The second annual Fortra State of Cybersecurity Survey is here. It reveals that organizations are ensuring their foundational and fundamental cybersecurity position is robust to combat more sophisticated threats and comply with more stringent regulations. We also see a rise in the utilization of managed security services owing to budgetary constraints, compliance, and operational efficiency.
The 2025 survey collects insights from global practitioners occupying more than a dozen roles across two dozen industries on the factors they anticipate will define the upcoming year and the associated measures they are taking. This year’s survey focuses on determining what risks and initiatives, challenges, tools and trends, and staffing issues organizations face.
Examining respondents’ thoughts on these key topics and contrasting them with the previous year’s survey reveals some general trends.
Cybersecurity Maturity a Top Priority
When asked for their organization’s top 5 cybersecurity initiatives for the next 6-12 months, three top answers emerged from the data. These were identifying and closing security gaps, improving security culture and awareness, and limiting outsider threats. Seeing these more holistic measures being prioritized over more specific threats described in the survey, such as supply chain security, cloud security, and insider threats, indicates a desire for overall cybersecurity capability and resilience.
The Fortra report reveals that organizations are prioritizing their overall cybersecurity maturity to tackle the challenges facing them in the year ahead. Cybersecurity maturity represents an organization’s level of readiness to defend itself and its digital assets against cyberattacks. It can be considered to operate on three levels: foundational IT/OT and security control processes, fundamental security control capabilities, and advanced security control capabilities.
Challenges Ahead
Respondents reported that the top three challenges they are most concerned about in the year ahead are phishing and smishing, malware and ransomware, and social engineering. Fortra CEO Matt Reck stated that, “Phishing continues to be the most pervasive daily threat for companies around the world.”
Attackers are using AI tools like ChatGPT to craft highly detailed phishing emails and smishing (SMS) messages that include personal details and references to recent events, making them seem more credible than ever.
Show me the money
Unsurprisingly, budgetary constraints topped the list of challenges organizations expect to face when executing their security strategy in the next 6-12 months. Budget limitations, a lack of security knowledge and skills, and balancing security controls and business efficiency emerged as the top three challenges.
The rising number of data breaches and cyberattacks we have seen, particularly in the last year, requires C-suite executives and board members to take accountability for their organization’s cybersecurity. The potential legal, financial, and reputational risks organizations can face make it crucial for leadership to prioritize cyber risk management. With more executives being held accountable for cybersecurity failures, resources for securing the enterprise are increasingly stretched. Now, more cybersecurity stakeholders are involved beyond the Chief Information Security Officer (CISO) and the Security Operations Center (SOC).
Increased adoption of managed security services
We continue to see an increase in the adoption of managed security services. Outsourcing is rising, with 60% of respondents looking to outsource penetration testing, 56% for email security and anti-phishing, and 47% for vulnerability management.
The primary driver is transferring some of the operational burden to a third party to free up resources and in-house teams for higher-value projects. Another significant factor in outsourcing is the need to satisfy the requirements of compliance standards like PCI DSS and HIPAA; handing that work to a provider allows staff to focus on strategic projects.
Our Survey Says
The results of this year’s survey show that organizations are looking to operate more effectively and within their means as regulations become more stringent and breaches more costly. Increasingly sophisticated threat actors are deploying more readily available AI tools that have leveled up their attack methods, and organizations are looking to equip their SOCs with as much autonomous help as possible.
The damage from a breach is costlier than ever, and accountability is reaching beyond the CISO and SOC into the boardroom. Organizations are looking to ensure their staff are aware and equipped to contend with the evolving threat landscape.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.