FAIR Institute Releases 2025 State of Cyber Risk Management Report

Automation, Quantification, and Business Value Define the New Era for Cyber Risk Leaders

The FAIR Institute today released its 2025 State of Cyber Risk Management Report, revealing an ongoing shift in how leading organizations manage digital risk. Sponsored by GuidePoint Security and SAFE and based on insights from 402 cyber risk leaders from around the globe, the report reveals that cyber risk management (CRM) has evolved from a siloed compliance function into a strategic discipline that informs executive decision-making.

“The way we manage cybersecurity and technology risk is increasingly quantified, data-driven, and aligned to business outcomes and value,” said John Sapp, CISO, Texas Mutual Insurance Company and FAIR Institute Board Member. “This report confirms what many of us have felt, that our risk management efforts are no longer constrained to regulations and standards and that we have the power to create risk-weighted returns for our businesses.”

Key findings include:

  • CRM is fueling business outcomes. High-maturity organizations report improved credibility, better alignment, optimized cybersecurity spending, measurable risk reduction, and a more proactive cybersecurity posture.
  • Technology-focused C-suite decision makers benefit most. In particular, CTOs, CIOs, CISOs, and Chief Risk Officers are the primary consumers of cyber risk information, using it to inform their strategy, investments, and resource allocation.
  • Quantification has gone mainstream. Nearly half of the respondents use or plan to adopt the Factor Analysis of Information Risk (FAIR) model for financially driven risk analysis.
  • Automation, AI, and data are foundational. Seven in ten respondents have automated most or all of their CRM processes; nearly half are using AI to scale and mature their programs; and a strong majority integrate operational data into their risk systems.
  • Demand for CRM is growing, especially for those with mature programs. Nearly all respondents said internal demand for CRM is growing. Among those reporting high or very high CRM maturity, nearly a quarter report that demand will significantly increase.
  • The board sets expectations for risk management, but is not engaged enough. Nearly all respondents have defined risk appetite and tolerance levels that are formally approved by their boards; however, boards consume cyber risk information in less than half of the participating organizations.

“It’s encouraging to see that boards are consistently defining risk appetite to guide cyber risk teams,” said Yvette Kanouff, public company board member and partner with JC2 Ventures. “As risk quantification has evolved, particularly with the FAIR standard, I anticipate CIOs and CISOs will use quantitative risk information as a regular part of their board reporting.”

“This research reveals what we’ve experienced first-hand,” said Michael Walters, CISO for Washington State University. “We found that using FAIR to quantify risk in dollar terms helped our business partners understand the implications of cyber issues. They now see cyber risks as business risks, not just technical risks owned by somebody else.”

Backed by data and peer insights, the report highlights best practices, trends, and challenges, from integrating CRM into business operations to overcoming resistance and governance gaps.

The report is available now at fairinstitute.org/state-of-crm-2025.

PR Newswire
