Survey: Continuous Monitoring Emerges as Top Priority for Security Leaders in Germany

Written by Emma Stevens
Threat Intelligence Researcher

German cybersecurity teams are making meaningful progress in exposure management, but critical gaps remain that limit their ability to reduce business risk. That’s one of the key takeaways from Bitsight’s State of Cyber Risk and Exposure 2025 report, which surveyed 1,000 cyber risk professionals globally, including 150 based in Germany.

The report highlights a clear shift: German organizations are prioritizing investments in continuous monitoring and exposure management, yet many still lack the ability to translate security data into actionable intelligence that supports business-aligned decision-making. Without that context, even mature programs risk falling short.

In this geographic spotlight, we explore what’s driving cyber risk in Germany, how security leaders are responding, and where they stand relative to peers in the UK, US, and beyond. The data points to a strong appetite for progress and a path forward for organizations looking to turn visibility into strategic advantage.

German cyber professionals say their jobs are harder than ever

Like the rest of their global counterparts, German cyber professionals are under tremendous pressure to minimize the damage and financial consequences of cyber risk even as the threats keep multiplying. The study shows that 91% of German respondents believe that managing cybersecurity risks is harder now than it was five years ago. This mirrors the rest of the response pool, which stood at 90%.

As with the rest of global respondents, Germans reported that the number one cyber risk challenge that keeps them up at night is accelerating AI risks, cited by 47% of respondents from Germany. Issues like the scale and diversity of threats facing the business and the inability to prioritize the riskiest threats and exposures still ranked in German companies’ top five risks, but the number two problem was lack of visibility into assets and attack surfaces. Germans are more likely to name this as a concern than those in the UK or in the broader response pool:

Which cyber risk challenges are most likely to keep you up at night
| Challenge | Germany | UK | Global |
| --- | --- | --- | --- |
| Accelerating AI risks | 47% | 40% | 43% |
| Lack of visibility into assets and attack surfaces | 39% | 27% | 30% |

By contrast, when we asked UK cyber professionals the top three cyber risk challenges that keep them up at night, the number one answer was the scale and diversity of threats facing the business, cited by 41% of respondents.

This was also different from the number one cause of sleepless nights across global responses, which was accelerating AI risks (though that concern did rank number two in the UK, followed closely by a lack of alignment with the business).

When it came to concerns about specific kinds of security breaches, German responses were spread more evenly across the categories than global responses or those from US firms. The survey asked respondents to pick their top two concerns, and whereas 72% of US respondents named data breaches in those top picks, just 37% of German companies reported the same. We speculate that this is likely due to the investment that German companies have had to make around privacy controls in the wake of GDPR.

For German firms, the number one incident they are worried about is ransomware, which was named by 39% of respondents. Number two was breaches, followed by Distributed Denial-of-Service (DDoS) (32%) and supply chain attacks (28%).

[Figure: Top 5 security incident concerns in German vs. US companies, 2025]

A look at German cyber risk maturity

German respondents were more self-critical about the maturity level of their cyber risk management practices than US companies, but they led global responses. Some 71% of German respondents reported that they’re at least moderately mature, which was a few points above the global benchmark of 67%. However, only 17% report themselves as very mature. This trails behind the US level of very mature firms, which stood at 28%. The good news is that a scant 1% of German firms admit that they’re very immature and only 11% said they’re moderately immature. This is far better than the global rate of immaturity, which stands at 20%.

Nevertheless, there’s still a lot of work to be done for many firms in Germany to institute a programmatic approach to risk management that’s well-aligned to the business. Only 81% of companies have a formal cyber risk management program in place, lagging behind the US rate of 92% and the UK rate of 87%. What’s more, just 26% of German firms say that they have a program that is well-aligned with the business. This also lags behind US and UK firms:

Does your organization have a formal cyber risk management program that monitors, prioritizes, and manages cyber risk in the context of business risk?
| Response | Germany | US | UK |
| --- | --- | --- | --- |
| Yes, we have a formal program, but we’re still working on managing cyber risk in the context of business priorities | 55% | 58% | 54% |
| Yes, and it is well-aligned with the business | 26% | 34% | 32% |

Visibility benchmarks

The lack of visibility that concerns German firms is likely connected to the lack of a formal program. Formal programs are fed by continuous monitoring, and they also drive it. The survey showed that German firms are still figuring out how to implement and get the most out of continuous monitoring of assets and third-party relationships. The study showed that only 40% of German organizations continuously monitor their assets, and just 17% continuously monitor and are also able to regularly map threats across their environment and contextualize that data with risk factors to help them prioritize exposure management. That’s in contrast to 54% of US firms that continuously monitor and 22% that also contextualize that monitoring data.

Drilling specifically into exposure management tooling and practices, a solid 81% of German firms say they have an exposure management program in place and have started to deploy attack surface management tools to run it. However, only 29% of German firms believe that they have mature processes in place to run their exposure management programs.

German firms aren’t just struggling to implement and use continuous monitoring on their own internal assets. They’re also lagging behind global firms when it comes to third-party risk management and monitoring. Fewer than a third of German companies (26%) report that they continuously monitor all of their third-party relationships for cyber risk. That lags behind counterparts globally and specifically in UK and US firms:

We continuously monitor all of our third-party relationships for cyber risk
| Germany | Global | UK | US |
| --- | --- | --- | --- |
| 26% | 33% | 43% | 38% |

The lack of visibility hurts companies in a lot of different ways, and also takes a toll on the mental health of cybersecurity staffers. The global results showed that companies that use asset monitoring to discover and prioritize exposure mitigation are 30% less likely to have staff suffering from burnout. According to our study, some 49% of German firms report that their staff are experiencing some level of burnout.

Continuous monitoring is a top spending priority

The good news is that German companies have deemed continuous monitoring a top spending priority for the next year. Almost a third of firms voted this the number one spending initiative, ahead of IAM, vulnerability management, endpoint management, and security training:

Which security and risk initiatives do you consider most urgent for the next year (2025)? Select top three

| Initiative | Germany | Total |
| --- | --- | --- |
| Continuous monitoring | 31% | 31% |
| Identity and access management | 29% | 29% |
| Vulnerability management | 27% | 29% |
| Endpoint management / endpoint detection and response | 26% | 25% |
| Security training | 26% | 22% |
| Software supply chain security | 25% | 24% |

The 2025 State of Cyber Risk and Exposure report shows that German organizations and their peers still have significant work to do if they want to both identify and understand the business risk around cyber exposures that threaten their digital ecosystems. Simply identifying exposures isn’t enough: security teams and business stakeholders alike need to contextualize risk data with business priorities and actionable threat intelligence to drive meaningful mitigation efforts. To dive more fully into these trends and read our analysis of what the survey means for enterprises, check out the full State of Cyber Risk Intelligence 2025 report here.
