Boards most often ask CISOs for the following metrics: risk-reduction trendlines (51%), quantified business impact (47%), and incident-response performance metrics (40%).

82% of CISOs feel confident quantifying risk.

72% of organizations across the U.S., U.K., France, Germany, and Australia reported that the security risks for their company have never been higher in 2025, marking a 17 point increase from 2024.

45% of risk leaders reported that they can only assess and monitor their tier 1 tech partners.

In a comparison of executive roles, 34% of VP and C-level risk executives are not considering incorporating agentic AI into their operations, while only 20% of directors, managers, and below share this view, indicating a disconnect in AI adoption strategies.

Nearly two-thirds of risk leaders reported that their budgets have not changed at all this year.

66% of risk leaders stated they have reviewed and updated their IT and cyber risk management strategy in response to major disruptions such as the Crowdstrike outage or MOVEit breach

85% of risk leaders globally reported having a business continuity and resilience plan in place to maintain operations during a major IT outage or cyber incident at one of their business-critical service providers.

68% of risk leaders foresee data privacy and security issues as the biggest risks from deploying agentic AI.

38% of risk leaders express concern over unintended actions from runaway processes, such as unauthorized transactions or incorrect pricing changes, as a risk from deploying agentic AI

15% of risk leaders are unaware if their organization is considering incorporating agentic AI into its operations or products.

Only 10% of leaders expressed a lack of confidence in their risk management data in 2025, down from 16% in 2024, reflecting a six-point improvement in trust towards risk data.

In 2025, 40% of companies reported that they mostly or only use spreadsheets to manage risk, a decrease from 53% in 2024, indicating a significant shift towards software use in risk management.

30% of risk leaders claimed that third-party and nth-party risks are not having an impact or are only having a minimal impact on their business in 2024.

16% of risk leaders admitted they cannot monitor and assess the risks of their critical third-party tech partners at all in 2024.

Thirty-nine percent of companies are not conducting worst-case scenario simulations, highlighting a critical gap in risk management practices that needs to be addressed.

60% of companies globally now have a chief risk officer as of 2024, an increase from 52% over the past two years, indicating a growing recognition of risk management as a priority.

The percentage of companies globally that felt very prepared to manage AI risks has remained relatively flat over the past three years, with 9% in 2023, 8% in 2024, and 12% in 2025.

23% of companies globally have a policy against using foreign AI models such as Deepseek in 2025.

8% of risk leaders indicated they can assess and monitor their tier 1 partners, their suppliers, and their suppliers’ suppliers in 2024.