Ransomware remains the greatest threat (46%) to financial organisations.

19% of CISOs cited software supply chains as posing significant threats to security.

78% of UK senior security decision makers reallocated budget from other business areas to meet DORA compliance requirements.

48% of UK senior security decision makers reallocated staff members from other projects.

66% of UK CISOs and senior security decision-makers believe that DORA will significantly increase cybersecurity costs in the long term.

Only 5% of CISOs consider their organisation's compliance program to be optimised for efficiency and continuous improvement.

30.3% of CISOs are challenged by control mapping in satisfying regulatory requirements.

Nearly 22% of CISOs said they haven’t looked at GRC tools yet.

Nearly one-third (33.2% of organisations) have incorporated automation without GenAI tools.

Approximately four out of five (79.8% of CISOs) believe that a reduction in manual processing is the biggest opportunity to add automation to their compliance and risk management program.

Just 16.3% of CISOs said they experienced cost savings when using technology to enhance their compliance program.

A staggering 80% of CISOs admit to unnecessary duplication in their compliance efforts.

The most commonly compromised password was "123456", being found in over 1.4 million breached credentials.

Requiring an Active Directory password length of at least 13 characters would significantly reduce the risk of cloud application password reuse.

48% of enterprises report implementing specific security controls for AI deployments.

63% of privacy professionals interact with IT operations and development.

50% of boards with a CISO member report excellent or very good relationships when budgeting adequately to meet goals, compared to 24% for boards without a CISO member.

In 2008, 100% of organizations in BSIMM1 conducted software security awareness training. By BSIMM15, this rate has declined to 51.2% of organizations, marking the lowest rate to date.

Only 51.2% of organisations now offer basic security training, which is the lowest rate observed since the BSIMM initiative began in 2008.

9% of respondents in enterprises whose boards viewed privacy programs as purely compliance driven reported currently using AI for privacy.