The Horizon3.ai Annual Insights Report: The State of Cybersecurity in 2025 is packed with data-driven findings about security’s biggest challenges, but not everything made the cut. To keep the report focused, some eye-opening insights from CISOs and IT practitioners had to be left out.
This blog highlights those additional findings, exposing critical blind spots, flawed assumptions, and emerging challenges that security teams are facing.
CISOs’ Biggest Breach Fear: Explaining the Failure
When CISOs were asked about the worst possible outcome of a cyberattack, financial loss wasn’t their top concern. Their biggest fear was being forced to explain why security failed.
- 18% of CISOs said their greatest concern was justifying the failure to leadership.
- 14% worried most about reputational damage if a breach became public.
- Another 18% dreaded standing before the board and investors to account for what went wrong.
The fear of regulatory scrutiny is also growing. A government investigation following a breach was the top concern for 15% of CISOs.

These responses make one thing clear: security leaders aren’t just thinking about breach costs, they’re thinking about accountability. The worst-case scenario isn’t just being breached—it’s being unable to prove that the right security measures were in place before it happened.
Fewer Than 1 in 5 Security Teams Say BAS Is Worth It
Breach & Attack Simulation (BAS) tools are widely adopted, yet many security teams report serious challenges in making them work.
- 81% of security teams said they use some sort of BAS tool, but many find them frustrating or ineffective.
- 20% struggle with scalability and integration, while 18% report difficulties getting BAS up and running in their environment.
- Complexity is another hurdle: 15% find BAS tools too cumbersome to manage, and 11% have abandoned them altogether.
Only 18% of security teams said their BAS tool provides tremendous value. Despite high adoption, many are questioning whether BAS delivers actionable insights—or just creates more work.
The Compliance Trap: Spending More, Securing Less
Security budgets are increasing, but much of that spending is reactive—driven by compliance mandates rather than real risk reduction.
of CISOs said their organizations are spending more just to meet evolving regulatory requirements.
admitted their security improvements are solely for compliance.
This raises an uncomfortable reality: compliance can be a distraction from true security. Instead of prioritizing real risk reduction, many organizations are focusing on regulatory checkboxes rather than strengthening defenses against real-world attacks.
Security Teams Are Overwhelmed and Understaffed
IT security teams aren’t just fighting attackers—they’re drowning in daily security tasks, making it nearly impossible to be proactive.

- 31% of security professionals said they regularly explain cybersecurity to leadership instead of improving security.
- 29% said security training consumes a significant portion of their workload.
- Another 28% spend most of their time patching vulnerabilities, while 28% are resetting credentials for employees who continue falling for phishing attacks.
With security teams overwhelmed by administrative work, there’s little time for proactive threat hunting or offensive security testing. Organizations stuck in a cycle of reactive security will struggle to keep up as attacks grow more sophisticated.
Third-Party Risk: A Crisis in the Making?
Supply chain attacks are one of the fastest-growing threats in cybersecurity, yet many organizations still don’t treat third-party risk as their problem.
- 34% of CISOs acknowledged that vendors may be transferring cyber risk onto them.
- 23% believed a third-party breach wasn’t their responsibility.
- Only 3% of security leaders said they were concerned about being breached due to a third-party incident.

This is a dangerous assumption. Attackers frequently exploit third-party weaknesses to pivot into larger networks, making a supplier’s breach the customer’s problem. Organizations that fail to assess third-party security properly could be opening themselves up to breaches they never saw coming.
Final Thoughts: What Else Didn’t Make the Cut?
From frustrations with BAS tools to the burden of compliance spending and the growing risks of third-party breaches, these overlooked insights highlight a common theme: many organizations are struggling to keep pace with today’s emerging threats.
And this only scratches the surface. The Horizon3.ai Insights Report: The State of Cybersecurity in 2025 goes even deeper—backed by data from hundreds of CISOs, IT practitioners, and over 50,000 real-world pentests run by NodeZero®.
See what’s really happening in cybersecurity—and how your organization stacks up.
