Cost-saving measures reported by CISOs include reduced security solutions and tools (50%), security hiring freezes (40%), and decreased or eliminated security training (36%).

82% of security leaders report directly to the CEO in 2024, which is up from 47% in 2023.

83% of security leaders participate in board meetings "somewhat often" or "most of the time".

64% of CISOs reveal that the current threat and regulatory environment make them concerned they’re not doing enough.

90% of CISOs have ownership of their organization’s security operations, architecture, governance, as well as digital risk and compliance.

The cyber skills gap has increased by 8% since 2024.

Between 50% and 90% of CISOs identified other elements of business risk, such as disaster recovery, business risk, and third-party risk management, as well as broader security concerns such as product security, as falling under their remit.

The manufacturing industry was the most-targeted industry in R&DE incidents during 2024, accounting for approximately 17.7 percent of attacks globally.

70% of CISOs indicated any raises they received were annual merit-based increases, which on average were 6%.

82% of businesses recognize the need for better tools to manage how their processes intersect.

Real-time, interactive user coaching is used in 34% of organizations to control genAI data risk by empowering individuals to make informed decisions about AI risk in real time.

80% of executives agree they face pressure to reduce the cost of security.

81% of organizations say that without process orchestration, achieving an autonomous enterprise will be a pipe dream.

76.1% of CISOs said integrations are most important when selecting tools/vendors to provide governance and continuous controls monitoring.

More than two thirds (67%) of IT leaders believe vendors are not innovating fast enough to keep up with emerging risks, leaving a critical gap in the market

44.2% of CISOs consider security and compliance a business enabler.

40.4% of CISOs are challenged by the lack of a centralized system as a challenge in satisfying regulatory requirements.

Only 28% of respondents said their organisations informed law enforcement when they were hit by ransomware.

Organizations enrolled in CISA’s Vulnerability Scanning service saw a steady decline in KEVs on their networks.

Newly published API endpoints are discovered by attackers in a mere 29 seconds.