Report by Bitsight
State of Cyber Risk and Exposure 2025
Key Findings
Rapidly expanding attack surfaces are cited by 38% of cybersecurity and cyber risk leaders as a reason for increased difficulty in managing cyber risk today vs five years ago.
Just 28% of organisations say they are "very effective" at communicating cyber risk to leadership.
Cybersecurity and cyber risk leaders at organisations without full threat visibility have a burnout rate of 63%.
Organisations with strong asset visibility are 2.5 times more likely to communicate cyber risk effectively to the board.
Nearly all organisations (99%) assess vendor risk.
Just 17% of organisations have tools to regularly map threats and contextualise them for full visibility.
Cybersecurity and cyber risk leaders at organisations with full threat visibility experience a significantly lower burnout rate of 44%.
Only 17% of organisations have the capability for continuous monitoring, despite it being a top priority.
Only a third of organisations monitor third-party relationships over time.
The percentage of breaches tied to third parties doubled from the previous year.
90% of surveyed cybersecurity and cyber risk leaders find managing cyber risks harder today than five years ago.
The explosion of AI is cited by 39% of cybersecurity and cyber risk leaders as a reason for increased difficulty in managing cyber risks today vs five years ago.
1 in 5 organisations still admit their cyber practices are "immature".
Just 29% of organisations have a formal cyber program that is truly aligned with business objectives.
47% of cybersecurity and cyber risk professionals report exhaustion (burnout).