Conducted in May and June 2025 by the FAIR Institute with sponsorship from GuidePoint Security and SAFE, the 2025 State of Cyber Risk Management research provides a data-driven perspective on how mature organizations are addressing cyber risk management (CRM) and where CRM is headed next.
This report provides the following key takeaways:
- CRM is fueling business results. Top outcomes include improved alignment with the business, greater risk reduction, and optimized cybersecurity spending.
- Those with mature CRM programs are more proactive and business-aligned. High-maturity organizations are more likely to have board-approved risk tolerances, quantify risk in financial terms, embed CRM across business functions, and have a more proactive cybersecurity posture.
- Factor Analysis of Information Risk (FAIR) and cyber risk quantification (CRQ) are gaining momentum. Nearly 45% of organizations use or plan to use FAIR. Among adopters, 90% report success.
- Technology-focused C-suite decision makers benefit most. CTOs, CIOs, and CISOs, along with Chief Risk Officers, are the primary consumers of cyber risk information, utilizing it to inform their strategy, investments, and resource allocation.
- Automation and AI are delivering scale and impact. Seventy-two percent of organizations have mostly or completely automated their CRM systems, and 48% are utilizing AI for CRM. Both CRM automation and the use of AI are strongly correlated with maturity and improved outcomes.
- Data is foundational. Organizations use a wide variety of telemetry, threat, and compliance data to inform their decisions. Those who can operationalize this data gain a clearer and more defensible picture of their risk exposure.
- Demand for CRM is growing, particularly among those with mature programs. Nearly all (95%) respondents said internal demand for CRM is growing. Among those reporting high or very high CRM maturity, 23% indicate that demand will increase significantly.
- The board sets expectations for risk management but is not sufficiently engaged. Nearly all respondents have defined risk appetite and tolerance levels that are formally approved by the board; however, boards consume cyber risk information in less than half of the participating organizations.
- Challenges and gaps remain. Cultural resistance, lack of executive support, and gaps in governance and metrics persist even among more advanced organizations.