2025 Cybersecurity Threat and Risk Management Report

As the intensity and frequency of cybersecurity incidents increase, companies are mobilizing their defenses against potential threats. As shown in this research, to improve their security posture, organizations are allocating more resources to arm their IT security teams with artificial intelligence (AI), machine learning (ML), Secure Access Service Edge (SASE) or Security Service Edge (SSE), and Security Orchestration, Automation and Response (SOAR).

The purpose of this research, sponsored by Optiv but conducted independently by Ponemon Institute, is to learn the extent of the cybersecurity threats facing organizations and the steps being taken to manage the risks of potential data breaches and cyberattacks. Ponemon Institute surveyed 620 IT and IT cybersecurity practitioners in the U.S. who are knowledgeable about their organizations’ approach to threat and risk management practices.

Most organizations are increasing their cybersecurity budgets. In this year’s study, 79 percent of respondents say their organizations are making changes to their cybersecurity budget. Of these respondents, 71 percent say cybersecurity budgets are increasing, with the average budget at $24 million. Only 29 percent of respondents say budgets will decrease. The budget increase correlates with the heightened volume of threat vectors, with 66 percent of respondents reporting that cybersecurity incidents have increased significantly or increased in the past year, up from 61 percent in 2024.

Cybersecurity budgets are most often based on assessments of the threats and risks facing the organization. The use of risk and threat assessments increased significantly, from 53 percent of respondents in 2024 to 67 percent of respondents in 2025. Effectiveness in reducing security incidents is the second most often used factor in deciding budget allocation (56 percent of respondents in 2025 and 61 percent of respondents in 2024).

Best practices in achieving a strong cybersecurity posture

Fifty-eight percent of respondents rate their organizations as highly effective in reducing cybersecurity threats. These respondents are referred to as high performers, and their best practices are shown below.

High performers are more likely to have a Cybersecurity Incident Response Plan (CSIRP) that is applied consistently across the entire enterprise. Sixty percent of high performers have an enterprise-wide CSIRP vs. 45 percent of other respondents. High performers also rate the effectiveness of their organizations’ CSIRP higher (80 percent vs. 49 percent).

High performers are briefing C-level executives and/or board members more often than other respondents. Regular briefings to leadership are important to ensuring IT and IT security functions have the necessary resources and support to reduce cybersecurity risks and threats. Seventy-two percent of high performers report on the state of the cybersecurity risk management program to C-level executives monthly (40 percent) or quarterly (32 percent). Only 16 percent of the other respondents brief leadership monthly and 19 percent say they provide briefings quarterly.

High performers are ahead of other organizations in implementing a SASE or SSE. Forty-six percent of high performers have fully implemented a SASE or SSE vs. only 16 percent of other respondents.

High performers are more likely to say they have the right number of separate cybersecurity tools. Only 33 percent of high performers say their organizations own too many cybersecurity tools vs. 48 percent of other respondents. High performers are also significant users of SOAR. Fifty-three percent of high performers use SOAR significantly vs. 25 percent of other respondents.

Effective monitoring and observation of AI usage and threats requires visibility into AI systems. Sixty-four percent of high performers have this visibility vs. only 42 percent of other respondents.

The following findings suggest progress in managing cybersecurity risks and threats.

Cybersecurity incidents continue to increase. In 2025, 66 percent of respondents say cybersecurity incidents increased significantly (31 percent of respondents) or increased (35 percent of respondents), a slight increase from 61 percent in 2024. Fifty-eight percent of respondents in the 2025 study say their organizations had a data breach or cybersecurity incident in the past two years. Fifty-four percent of organizations represented in this research had four or more data breaches or cybersecurity incidents in the past two years.

Organizations plan to increase investments in assessments of their security processes and governance practices. The most important investment in the coming year is an internal assessment of their organizations’ security processes and governance practices (63 percent in 2025 and 60 percent in 2024). Other top areas planned for investment are more cybersecurity tools (56 percent in 2025 and 51 percent in 2024) and cloud security (46 percent in 2025 and 42 percent in 2024).

Cybersecurity Incident Response Plans (CSIRPs) are considered effective in reducing risks and threats. A Cybersecurity Incident Response Plan (CSIRP) is a documented strategy that outlines how an organization will respond to and manage cybersecurity incidents, such as data breaches or ransomware attacks, to minimize damage and restore operations quickly.

In 2025, 51 percent of respondents say their organizations have a CSIRP that is applied consistently across the entire enterprise, an increase from 46 percent in 2024. The frequency of CSIRP reviews has increased to 61 percent of respondents (each quarter, 25 percent, or twice per year, 36 percent) from 52 percent of respondents in 2024 (each quarter, 23 percent, or twice per year, 29 percent). More organizations are also providing a formal report of the CSIRP to C-level executives and the board of directors (45 percent in 2025 vs. 39 percent in 2024).

CSIRPs are becoming more effective in minimizing the consequences of a cybersecurity incident, an increase from 50 percent of respondents in 2024 to 57 percent of respondents in 2025. Since 2024, the effectiveness of the CSIRP in mitigating cyber risks has also increased significantly, from 50 percent to 58 percent in 2025.

Since 2024, more organizations measure the effectiveness of their cybersecurity risk management program based on the reduction in the time to patch software application vulnerabilities. Faster patching of vulnerabilities is considered critical to an effective cybersecurity risk program. Forty-four percent of respondents say they are using this metric, an increase from 37 percent of respondents in 2024.

The other most frequently used metric is the time to detect a data breach or other security incident (44 percent of respondents in 2025 vs. 47 percent of respondents in 2024). Assessment of supply chain security increased from 30 percent to 36 percent of respondents. The time to recover from a data breach or other security incident decreased in importance, from 41 percent to 36 percent of respondents.

Organizations are adopting SASE and SOAR to better manage cybersecurity risks and threats. Sixty-six percent of respondents say their organization has fully implemented (31 percent) or partially implemented (35 percent) SASE. Only 15 percent of respondents say there are no plans to implement SASE. The significant and moderate use of SOAR continues to be an important part of organizations’ efforts to reduce cybersecurity threats (73 percent of respondents in 2024 and 72 percent of respondents in 2025).

The number of cybersecurity tools is just right. Only 44 percent of respondents say their organizations have too many cybersecurity tools to achieve a strong cybersecurity posture. The average number of separate cybersecurity technologies has not changed in the past year. In 2025, respondents say their organizations have an average of 55 and last year the average was 54.

Recommendations for improvement as cybersecurity incidents continue to increase

A lack of visibility into the existence and location of vulnerabilities puts organizations at risk. The biggest challenge to having an effective vulnerability management plan is the lack of understanding of every potential source of vulnerability, including laptops, desktops, servers, firewalls, networking devices and printers, according to 74 percent of respondents. Only periodically scanning, analyzing, reporting and responding to vulnerabilities reduces effectiveness, according to 67 percent of respondents.

Automation successfully reduces the time to respond to vulnerabilities. Thirty-four percent of respondents say automation has significantly shortened the time to respond to vulnerabilities and 23 percent of respondents say it has slightly shortened the time to respond.

Visibility and control of assets help organizations identify potential security gaps and address vulnerabilities before they are exploited. Asset inventory management programs monitor and maintain an organization’s assets. However, only 42 percent of respondents say their organizations include an asset inventory program as part of managing the risks created by vulnerabilities. Thirty-nine percent of respondents say their organizations both assign owners to the assets in their inventory and rank those assets by criticality.

To read the full report, including key findings, visit Optiv.com

Can the new pope give Big Tech and AI a conscience?

Bob Sullivan

The AI Pope? The Pope for AI times, anyway.

Just over a century ago, Pope Leo XIII stood for workers and humanity over the creeping inhumanity of the Industrial Revolution. It seems Leo XIV is spoiling for the same kind of fight, and boy do we need that.

It’s been almost ten years since I wrote a story titled, “A billion useless people…but not one seems very concerned.” I’ve worried about it almost every day since then. Long before the moniker AI was on every tech publicist’s lips, smart people around the world were already predicting that robots would soon eliminate whole classes of work. Oxford University ranked 700 jobs at risk of “computerization” and…well, most people will be surprised how high their career ranks on the list (I’m looking at you, lawyers).

I now realize “a billion” was probably being optimistic. What will the world look like when there are no jobs for most people? On a parallel track, I’ve long been worried about the land hoarding problem — there are no homes for young people today, and there are no properties for small business owners, either.

In one sense, I am comfortable saying that promises of a coming AI world are wildly exaggerated, in a dot-com-bubble kind of way. Computers are good at repetition and bad at exceptions. Real life is full of exceptional circumstances that will foil AI for years to come. Just watch what happens when a self-driving car meets an urban parking situation, for example.

But AI will do what Big Tech always wants new tech to do — help corporations cut costs. Customer service, already hanging on by a thread, will soon be doomed forever to the land of chatbots. But that’s just a symptom. In the next few years, you’re going to see Wall Street cheer every time a company lays off workers and credits enterprise-wide AI implementation. Some hired economist will blah-blah-blah about retraining workers for even better jobs. Tell that to all the 50-something single moms out there who must find new careers to get health insurance for their kids.

This “progress” feels pretty inevitable. That’s why it’s so important that a world figure like the new pope said he was ready to take on this challenge. In his very first speech to the College of Cardinals, he warned that AI is a threat to “human dignity, justice and labor.” That’s quite a tech-savvy statement for a 69-year-old missionary. The man holds a mathematics degree, so Big Tech would be unwise to underestimate him. This New York Times story offers a bit more insight into the complex tech debate the new pope has waded into.

As always, the issue is even more complex, and more fundamental, than AI. And that’s why the name Leo XIV matters. The name Pope Leo XIII doesn’t fall trippingly off the tongue, even for Catholics, but his papacy came at a time of similar upheaval in world economics — the late Industrial Revolution.

Leo XIII’s signature publication is called Rerum Novarum — strictly speaking, “Of New Things.” A refreshingly simple name for a momentous topic. I know what you’re thinking: why should any economist care what a pope says? Read it for yourself and you’ll see why: it’s remarkably balanced and thoughtful, with conclusions that are still highly relevant today.

At the time, capitalists were running roughshod over workers by forming gigantic, all-powerful trusts — think Standard Oil and the Rockefellers. Naturally, worker revolts were increasingly common, and worker anger helped fuel the rise of communism and socialism.

Rerum Novarum, published in 1891 — sometimes referred to as “Rights and Duties of Capital and Labor” — called for worker dignity and fair pay. One example: “Some opportune remedy must be found quickly for the misery and wretchedness pressing so unjustly on the majority of the working class.”

On the other hand, it also described the importance of private property. In the same breath, the document rejects socialism and property redistribution outright, saying it would give governments an outsized role in controlling individual lives. It says, “Their contentions are so clearly powerless to end the controversy that were they carried into effect the working man himself would be among the first to suffer. They are, moreover, emphatically unjust, for they would rob the lawful possessor, distort the functions of the State, and create utter confusion in the community.”

On the other, other hand, the encyclical cautions against what I have come to call property hoarding. While individuals should have the right to own property — to possess that which they have invested themselves in — property should ultimately be used for the common good. Rerum Novarum laid the groundwork for a later encyclical written by Pope Pius XI during the Depression warning about the “twin rocks of shipwreck” — individualism on one side and collectivism on the other. Quite a poetic turn of phrase, but also quite a pragmatic, dualistic view of the world. The kind of balance our Blue vs. Red world is sorely lacking today.

I’m sure you are thinking that Leo XIII did not manage to stop the Russian Revolution, or the American Communist movement, or even the excessive individualism that has led to American property hoarding today. And you are right. I hold no fantasy that the new pope can ward off the scary future that artificial intelligence might bring. On the other hand, who else will stick up for worker rights, and individual property rights, in our time? You’ll have to wait a long time before Big Tech companies prioritize a healthy middle class.

The Catholic church has many problems of its own to address, and I hope the new pope faces them head on. But I am thrilled that concerns about artificial intelligence were among the first words out of the new pontiff’s mouth. We can only hope more world leaders join him.