New Research: Why 9 in 10 Cybersecurity Leaders Say Their Job Is Harder Today

In today’s environment—marked by accelerating threats like ransomware, increasingly complex supply chains, and the growing footprint of AI and IoT—managing cyber risk has never been more urgent or more difficult.

Our latest research with Sapio Research, The State of Cyber Risk and Exposure 2025, draws on the insights of 1,000 cybersecurity and cyber risk leaders around the world to understand what they are focused on today and what will be keeping them up tomorrow. Overwhelmingly, 90% of respondents said managing cyber risk is more difficult than five years ago, citing AI-automated threats and widening attack surfaces as their top challenges.

While the full findings are complex and insightful, one takeaway is clear: many organizations are still struggling to achieve the visibility needed across their extended digital ecosystems. Even among those that have made progress, a critical gap remains—the inability to contextualize exposure data with business relevance and threat intelligence.

True cyber risk intelligence depends on integrating several key elements, including threat intelligence, exposure data, business context, and risk scoring. When aligned effectively, these inputs empower organizations to deliver actionable insights to both security teams and business stakeholders. The results are better decisions, stronger governance, and improved security outcomes.

Visibility and monitoring are top priorities, but gaps persist

The core of this State of Cyber Risk and Exposure 2025 report focused on how well organizations are driving extended visibility into their ecosystem—because even with the best intelligence feeds, organizations struggle to understand which threat trends are directly relevant to their business if they lack data about exposures in their assets and their supply chain.

The good news is that a growing contingent of cybersecurity leaders understand the importance of continuous monitoring and visibility for making risk-based decisions. The report found that:

• In the past year, continuous monitoring of the attack surface jumped from the number seven cyber security investment priority to number one.
• 45% of organizations continuously monitor at least parts of their environments to discover IT assets at risk.
• But only one-third of businesses continuously monitor all of their third-party relationships for risk exposure.

What it takes to deliver business-aligned cyber risk outcomes

There is still significant progress to make in order to turn awareness into meaningful cyber programs that deliver actionable insights to the business. The study also showed that: 

• Only 17% of organizations have the capacity to also regularly map threats across their environments and contextualize that with multiple risk factors for full visibility.
• Only 19% of those surveyed would judge their cyber risk management practices as “very mature.”
• Just 29% of organizations report that they have a formal cyber risk management program that is also well-aligned with the business.
• However, organizations with a formal, business-aligned cyber risk management program are 4.5x more likely to continuously monitor all of their relationships than those without a program.

The State of Cyber Risk and Exposure 2025 reveals a cybersecurity community that is increasingly aware of the importance of visibility, context, and alignment—but still navigating the complexities of execution. Cyber risk leaders who prioritize continuous monitoring, third-party oversight, and contextualized intelligence are better equipped to communicate risk effectively to the board, make data-driven decisions, and ultimately improve resilience across the enterprise. Those that embrace this shift not only reduce their exposure—they position cybersecurity as a strategic enabler of business success.

To explore the full set of insights, benchmarks, and actionable recommendations, download the complete report here.