The CISO Society 2025 State of Continuous Controls Monitoring Report

More than one-third of organisations (34.2%) hope to achieve their KPIs for compliance benchmarks by incentivizing success or by penalizing failure, or by implementing both incentives and penalties.

69.7% of CISOs said cost is most important when selecting tools/vendors to provide governance and continuous controls monitoring.

Over a billion credentials were stolen in malware attacks within a 12-month period.

Stolen credentials are involved in nearly half (44%) of all data breaches.

Of the 1.8 million breached administrator credentials, 40,000 admin portal accounts had the password ‘admin’.

53.2% of CISOs take note of their organisation's regulatory requirements.

Roughly 50% of CISOs expect automation to optimize compliance through a single pane of glass.

50% of CISOs said that, on an annual basis, they spend more than $200,000 worth of capital and dedicated staff resources to achieve and maintain compliance across their organisation.

46.2% of organisations said they don’t have a sufficient budget to invest in GRC tools.

Roughly two-fifths of CISOs are challenged by evidence gathering (41.5%) as a challenge in satisfying regulatory requirements.

13.7% of CISOs said their compliance program is a 1 (“Initial: ad-hoc”), and 23% said their program is a 2 (“Established: documented and repeatable”).

More than a third (37.8% of CISOs) said their relationship between compliance and security is in a phase of simple negotiations.

25.5% of CISOs assume current GRC processes are not broken.

66.7% of education businesses are challenged by audit readiness and their maturing compliance program.

230 million of the breached passwords met standard complexity requirements, including length, capitalisation, numbers and special characters.

30% of CISOs spend less than $100,000 annually on compliance.

Most organisations (57.9%) spend at least some of their budget on GRC tools to collect and maintain compliance evidence.

Almost half of the CISOs who rated their compliance programs a 1 or 2 attributed their difficulties to a lack of personnel or resources.

Of the organisations that measure the operational cost of managing compliance, 10.1% track IT costs.

76.1% of CISOs said integrations are most important when selecting tools/vendors to provide governance and continuous controls monitoring.

44.2% of CISOs consider security and compliance a business enabler.

40.4% of CISOs are challenged by the lack of a centralized system as a challenge in satisfying regulatory requirements.

Almost one-third (31.1% of CISOs) believe that their company’s resistance to change is primarily driven by financial matters.

26.1% of CISOs cited the rate of regulatory change as a challenge in implementing new or updated compliance frameworks.

43.6% of CISOs cited control mapping as a challenge in implementing new or updated compliance frameworks.

38.5% of CISOs said GRC tools are too expensive.

17.6% of CISOs believe that manual processes are easier than using Compliance as Code.

Just over 13% of CISOs are looking to technology to help solve their problems and have started to adopt or have plans to adopt Compliance as Code (OSCAL or OCSF).

35% of CISOs said that, on a scale of 1 to 5, they would rate their compliance program a 3 (“Defined: early-enterprise, standardized and structured”).

53.7% of CISOs stated that compliance is not embedded into their CI/CD pipeline.

20% of CISOs spend between $100,000 and $200,000 annually on compliance.

Just over a quarter (26.4%) of CISOs said that compliance has been embedded into 26-50 percent of their pipeline, while 27.4% have embedded compliance in as much as 75 percent of their pipeline.

Less than one-sixth (14.2%) of CISOs have embedded compliance into the majority (76-100 percent) of their pipeline.

Less than half of the respondents (44.1% of CISOs) described the relationship between compliance and security as completely synchronized.

One-third (33% of CISOs) see an opportunity to supercharge staff through automation.

Almost one in ten (9.6% of CISOs) said their relationship between compliance and security is in a period of complex negotiations while 8.5% said their relationship is out of sync.

Roughly one-sixth (15.8% of CISOs) endure quite a bit of duplication and 37.4% have some duplication in their compliance efforts.

Only a fifth (20.5% of CISOs) said they have very little duplication in their compliance efforts.

Roughly half of CISOs (47.9%) cited evidence gathering as one of their greatest challenges in implementing new or updated compliance frameworks.

53.7% of CISOs pointed to skilled staff as a major challenge in implementing new or updated compliance frameworks.

38.3% of CISOs cited cost as a challenge in implementing new or updated compliance frameworks.

33.5% of CISOs cited audit management as a challenge in implementing new or updated compliance frameworks.

Many CISOs (51.6%) were impacted by their maturing compliance program as a challenge in satisfying regulatory requirements.

Nearly as many (46.3% of CISOs) think the technology will allow them to more rapidly apply governance.

Just over a quarter (27.7% of CISOs) think that automation will improve the ROI on existing tools.

Almost two thirds of organisations (63.7%) do not feel that meeting new regulatory requirements slow their organisational growth.

34.6% of CISOs are challenged by regulatory change management in satisfying regulatory requirements.

Roughly 22.6% of CISOs rate their compliance program a 4 (“Adherence: measured with metrics to support audit and risk mitigation”), but only 5.3% believe their program is a 5 (“Optimized: continuous improvement and efficiency”).

More than one-third (37.2% of CISOs) said that no platform has demonstrated its reliability for Compliance as Code.

Just 17.9% of CISOs are using GenAI tools within their compliance program.

41% of CISOs said that OSCAL adoption is hindered by both a lack of usage and a difficulty in understanding its importance.

More than four-fifths (82.1% of organisations) are not currently using GenAI tools or functions within their compliance program.

Two-thirds (66.3% of all CISOs) surveyed said that their organisation does not measure the operational cost of managing compliance.

Of the organisations that measure the operational cost of managing compliance, more than three quarters (75.4%) track all costs.

Of the organisations that measure the operational cost of managing compliance, 14.5% track compliance expenses.

60% of manufacturers and 52.5% of software and IT services companies see the biggest barrier to adopting Compliance as Code is that no one is using the technology.

33.5% of CISOs are challenged by audit readiness in satisfying regulatory requirements.

75% of retail and consumer goods and 62.5% of entertainment and media corporations are coping with the lack of a centralized system, but retailers are also challenged by silos within their data (75%).

Almost all (94.2% of CISOs) believe that continuous controls monitoring will improve both compliance and security.

54.2% of respondents to the CISO Society survey feel that they have the talent to meet future regulatory requirements.

Research shows over 210 million compromised passwords.

Only 5% of CISOs consider their organisation's compliance program to be optimised for efficiency and continuous improvement.

Nearly 22% of CISOs said they haven’t looked at GRC tools yet.

Nearly one-third (33.2% of organisations) have incorporated automation without GenAI tools.

Approximately four out of five (79.8% of CISOs) believe that a reduction in manual processing is the biggest opportunity to add automation to their compliance and risk management program.

Just 16.3% of CISOs said they experienced cost savings when using technology to enhance their compliance program.

A staggering 80% of CISOs admit to unnecessary duplication in their compliance efforts.

The most commonly compromised password was "123456", being found in over 1.4 million breached credentials.

42% of CISOs are challenged by data and system silos as a challenge in satisfying regulatory requirements.