Interpreting Maturity: What the 2025 State of Cyber Risk Management Report Really Tells Us


Released last week, the 2025 State of Cyber Risk Management Report paints a compelling picture of progress in the discipline. With 402 cyber risk management (CRM) professionals participating, the report describes a relatively high level of CRM maturity across a wide range of capabilities, including quantitative analysis, automation (including AI), data (including telemetry), third-party risk management, and executive governance. However, as impressive as these results are, they come with an important caveat: this sample is not representative of the industry as a whole.
Todd Tucker is Managing Director of the FAIR Institute
The organizations participating in our research are among the more advanced in CRM, as we intentionally excluded those respondents who had no CRM capabilities or weren’t involved in their CRM programs. The report itself notes the maturity and sophistication of participating programs as a key feature, not a coincidence. This means the findings should be interpreted with the appropriate lens: these organizations are ahead of the curve.
From our work with a broad spectrum of organizations across various industries and geographies, we observe a distinctly different landscape. Many still rely heavily on qualitative methods, compliance checklists, or unstructured assessments. Few have fully integrated CRM with enterprise risk management or adopted FAIR-based quantification on a large scale. To the best of our knowledge, most organizations have not yet reached the maturity levels outlined in this report.
Survey results from the 2025 State of Cyber Risk Management Report
So, how should you use the report if it doesn’t reflect the broader market? Rather than viewing this as a scorecard, treat it as a roadmap:
1. Benchmark Aspirations, Not Averages
Use the report to set strategic goals. It shows where the field is headed in many aspects of CRM. It helps describe a vision of CRM that scales and drives better outcomes than what you might be capable of today.
2. Identify Maturity Gaps
Review the report’s capabilities and compare them to your program. Are you quantifying risk in financial terms? Are your CRM processes automated? Are you influencing strategic decisions?
3. Justify Investment
The documented benefits, including better business alignment, optimized spending, and greater risk reduction, offer a compelling business case for investing in CRM maturity.
4. Promote Informed Governance
Share these findings with boards and executives. Seeing what leading organizations are doing can raise expectations and accelerate progress.
The 2025 State of CRM Report is a valuable barometer if we keep its context in mind. The reported maturity reflects the forefront of the field, not its average. Let’s use it not to measure how far we’ve come, but how far we can go.
Download your copy of the 2025 State of Cyber Risk Management Report now.