The Duty to Know: Why Security Leaders Can’t Afford Ignorance

Horizon3.ai  |  April 28, 2025  |  Blogs

Security Leaders Are on the Hook for More Than Ever

Let’s be blunt—security leaders aren’t just responsible for defending their organizations; they’re responsible for proving their “security” actually works.

Board scrutiny is rising. Regulators are watching. And when a breach happens, “we didn’t know” won’t cut it.

Further analysis of a Horizon3.ai survey of 375 security leaders in the US, UK, and EU revealed just how high the stakes are:

  • 32.5% fear the boardroom and regulatory fallout the most—facing executives, investors, and government scrutiny after an incident.
  • 27.7% are most concerned about direct financial and operational losses, including customer trust erosion.
  • 25.9% worry about explaining why their security controls failed, exposing gaps in detection and response.
  • 13.9% dread the reputational damage of being in the news for the wrong reasons.

These aren’t just hypothetical concerns. Recent legal actions have shown that CISOs can and will be held personally accountable for failing to disclose cyber risks or properly handle security incidents. In some cases, failing to maintain an accurate understanding of risk—and failing to communicate it transparently—has resulted in regulatory investigations, lawsuits, and even criminal charges.

The message is clear: it’s not just about stopping attacks—it’s about answering for them. And without proof that their security investments are making an impact, CISOs are left exposed.

What Security Leaders Want to Know

Security leaders don’t need more data—they need the right insights to make real security improvements. Yet, despite knowing what’s important, many organizations still struggle to align their investments with their priorities. Our survey found:

  • 41% want to know what attackers will target first, ensuring teams focus on the most likely entry points.
  • 37% need a better way to communicate risk to leadership and the board, highlighting the growing demand for clear, data-driven reporting.
  • 36% seek a real-time understanding of risk based on actual attack paths, rather than outdated compliance checklists.

However, 31% admitted they still invest more in reactive security measures than proactive ones—proving that many security teams are still operating in crisis mode instead of working to prevent attacks before they happen.

Where Organizations Are Failing Today

Despite increased security spending, many organizations are still failing where it matters most—knowing what’s truly exploitable, prioritizing real risks, and proving security effectiveness. 

Too many teams rely on outdated compliance checklists, fragmented tools, and assumptions instead of real validation. The data doesn’t lie: CISOs are struggling to align security investments with the actual threats they face. The Horizon3.ai Annual Insights Report: The State of Cybersecurity in 2025 reveals exactly where organizations are falling short—and what security leaders must do differently.

You Can’t Defend What You Don’t Understand

When a cyber incident occurs, CISOs and security leaders must account for what they knew, what they should have known, and how they responded. Simply saying “we didn’t know” is no longer a defensible position.

Yet many organizations still rely on outdated risk measurement methods that provide visibility without validation. Instead of focusing on real-world exploitability, security teams are still using tools that generate high volumes of low-value alerts:

  • Vulnerability scanners produce endless lists of potential issues but fail to distinguish what’s actually exploitable.
  • Annual pentests offer a limited snapshot that quickly becomes outdated.
  • Compliance audits may confirm alignment with frameworks, but they don’t measure whether an attacker could actually breach the organization.

This is where the Duty to Know comes in—the obligation for security leaders to maintain an up-to-date, evidence-based understanding of where they’re vulnerable and how those risks could be exploited in a real attack.

Real-World Risk Reduction in Action

One national materials provider, serving aerospace and military sectors, ran its first NodeZero assessment to better understand its internal risk. The findings were serious:

A compromised domain, widespread access to user accounts, and millions of sensitive resources at risk.

But the team didn’t stop at awareness. They used the results to prioritize remediation and then retested to validate improvements. Within weeks, they:

  • Reduced the number of weaknesses by nearly 50%
  • Cut compromised credentials by 75%
  • Shrunk the number of affected systems from dozens to just a handful

For this organization, the difference between reacting and responding was measurable. By shifting from assumptions to validation, they reduced their attack surface, improved their resilience, and proved security progress in a way that mattered.

That’s the Duty to Know in action.

Transforming Metrics Into Meaning

For CISOs, security leadership isn’t just about making the right investments—it’s about proving they deliver real, measurable improvements. 

When asked, “Are we more secure today than we were last quarter?”, the answer must be backed by data, not assumptions.

Instead of relying on disconnected tools and ad-hoc reports, security teams need a continuous, validated view of how their security posture evolves over time. Without a way to track real progress, security leaders are left guessing. NodeZero Insights™ provides that clarity. It tracks:

  • How quickly critical risks are mitigated
  • How efficiently issues are resolved
  • How effectively attack paths are being eliminated

One of the most telling security metrics is Mean Time to Remediate (MTTR)—a measure of how long it takes to close verified security gaps. With NodeZero Insights™, organizations can track and measure MTTR over time, ensuring that weaknesses aren’t just identified but rapidly addressed. The latest MTTR data confirms that security teams using validation-based approaches can significantly reduce risk exposure in real time.

Beyond being a key performance indicator, MTTR is a critical artifact of the Duty to Know.
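As an added illustration (this is not NodeZero's code or output), the following Python computes the kind of remediation summary described above from a constructed set of verified findings; the finding records, dates, severities and field names are assumptions for the example. Two details matter for the metric to be defensible in front of a board: still-open findings are excluded from the mean but reported with their age (otherwise leaving things open would make MTTR look better), and the summary can be evaluated as of a past date, so "last quarter's" figure is reproducible rather than recomputed from today's data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

DAY = 86400.0


@dataclass(frozen=True)
class Finding:
    """A verified weakness: when it was first confirmed exploitable and,
    if a retest confirmed it closed, when. Field names are assumed."""
    id: str
    severity: str                        # "critical" | "high" | "medium" | "low"
    found_at: datetime
    closed_at: Optional[datetime] = None  # None = still open


# Constructed sample data for the example, not real assessment results.
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", datetime(2025, 3, 3), datetime(2025, 3, 5)),
    Finding("F-2", "critical", datetime(2025, 3, 3), datetime(2025, 3, 10)),
    Finding("F-3", "high",     datetime(2025, 3, 4), datetime(2025, 3, 25)),
    Finding("F-4", "high",     datetime(2025, 3, 20)),                       # open
    Finding("F-5", "medium",   datetime(2025, 3, 4), datetime(2025, 4, 14)),
    Finding("F-6", "critical", datetime(2025, 4, 10), datetime(2025, 4, 12)),
    Finding("F-7", "low",      datetime(2025, 3, 5)),                        # open
]

AS_OF = datetime(2025, 4, 28)            # report date
PRIOR_QUARTER_END = datetime(2025, 3, 31)
TREND_START = datetime(2025, 3, 1)


def remediation_summary(findings, severity=None, as_of=AS_OF):
    """MTTR in days for findings closed by `as_of`, optionally per severity.

    Findings discovered after `as_of` are ignored; findings closed after
    `as_of` (or never) count as open at that date, so the same call with an
    earlier `as_of` reproduces what the dashboard showed back then.
    """
    subset = [f for f in findings
              if f.found_at <= as_of and (severity is None or f.severity == severity)]
    closed = [(f.closed_at - f.found_at).total_seconds() / DAY
              for f in subset if f.closed_at is not None and f.closed_at <= as_of]
    open_ages = [(as_of - f.found_at).total_seconds() / DAY
                 for f in subset if f.closed_at is None or f.closed_at > as_of]
    return {
        "severity": severity or "all",
        "closed": len(closed),
        "open": len(open_ages),
        "mttr_days": round(mean(closed), 1) if closed else None,
        "median_days": round(median(closed), 1) if closed else None,
        "oldest_open_days": round(max(open_ages), 1) if open_ages else 0.0,
    }


def mttr_trend(findings, start=TREND_START, period_days=31, periods=2):
    """MTTR per consecutive reporting period, bucketed by closure date.

    Returns (period_start, closed_count, mttr_days) rows; `None` MTTR means
    nothing was closed in that period, which is itself worth reporting.
    """
    rows = []
    for i in range(periods):
        lo = start + timedelta(days=period_days * i)
        hi = lo + timedelta(days=period_days)
        durations = [(f.closed_at - f.found_at).total_seconds() / DAY
                     for f in findings
                     if f.closed_at is not None and lo <= f.closed_at < hi]
        rows.append((lo.date().isoformat(), len(durations),
                     round(mean(durations), 1) if durations else None))
    return rows


if __name__ == "__main__":
    for sev in (None, "critical", "high"):
        print(remediation_summary(SAMPLE_FINDINGS, sev))
    print("as of prior quarter:", remediation_summary(SAMPLE_FINDINGS, as_of=PRIOR_QUARTER_END))
    print("trend:", mttr_trend(SAMPLE_FINDINGS))
```

Running it on the constructed data shows why a single headline MTTR is not enough: the critical-severity MTTR is a few days while the all-severity figure is pulled up by a medium finding that sat open for weeks, and the month-over-month trend gets worse in April precisely because that old finding was finally closed. Reporting MTTR per severity alongside the count and age of what is still open keeps the number honest.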

Figure: NodeZero Insights MTTR – Remediation Summary

It’s the difference between telling regulators, boards, and stakeholders, “We took every possible step to reduce the attack window,” versus being caught unprepared when the post-breach questions come.

Asking the Right Questions

Meeting the Duty to Know doesn’t require an overhaul. It starts with a shift in mindset—and a few key questions:

  • Do you have confidence in knowing what’s exploitable in your environment today?
  • Are your security controls actually working, or are you relying on assumptions?
  • Can you prove that your team is reducing risk over time?

If the answers aren’t clear, it’s time to rethink your approach.

Final Thoughts

The unknown is the greatest risk of all. Horizon3.ai helps security leaders take back the unknown, revealing your greatest risks so you can take action with certainty.

Security isn’t about assumptions. It’s about proof.

We know this works because we’ve seen it firsthand. Organizations that validate risk instead of assuming security is working don’t just improve their defenses; they gain the confidence to prove it. Managing risk starts with knowing where you stand.

That’s the Duty to Know in action.

How can NodeZero help you?
Let our experts walk you through a demonstration of NodeZero®, so you can see how to put it to work for your organization.