State of Cybersecurity 2025

46% of very large companies (10000+ employees) are concerned with the scale of attacks.

The feeling that the current approach is 'good enough' is the second-greatest challenge in improving the execution of a strong cybersecurity strategy for business leaders.

37% of organizations say their AI priority within cybersecurity is improving internal efforts.

48% of companies are considering certifying current employees for skill improvement.

43% of small companies (<100 employees) are concerned with the emergence of generative AI.

37% of companies have average capability in securing data in cloud providers.

45% of elements involved in risk analysis are related to use of cloud computing.

46% of companies are considering expanding the use of third parties for skill improvement.

38% of elements involved in risk analysis are related to data ownership.

50% of respondents surveyed have expert-level skill in network/infrastructure security.

47% of respondents surveyed have expert-level skill in application security.

38% of large companies (500-9999 employees) are concerned with compliance with regulations.

46% of respondents surveyed need significant skill improvement in network/infrastructure security.

38% of companies have average capability in creating comprehensive data sets.

57% of companies have high capability in creating comprehensive data sets.

47% of respondents surveyed have expert-level skill in data analysis.

36% of firms say they now have a moderate focus on OT.

16% of risks identified through analysis are viewed as organizational concerns.

41% of companies are improving board of directors visibility to improve the effectiveness of their cybersecurity program.

6% of companies have below average capability in mining data.

31% of organizations say their AI priority within cybersecurity is prioritizing defending new threats.

36% of organizations surveyed believe that networking protocols used by OT systems must be understood better to properly secure OT.

38% of organizations surveyed believe that total costs of digitizing physical infrastructure must be understood better to properly secure OT.

33% of organizations reported a lack of buy-in from senior leadership in using AI for cybersecurity.

44% of elements involved in risk analysis are related to operational technology (OT).

Nearly three in four companies report that the impact of cyber incidents in the past year has been severe or moderate.

46% of companies place a higher priority on incident response.

58% of firms say they have a high focus on OT.

37% of companies have average capability in securing data on endpoints.

70% of firms place themselves in an early education phase or a stage of testing AI implementation on low-priority systems.

52% of companies rate themselves as having high capability in AI.

38% of organizations surveyed believe that implementing access control, including remote access, must be understood better to properly secure OT.

58% of companies have high capability in securing data in cloud providers.

59% of companies have high capability in securing data on endpoints.

59% of companies have high capability in securing data on networks.

42% of companies have average capability in mining data.

40% of companies have average capability in capturing data from all sources.

Three of the top seven elements involved in incident response involve some sort of purchase.

42% of companies are improving senior executive visibility to improve the effectiveness of their cybersecurity program.

46% of companies face integrating with business initiatives as a challenge in retaining cybersecurity talent.

43% of organizations are in the early education/experiment phase of AI adoption.

70% of companies are in early stages of AI adoption.

52% of companies have high capability in mining data.

There are 514,000 U.S.-based job openings with cybersecurity-related skills.

49% of large companies (500-9999 employees) are concerned with privacy.

46% of small companies (<100 employees) are concerned with privacy.

41% of medium companies (100-499 employees) are concerned with privacy.

47% of very large companies (10000+ employees) are concerned with privacy.

41% of small companies (<100 employees) are concerned with their reliance on data.

43% of medium companies (100-499 employees) are concerned with their reliance on data.

45% of large companies (500-9999 employees) are concerned with their reliance on data.

55% of very large companies (10000+ employees) are concerned with their reliance on data.

46% of small companies (<100 employees) are concerned with the scale of attacks.

36% of medium companies (100-499 employees) are concerned with the scale of attacks.

49% of respondents surveyed need significant skill improvement in data security.

43% of large companies (500-9999 employees) are concerned with the scale of attacks.

36% of large companies (500-9999 employees) are concerned with the breadth of skills needed.

37% of very large companies (10000+ employees) are concerned with the breadth of skills needed.

35% of medium companies (100-499 employees) are concerned with compliance with regulations.

38% of organizations reported uncertainty around AI efficiency as a challenge in using AI for cybersecurity.

43% of organizations reported skill gaps in basic cybersecurity topics as a challenge in using AI for cybersecurity.

45% of organizations reported skill gaps in using AI tools as a challenge in using AI for cybersecurity.

45% of firms believe existing IT workers need OT training.

34% of firms believe there is insufficient OT budget.

37% of firms believe OT cybersecurity has been overlooked.

33% of organizations surveyed believe that incorporating OT into network maps/architecture must be understood better to properly secure OT.

30% of organizations surveyed believe that patching strategy for OT devices must be understood better to properly secure OT.

43% of organizations surveyed believe that risk assessment for OT systems must be understood better to properly secure OT.

5% of companies have below average capability in securing data on networks.

66% of companies have dedicated employees for data security.

60% of companies have dedicated employees for database administration.

58% of companies have dedicated employees for data analytics.

41% of respondents surveyed have expert-level skill in knowledge of threat landscape.

40% of respondents surveyed have expert-level skill in regulatory landscape.

46% of respondents surveyed have expert-level skill in access control and identity management.

42% of respondents surveyed have expert-level skill in automation and AI.

44% of respondents surveyed need significant skill improvement in access control and identity management.

43% of respondents surveyed need significant skill improvement in application security.

43% of respondents surveyed need significant skill improvement in data analysis.

96% of respondents indicated that Identity management requires significant or moderate improvement.

42% of companies are considering exploring new uses of third parties for skill improvement.

96% of respondents indicated that Application security requires significant or moderate improvement.

95% of respondents indicated that Automation/AI requires significant or moderate improvement.

94% of respondents indicated that Knowledge of the threat landscape requires significant or moderate improvement.

44% of companies are developing new or better cybersecurity policies to improve the effectiveness of their cybersecurity program.

45% of companies are implementing a dedicated reporting structure to improve the effectiveness of their cybersecurity program.

35% of companies face burnout/mental health issues as a challenge in retaining cybersecurity talent.

42% of companies face defining career pathways as a challenge in retaining cybersecurity talent.

44% of companies face salary/paying market wages as a challenge in retaining cybersecurity talent.

46% of companies face finding ways to enable skill building as a challenge in retaining cybersecurity talent.

47% of companies face ensuring tools/support availability as a challenge in retaining cybersecurity talent.

31% of small companies (<100 employees) are concerned with compliance with regulations.

42% of respondents surveyed have expert-level skill in endpoint security.

42% of companies have a higher awareness of regulatory issues.

94% of companies have a high or moderate focus on operational technology.

73% of companies rate the impact of cybersecurity incidents as severe or moderate.

36% of companies have average capability in securing data on networks.

5% of companies have below average capability in manipulating data.

4% of companies have below average capability in capturing data from all sources.

5% of companies have below average capability in finding patterns within data.

6% of companies have below average capability in creating comprehensive data sets.

4% of companies have below average capability in securing data on endpoints.

51% of respondents surveyed have expert-level skill in data security.

42% of respondents surveyed need significant skill improvement in regulatory landscape.

4% of companies have below average capability in securing data in cloud providers.

44% of respondents surveyed need significant skill improvement in knowledge of threat landscape.

56% of companies surveyed say that they are using a formal risk management framework.

41% of respondents surveyed need significant skill improvement in endpoint security.

50% of respondents surveyed need significant skill improvement in automation and AI.

97% of respondents indicated that Network/infrastructure security requires significant or moderate improvement.

95% of respondents indicated that the Regulatory landscape requires significant or moderate improvement.

95% of respondents indicated that Endpoint security requires significant or moderate improvement.

95% of respondents indicated that Data analysis requires significant or moderate improvement.

40% of companies are implementing dedicated cybersecurity roles to improve the effectiveness of their cybersecurity program.

45% of medium companies (100-499 employees) are concerned with the emergence of generative AI.

47% of large companies (500-9999 employees) are concerned with the emergence of generative AI.

52% of very large companies (10000+ employees) are concerned with the emergence of generative AI.

48% of small companies (<100 employees) are concerned with the variety of attacks.

46% of large companies (500-9999 employees) are concerned with the variety of attacks.

49% of very large companies (10000+ employees) are concerned with the variety of attacks.

42% of medium companies (100-499 employees) are concerned with the variety of attacks.

34% of small companies (<100 employees) are concerned with nation-state actors.

30% of medium companies (100-499 employees) are concerned with nation-state actors.

40% of large companies (500-9999 employees) are concerned with nation-state actors.

42% of very large companies (10000+ employees) are concerned with nation-state actors.

34% of companies are exploring cybersecurity insurance.

37% of organizations reported a lack of cybersecurity metrics as a challenge in using AI for cybersecurity.

35% of small companies (<100 employees) are concerned with the breadth of skills needed.

34% of medium companies (100-499 employees) are concerned with the breadth of skills needed.

38% of very large companies (10000+ employees) are concerned with compliance with regulations.

35% of companies are building dedicated cyber resources.

35% of companies are exploring emerging cyber trends more.

38% of companies are focusing more on employee cyber education.

42% of companies are making greater investment in technology tools.

42% of companies are focusing more on risk management.

27% of organizations are implementing AI in low-priority systems.

9% of organizations have full integration of AI with modified workflow.

20% of organizations are implementing AI in high-priority systems.

35% of organizations reported a lack of AI policy as a challenge in using AI for cybersecurity.

36% of organizations reported a lack of appropriate data sets as a challenge in using AI for cybersecurity.

41% of organizations surveyed believe that different security priorities for OT vs. IT must be understood better to properly secure OT.

44% of organizations surveyed believe that types of threats that can impact OT must be understood better to properly secure OT.

56% of companies have high capability in capturing data from all sources.

56% of companies have high capability in finding patterns within data.

39% of companies have average capability in finding patterns within data.

One third of companies surveyed say that risks are assessed informally.

49% of risks identified through analysis are viewed as cybersecurity concerns.

34% of risks identified through analysis are viewed as technology concerns.

45% of elements involved in risk analysis are related to technology procurement.

39% of elements involved in risk analysis are related to data classification.

97% of respondents indicated that Data security requires significant or moderate improvement.

56% of companies are considering new hiring for skill improvement.

41% of companies are implementing better metrics for cybersecurity to improve the effectiveness of their cybersecurity program.

54% of companies are considering training current employees for skill improvement.

41% of companies are establishing better connection with business units to improve the effectiveness of their cybersecurity program.