Today, we’re proud to release the FAIR Institute’s 2025 State of Cyber Risk Management report, a comprehensive look at how cyber risk programs are evolving to meet today’s business, regulatory, and operational demands.
Author Todd Tucker is Managing Director of the FAIR Institute
If you care about the future of cybersecurity as a strategic business function that delivers business outcomes, our report will give you many reasons to be optimistic.
Based on a global survey of 402 professionals who actively lead or execute cyber risk management (CRM) in their organizations, the report provides strong evidence that the discipline is maturing and delivering measurable value. Across industries and geographies, we see the same pattern: the organizations that embrace data, automation, and financial quantification (especially with FAIR) are pulling ahead.
It is worth noting that our research focused on established CRM programs. It reveals the best practices, benefits, and challenges of cyber leaders who are actively engaged in identifying, assessing, measuring, and responding to risks. Keep this in mind when reading the report.
We’ve studied this space closely for years, and the positive momentum revealed in our findings is striking:
Speaking of compliance: as the title of this year’s report suggests, cyber risk management is shifting from a compliance-driven obligation to a competitive differentiator. That transformation is most visible in organizations that:
The results are tangible: better credibility with internal stakeholders, more proactive cybersecurity postures, and improved decision-making across the C-suite, especially among those in technology-related functions (i.e., CTOs, CIOs, CISOs).
Despite the progress, challenges remain (of course!). Cultural resistance, gaps in executive engagement, and weaker-than-expected utilization of CRM outputs by corporate boards are still holding many organizations back. Integration with product development, HR, and line-of-business teams also lags and represents a major opportunity for growth.
What struck me most was that people-related challenges were cited most often. Technical ones, like a lack of reliable threat intel or inadequate data about third-party controls, were reported by far fewer respondents. And resource constraints (i.e., budget, skills) were further down the list.
This means that we have a lot to do to change hearts and minds. Organizational change management should be at the top of the list when it comes to CRM. For example, why isn't CRM integrated into product-related decisions more often? Product development is a major source of changes to your risk factors (e.g., controls, threat landscape, business impact). Despite the many positives identified in this report, there is still a big opportunity to integrate cyber risk insights into business decision-making.
The 2025 State of Cyber Risk Management report provides data you can use to influence your roadmap, articulate your vision for CRM, and justify resources. It shows that the organizations investing in data, automation, and financial quantification aren't just complying with regulations and doing the bare minimum; they're reducing risk, optimizing cybersecurity spending, and making risk-informed decisions. And those outcomes are why CRM exists in the first place.
Thank you to those who helped with the research and report. And a special thanks to our sponsors, GuidePoint Security and SAFE, who provided not only financial support but also valuable advice and counsel throughout the project.
We look forward to having many conversations with the community about our findings in the weeks and months ahead.
Download the report here.