure a sovereign cloud, so it is for cloud costs, particularly as on-demand IT resources are scaled.

Cloud use in the public sector – what’s going wrong?

The CRI survey revealed some startling facts about the difficulty public sector organizations face in controlling their cloud spend:

• 67% are unable to accurately forecast cloud budgets
• 68% see cloud waste as a big challenge – significantly higher than the 59% all-sector average
• 61% say their organization’s on-demand tech costs are “a big black hole”
• 53% have faced bill shocks due to unpredictable spikes in cloud usage

More generically, only around 30% of organizations across sectors have achieved their savings target.

Why the public sector needs FinOps

These figures are perhaps not surprising. What’s missing in so many cloud environments are the controls required to keep costs from spiraling as on-demand tech sprawl expands. For example, 58% of public sector leaders said they did not have complete visibility of how many SaaS apps they had.

What’s needed is an effective FinOps program. FinOps is the continual management of both operational and cultural practices that ensures you get the most from your cloud investments, while controlling their costs. The word “continual” is important here because cloud and on-demand are flexible by nature, thus your controls need to flex in tandem.

But that’s precisely the catch. Many organizations are considering FinOps, but few are implementing it effectively. In the public sector, while 53% of the CRI survey respondents said they used cloud cost management tools, only 34% regularly evaluated the performance and impact of those tools and took action based on the insights. 

Furthermore, FinOps is invariably pushed behind cloud strategies (perceived as an afterthought), thus lagging behind the cost explosion. Playing catch-up is much harder than preventing that cost explosion in the first place.

FinOps, like compliance and security, must therefore be part of the cloud strategy from the outset, moving away from the idea of technology first, cost control second.

What is procurement’s role in controlling cloud costs?

So, where do you start? It is vital when developing a cloud strategy that you identify the base costs for each functionality, as well as the cloud’s cost drivers in a design-to-cost methodology. You should also establish a clear usage framework.

With cloud services – especially AI-based automation – becoming more and more prevalent in business processes, their procurement should be managed just as professionally as other purchased goods. This is precisely why purchasing/procurement has always existed as a standalone skill and function. A good industrial purchaser has the technical background to efficiently manage negotiations and supplier management.

But how good is the purchasing department’s expertise in cloud technology? With 67% of the public sector survey participants saying they are unable to forecast their cloud budgets accurately, something is clearly going wrong.

A big clue lies in how established procurement processes have worked in the past. The public sector has historically used fixed price terms and deliverables. So, while cloud environments have been set for most use cases and are waiting to be deployed and used, on-demand pricing is, in general, a huge challenge for public sector procurement. Balancing cloud cost and on-demand agility demands wholly new thinking.

Rebalancing speed and spend

The pattern of cloud/on-demand first, costs second (often after a service has been built and launched) is especially evident in the public sector. Indeed, 65% of public sector participants reported that this was the case, against an all-sector average of 54%. The outcome of this is clear. For example, taking just one element of on-demand budgets, spending on SaaS in the public sector has seen an average over-spend of 12% in the past year.

Meanwhile, 65% of the public sector respondents confirmed this pattern of tech first, cost second thinking, whereas private industry players are addressing this more effectively, with an all-sector average of 54%. The life sciences sector shows a marked contrast at 38%. This presents an opportunity for public sector organizations to tap into already proven best practices from the private sector. This is particularly pertinent in today‘s climate, where the need for digitization is increasing and there is an expectation of a huge rise in funding IT/digital projects in the public sector.

What impact will sovereignty have on cloud costs?

Another aspect of cloud raises cost implications: geopolitical shifts have led to sovereignty becoming more of an imperative in the public sector. 57% of public sector organizations, versus a global average of 46%, are already embedding cloud sovereignty in their overall cloud strategy.

With the potential to add to the cost control challenge, this demands careful decisions about what environment is appropriate for each workload. Sovereign solutions should only be used where the risk management approach really demands them.

How much are organizations willing to pay for additional sovereignty and compliance? This was a key question in the CRI survey, noting that all cloud providers today are providing different offers. Most of these offers come with a premium tariff for additional compliance controls, liability terms, and local/national operations.

An all-sector average of 42% said they would be willing to pay extra for sovereignty, with an average 11% price increase. A further 37% acknowledged a tentative willingness to pay an 11% premium for sovereign cloud.

That some FinOps thinking is already in play is evidenced by 58% of respondents across all sectors saying that they conduct a cost-benefit analysis to balance sovereignty needs and cost efficiency. This will lead to a multi-cloud approach, providing the right cost/function model for different data classification needs.

What should public sector leaders do?

We have seen that the adoption of on-demand technologies, such as cloud, SaaS, and Gen AI, is accelerating. At the same time, there is a corresponding rise in both costs and complexity. FinOps offers a pathway to controlling the cost explosion and increase the value of on-demand technology.

The following steps can help to establish successful, cost-managed cloud adoption:

• Make cost a deciding factor, not an afterthought. On-demand tech decisions should be made with cost management to the fore.
• Bring procurement and IT closer together. Purchasing can then feature at the outset of new IT adoption.
• Build understanding of cloud provision and on-demand services within your procurement function. Purchasers should know what the cost drivers are and how on-demand pricing can be dealt with.
• Design scalable, agile, frugal, and sustainable architecture. Architecture choices should align costs to value, and cost-aware architecture should limit egress charges.

Making public sector cloud work – cost effectively

Cloud is playing a pivotal role in the transformation of public services. Done the right way, it can reduce costs and make digital modernization easier, but smart choices and cost-containment are key.

Organizations that get this right will be able to rely on the cloud effectively and consistently, and by increasing their use of on-demand services, drive real improvements in productivity, innovation, and cost savings.

Find out more

Read The on-demand tech paradox: Balancing speed and spend published by the CRI for more on the current state of cloud investments and on-demand usage. The breakdown of pure cloud expenditures, SaaS, and Gen AI is particularly interesting.

Our report Making it real: Four steps to implementing a sovereign cloud shows howpublic sector organizations can maintain an appropriate level of control over their data, technology, and operations. 

Post-quantum cryptography (PQC) migration is often presented as a clean, linear process: inventory your cryptographic assets, prioritize them, build a roadmap, and migrate one by one.

In practice, it’s rarely that simple. You might think you’ve got crypto discovery covered – until you realize it’s a highly-dimensional, deeply-embedded, and often undocumented part of your infrastructure. Or perhaps you’re the one championing the cause, but you lack the mandate, budget, or executive support to move forward. Maybe there are just too many other priorities.

So how do you get started? The answer: start small, but think big. PQC migration doesn’t have to be overwhelming. You can start your PQC migration journey by focusing on four key areas. These aren’t sequential steps. You can begin where it makes the most sense for your business – and build momentum from there.

1. Develop readiness and capability

In my experience, most organizations already have someone who understands the urgency of PQC. If you’re reading this, that person might be you. But even with technical know-how, the biggest challenge is often organizational: no budget, no priority, and no clear mandate. Even when a small team is capable, implementing cryptographic upgrades across dozens of DevOps teams – each with its own backlog – is a different story. Ironically, the hardest systems to migrate may not be the crown jewels, but the forgotten legacy systems no one wants to touch. So where do you begin?

Before pushing for a full-on roadmap of strategy, create a short, compelling internal document that outlines the urgency and opportunity. Give people something to rally around. Identify what the quantum risk means to your industry and company, and formulate it in the language that resonates with leadership and practitioners. You may find it helps to get experts on board, too.

2. Rethink inventory: it’s not a prerequisite, it’s a process

There are two common misconceptions:

• One tool will give you full visibility.
• You need a complete inventory before you can start migrating.

Neither are true. Cryptographic assets have many dimensions. Their owner may be internal or vendor-supplied. They may be deployed on-premises or in the cloud. They may be legacy, active, or still in development. They may have different levels of exposure, risk characteristics, scope, and more. No single tool will capture everything. Doing so requires a combination of TLS traffic analysis, filesystem scans, cryptographic bills of materials (CBOMs), questionnaires, and more. Each method has its strengths and blind spots. Don’t expect one solution to be the holy grail, but instead, start where you already have visibility and build from there.

Second, cryptographic inventory is not a prerequisite. In one case, I worked with an organization that prioritized TLS traffic, only to find that 99% of assets were marked high priority. Denoting everything as a high priority nullifies the need for prioritization. Additionally, cryptographic inventory is never going to be finished, so waiting for it to be done won’t get you far. It’s not a one-time task either. It’s a continuous process that’s essential for prioritization, compliance, and incident response.

3. Begin migration where it makes sense

Another common misconception is that the technology isn’t there yet. It’s actually a nuanced picture. PQC algorithms were standardized in mid-2024 after years of global vetting. Since then, vendors have rapidly integrated PQC into OpenSSL, TLS, HSMs, and other products. Nonetheless, scrutiny continues. In 2022, side-channel vulnerabilities were found in Falcon, one of the PQC algorithms, after five years of development and vetting.  It’s a reminder that algorithms deemed secure may one day face vulnerabilities. Nonetheless, the same is true for any cryptographic algorithm. This doesn’t mean they aren’t secure.

There are also still wrinkles in software packages implementing PQC. For example, when testing BouncyCastle, we found it lacked native PQC support, requiring C-based implementations and custom compatibility layers. We also found a lack of standards, forcing us to define custom nomenclature. This raised an important question: would it have been easier to wait a few years for the technology to mature?

For some systems, perhaps it would have been. For new technologies and non-critical systems, one could wait until more documentation is available and more experience is available. But you can’t wait forever. By choosing not to wait, early adopters gain experience, influence standards, and uncover risks sooner.

There are also plenty of smart, low-risk actions you can take in the short term – steps that make sense regardless of where you are in your PQC journey. For example, organizations can adopt best practices related to automated key and certificate management and rotating keys regularly or automatically. They could also upgrade to TLS 1.3 or design modular, update-ready systems. Perhaps the most sensible thing is to look at what’s already on the roadmap. If a system is being upgraded, ensure it’s done with PQC and crypto agility in mind.

4. Engage your ecosystem and dependencies

PQC migration is an organizational problem, full of complex dependencies. You depend on vendors who may not yet support PQC, policies with customers that may assume cryptographic lifetimes of decades, and standards that vary by region. You may want to consider negotiating terms with your vendors but lack the capacity and knowledge to do so effectively. You may want to align with regulators and governments, but ambiguous and diverging polices complicate the matter. How should you get started?

Foremost, start the conversation. Talk to your peers. Collective pressure is more effective when negotiating with vendors or influencing standards. Talk to your vendors. Include crypto agility clauses in contracts – especially during renewals – and talk to policy owners to challenge assumptions about key lifetimes and update cycles.

Conclusion: action over perfection

PQC migration is complex, and it’s hard to see the full picture from the start. But one thing is clear: inaction is not an option. The good news? You don’t need to solve everything today. No-regret moves are possible. Rather than overcomplicating cryptographic discovery, start with existing visibility and build a more complete inventory from there. Oversee the migration roadmap. If a system is being upgraded, ensure it’s done with PQC in mind and adopt best practices around crypto agility. Finally, engage your ecosystem and initiate discussions with peers, vendors, and policy makers. Whatever you do, lean towards action instead of perfection. The time is ticking as quantum computers mature.

Women leaders from across industries share how inclusive leadership, AI fluency, and diverse teams are shaping the future – and why gender equity is central to lasting impact.