Cybersecurity – Osterman Research https://ostermanresearch.com
Insightful research that impacts organizations
Mon, 08 Dec 2025 22:50:41 +0000

Cyber Workforce Benchmark report 2025 – Immersive’s new report https://ostermanresearch.com/2025/11/21/cyber-workforce-benchmark-report-immersives/ Fri, 21 Nov 2025 00:00:00 +0000

Immersive has just published its latest report – 2025 Cyber Workforce Benchmark Report. Using data from four complementary sources, the report reveals a troubling disconnect between asserted cyber readiness and actual cyber readiness. There are data and recommendations in this report that would benefit your organization.

Osterman Research surveyed 500 cybersecurity leaders and practitioners in the United States and the United Kingdom for this report, with a focus on how organizations perceive and measure readiness. The survey data we collected and analyzed for Immersive was combined with proprietary performance and benchmarking data from Immersive’s platform and a crisis simulation they ran.

Key findings:

  • The cybersecurity industry has become expert at measuring readiness by activity not by outcome.
  • Nearly every organization believes it is prepared for the next major incident – but underlying performance data doesn’t support such a conclusion.
  • Leaders are relying on false metrics – ones that prove nothing about performance under pressure.
  • There are four missteps holding readiness back, including practicing the past, fixating on fundamentals, and excluding the business.
  • Organizations are failing for a lack of practiced coordination – not a lack of knowledge.

If cyber readiness and resilience in the face of growing cyber attacks is important to your organization, please get a copy from the Immersive web site, grab a cup of coffee or tea, and read to learn / adjust / improve.

Next action: get your copy of the report – 2025 Cyber Workforce Benchmark Report.

Why trust, security, and value are essential in corporate adoption of AI – AvePoint’s new report https://ostermanresearch.com/2025/10/21/avepoint-ai-report-2025/ Mon, 20 Oct 2025 17:59:04 +0000

AvePoint has just published its latest report – The State of AI: Go Beyond the Hype to Navigate Trust, Security, and Value. We conducted the underlying survey (775 respondents across 18 countries) and prepared the results for the AvePoint team. To portray the breadth of the data we collected, the report clocks in at 61 pages – although there are many graphs and charts, sub-title pages, and expert perspectives throughout. Please, grab yourself a copy and have a read if AI in the enterprise is relevant to your work and future.

From the research data, we found a set of concerns around trust, security, and value that organizations will need to factor into their AI strategies. For example:

  • Inaccurate AI output (68.7%) and data security concerns (68.5%) top the list of factors for why organizations are slowing the rollout of generative AI assistants.
  • 75% of organizations experienced at least one AI-related data breach in the past year.
  • 90.6% of organizations claim effective information management programs, but only 30.3% have implemented effective data classification systems. Gaps in data governance and information management create significant obstacles to safe AI implementation.
  • 70.7% of organizational data is more than five years old, creating significant training data quality issues for AI systems.
  • Nearly 20% of organizations expect generative AI to create more than half their data within 12 months.
  • … and much, much more. This is a very data rich report.

For us, it was a tremendous opportunity to work with the AvePoint team to pull this research together. For you, we hope it provides tremendous insight and assistance as you navigate your AI journey.

Next action: get your copy of the report – The State of AI: Go Beyond the Hype to Navigate Trust, Security, and Value.

Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation – our latest identity security deep dive https://ostermanresearch.com/2025/08/07/identity-security-2025-report/ Wed, 06 Aug 2025 23:15:18 +0000

It was the data-driven finding from our initial Cybersecurity Investment Priorities program in 2023 that really hit the home run on the importance of visibility for us. We’d just run a large survey to gauge investment priorities among CISOs and CIOs over the coming year, which had included a deep dive into four specific cybersecurity topics. During the data analysis phase of the research, we correlated the data on how visibility affected prioritization, and the relationship was clear (“self-evident” / “stark” / choose your “oh wow!” word): the better the visibility, the higher the priority. This was one of those post-survey data analysis moments where you see “A-ha!” written all across the spreadsheet and you want to fist-bump the data. The importance of visibility has been a recurring theme throughout our cybersecurity research ever since.

Sometimes, though, visibility is more than just a recurring theme within the research … and takes a starring role in the program itself. That’s the case for our latest report into identity security – with a focus on visibility, governance, and autonomous remediation. Last year we took on the question of MFA posture – which included a visibility angle – but this year the intent was to look much wider than just MFA. This research project has been on the wish list for a long time, and it’s a delight to make it available. Please see Strengthening Identity Security: Visibility, Governance, and Autonomous Remediation, sponsored by Abnormal AI, Constella Intelligence, Enzoic, NinjaOne, and Silverfort.

What’s the big idea underlying this research? IAM – identity and access management – is an established control for managing which identities can access what resources. Few organizations don’t have an IAM system in place in 2025, but even with a mature IAM system, organizations continue to suffer from identity-led and identity-implicated attacks and breaches. IAM was not designed to protect against:

  • A threat actor using credentials they compromised through a phishing attack. An IAM system will see the credential pair as valid and give access.
  • A threat actor using credentials they purchased from the dark web. Ditto.
  • A threat actor bypassing strong IAM controls like MFA through various means, including MFA bombing attacks. An IAM system can’t see whether the MFA approval is from the intended user or a malicious one.
  • A threat actor accessing data after compromising a credential because the IAM system is out of date, thereby allowing the employee’s now compromised credential to access data that was validly needed one or two job roles before but that has never been revoked. An IAM system effectively shrugs its shoulders saying “looks fine to me.”
  • Malicious changes to identity configurations in order to engineer greater access than what should be allowed.
  • … and many others.

Identity-led and identity-implicated attacks are front-and-center across most cyberattacks. Snowflake – check. Colonial Pipeline – check. There’s often an identity component in 80% to 90% of breaches, depending on which study you read.

The lesson … is that IAM is no longer enough. In response to the changing and challenging threat landscape, startups and established vendors alike have been building new layers of identity protections – some to beef up underlying IAM processes directly, and some to create ways of protecting identity protections. Our report looks at identity security solutions in three groupings – visibility (think identity security posture management and the detection of compromised credentials), governance (think identity governance and administration), and autonomous remediation (think identity threat detection and response; and identity platform backup and recovery).

It’s not a light read nor a short report. It’s 25 pages of hard data and analysis. We’re all about crafting insightful research that impacts organizations, and this program is no different. We want to facilitate the discussions internally within organizations that need to happen about strengthening identity security protections and approaches. If that sounds like your bailiwick, please get a copy.

2025 Cyber Survey: Application security at a breaking point – our latest report https://ostermanresearch.com/2025/06/23/radware-2025-application-security/ Sun, 22 Jun 2025 23:10:37 +0000

We’ve been heads-down on several major reports over the past couple of months (hence the near radio silence), and the first of those has recently been published. Please check out Radware’s 2025 Cyber Survey: Application security at a breaking point (published June 12). This is the third year running we’ve had the privilege of working on Radware’s application security research, and this year’s research extends, expands, and tightens the nature of this annual research program.

From an extend perspective, the 2025 survey had a much higher focus on the role of AI in cybersecurity – from both the offensive and defensive sides. AI in cybersecurity has become a significant research area for Osterman Research, and each research program gives us the opportunity to refine our questions and contextualize those within a specific strand of the cybersecurity matrix. As you’ll see from the findings for this research program, the threat of AI being used to intensify hacking tradecraft is of highest concern to the organizations we surveyed. There’s a common set of refrains among respondents about the effect of AI on threat evolution, detection difficulty, and growing threat diversity. Unsurprisingly, there’s also a common refrain on strengthening application security defenses via AI-based cybersecurity solutions.

From an expand perspective, the research encompassed new threat areas we haven’t looked at over the past couple of research rounds. The major addition was API business logic attacks – a new class of threat – which is already being experienced with high frequency. On page 9 of the report, we say: “Business logic attacks present an ideal opportunity for threat actors to use emerging offensive AI capabilities. For example, AI agents can automate the malicious exploration of API sequencing, looking for unexpected logic vulnerabilities and loopholes to exploit. Organizations should expect hackers to develop and share newly crafted playbooks to amplify threat opportunities.” Our annual diagram on the cadence of different attack types portrays good news – in that average cadence is lower than our previous data set – along with a dire warning, in that the amplification of threat actor capabilities via AI is likely to increase attack cadence over the next 12 months.

And finally, from a tighten perspective, this year’s research doubled the number of organizations surveyed to allow a deep dive focus on two specific industries (financial services and healthcare) compared to all other industries. There are cohort-to-cohort comparisons throughout the report, and the interesting findings – where financial services or healthcare differ from the overall data set or from the other two cohorts – are noted. These are oriented around different attack patterns (page 6), API usage (page 7), and documentation status (page 8), among others.

Please get your copy of the full report from the Radware web site.

Join the webinar on June 26

We will be presenting the key findings from our research with Radware later this week. The webinar is on Thursday June 26 – please register to attend. We’d love to have you there.

In defense of Chris Krebs https://ostermanresearch.com/2025/05/10/in-defense-of-chris-krebs/ Fri, 09 May 2025 19:14:56 +0000

With our footprint of research across the cybersecurity sector over the past decade, we have valued Executive Orders from respective Presidents that strengthen the context for taking required actions to provide protection against cyber threats. Our research several years ago, for example, highlighted the systematic weaknesses across the government sector, with ransomware being the threat of highest concern. On page 11 of our 2021 report, we said in relation to the United States:

The Biden administration is placing increasing emphasis on developing resilience in the face of cybersecurity threats against the government and other industry sectors. Ransomware is a key concern, considering recent disruption to critical infrastructure such as the Colonial Pipeline and JBS attacks. While there is a high focus on better securing government agencies, the administration is also directing American businesses to take cyberthreats and ransomware seriously. Many of the directives parallel what is required of government agencies. Three specific initiatives from the United States government are:

  • Executive Order on Improving the Nation’s Cybersecurity
    Issued in May 2021, Executive Order 14028 mandates improved information sharing on cybersecurity between the U.S. government and the private sector, requires stronger cybersecurity standards within the federal government (e.g., widespread adoption of multi-factor authentication, encryption, and zero trust), removes current barriers for service providers to share threat intelligence, elevates the importance of security in the software supply chain (including visibility into software composition), and establishes the Cyber Safety Review Board to analyze significant cyber incidents and make recommendations, among others. The administration is working with private sector organizations to improve the nation’s cybersecurity readiness, has secured significant commitments from Apple, Google, Microsoft, and Amazon, and is working with others to address the cybersecurity skills shortage.
  • Joint Cyber Defense Collaborative (JCDC)
    Part of the Cybersecurity & Infrastructure Security Agency (CISA), the JCDC was created in 2021 to lead the development of cyber defense plans in the United States to safeguard critical infrastructure and national interests. Its mission includes working with private and public sector organizations.
  • StopRansomware.gov
    Multiple federal government agencies, including the Department of Homeland Security and the Department of Justice, launched a one-stop resource for combating ransomware. Released in mid-July 2021, the website consolidates the ransomware resources from all federal government agencies into a single location, replacing the previous approach of resources being distributed across a variety of locations.

While we didn’t state it in these words at the time, we were applauding the actions of the Biden Administration to strengthen the fabric of cybersecurity as it affected government agencies and the private sector.

CISA gets a mention above. CISA wasn’t created by President Biden. That was an action taken by President Trump in November 2018 via the CISA Act, where an existing program inside the Department of Homeland Security was reorganized and rebranded. The leader of the earlier DHS program – Christopher Krebs – was appointed the first director of CISA. Over the next several years, CISA took an activist role in championing for heightened cybersecurity across the United States (and beyond). Our research has referenced the following articles and updates from CISA:

  • CISA Launches Campaign to Reduce the Risk of Ransomware
  • Alert AA20-345A – Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
  • Joint Cyber Defense Collaborative
  • Executive Order on Improving the Nation’s Cybersecurity
  • Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities
  • Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • Shields Up
  • Selecting a Protective DNS Service
  • StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
  • CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems
  • ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
  • FY22 Risk and Vulnerability Assessments (RVA) Results
  • CISA Releases Analysis of FY22 Risk and Vulnerability Assessments
  • CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

There was a lot more in addition to the above list that CISA did in providing leadership and direction, and as with the actions above from the Biden Administration, we applaud their contributions.

Our hands are not clapping for the recent Presidential Memoranda targeting Christopher Krebs, SentinelOne, and CISA. Christopher Krebs earlier bore the public brunt of President Trump’s ire after disagreeing with the President on the security of the 2020 election, a stance for which he was fired from his director position at CISA via Twitter. Five years later, President Trump appears to seek additional retribution for this stance against Krebs personally, even though the overwhelming weight of evidence after 60 court cases on alleged election fraud backs Krebs not Trump.

This Presidential Memorandum is very bad form, in bad taste, and opens the door to a President throwing the weight of the US Government against a named individual who is perceived as an opponent. This is not behavior consistent with what we want our children to view as appropriate for the President of the United States.

The Presidential Memoranda and all related statements should be rescinded immediately, the consequential active investigation into Christopher Krebs cancelled forthwith, and the sanctions against Krebs and SentinelOne lifted.

On one point, however, we do agree with a statement in the Presidential Memoranda, albeit with a wording change. The directive to “do a comprehensive evaluation of all of CISA’s activities over the last 6 years” is a worthwhile activity. The wording change, however, is that it should not focus on points where conduct “appears to have been contrary to the purposes and policies in Executive Order 14149.” A much better standard would be alignment with the major cybersecurity challenges facing the United States over the next 20 years, which includes election security and countering the proliferation of disinformation and misinformation that undermine election integrity. This would position the agency for ongoing relevance over the long-term, not one that is weakened by short-term partisan vendettas.

Some thoughts on CrowdStrike’s Global Threat Report 2025 https://ostermanresearch.com/2025/05/03/crowdstrike-global-threat-report-2025/ Fri, 02 May 2025 18:30:58 +0000

CrowdStrike published its Global Threat Report in February 2025. We have been reading it carefully over the past month. First off, many thanks to CrowdStrike for assembling this data and designing such a well-presented report. The report is rich in details and examples; we took a lot of notes based on what CrowdStrike has seen during 2024. 

Highlights:

  • CrowdStrike writes about threat actors using AI, something we have highlighted too. Key points made by CrowdStrike on the use of AI: threat actors are increasing their productivity by using AI, threat actors are “early and avid adopters” of generative AI, and it’s still early days for the weaponization of AI in malicious attacks (we don’t yet know how far it will go). CrowdStrike’s conclusion is clear though: all the evidence points to threat actors making greater use of generative AI in 2025 in multiple types of threat campaigns, e.g., social engineering, network intrusion, insider threat, and election interference.
  • The report is rich in details on the cyber threat and espionage activities of nation-state and nation-aligned actors (e.g., North Korea, China). For what CrowdStrike refers to as China-nexus adversaries, 2024 was a year in which “operations matured in capability and capacity” and involved “increasingly bold targeting, stealthier tactics, and specialized operations.” CrowdStrike tracked significant growth in intrusions from China-nexus adversaries in 2024 across all sectors, along with efforts by adversaries to obfuscate their threat operations. From an Osterman Research perspective, if there was ever a time when nations need at least top-level defensive programs and government agencies taking point on responding to cyber activities, now is it. In this regard, the current political games around CISA are undermining national security and cybersecurity within the United States.
  • Email security is a significant research area at Osterman Research. CrowdStrike asserts that threat actors are moving away from phishing to alternative access methods for gaining a foothold into networks, with a particular emphasis on social engineering with phone calls, including callback phishing and help desk social engineering attacks. Yes, we agree that there is growth in the second, but whether that’s at the expense of the first or in combination with the first is unclear. We’d agree that threat actors are increasingly using multi-stage phishing attacks that use some combination of email, phone interaction, and an attempt to shift interactions to other less-secured apps rather than phishing by email alone.
  • The report profiles the efforts of North Korea-nexus adversaries at infiltrating organizations with IT workers. This offers access to sensitive data and system privileges for malicious purposes, as well as the salary. IT workers from North Korea that infiltrate organizations set up means of retaining access to cloud and IT resources even if their employment is terminated.
  • The threat of identity compromise is a theme in the report, with CrowdStrike indicating that attacks leveraging compromised identities are “among the most effective entry methods” and the primary initial vector for one third of all cloud incidents in 1H 2024. On page 23, CrowdStrike talks about a malvertising campaign linked with identity security compromise. You won’t get disagreement from us on the threat of compromised identity. See our recent research on MFA for our 2024 contribution to strengthening identity security. We will be extending this in 2025, as there is more to be done. 
  • The section on exploiting vulnerabilities (starts page 34) talks about exploit chaining, among other approaches used by threat actors. The report raises a fundamental implication of exploit chaining for how organizations prioritize patches. Since vulnerabilities are often analyzed by defenders in isolation based on their individual characteristics, decisions on which ones to patch and on what cadence ignore the calculus of chaining. CrowdStrike gives the example of pre-authentication vulnerabilities being patched faster than post-authentication vulnerabilities, the latter of which may be ignored altogether, which is good news for threat actors looking at vulnerabilities more holistically because of the unpatched post-auth backlog just waiting for the right conditions.
  • Also from a vulnerabilities perspective, we often see patching at a slower cadence than threat actors’ exploitation activities. CrowdStrike gives an example of this on page 39, where early exploitation activity for three vulnerabilities is detected only 24 hours after a technical blog was published providing exploitation guidance.

In conclusion, the report is excellent. It is replete with rich details. It will, mind you, take a while to read and digest fully.

What’s missing from CrowdStrike’s report?

The report is missing a major threat section and a specific cybersecurity incident. The missing section would be titled “Supply chain cybersecurity risks” and the incident the one that CrowdStrike inadvertently unleashed on the world on July 19, 2024. The fallout from that incident caused disruption to some 8.5 million computers, bringing entire companies to a halt, including banks and airlines. The direct financial costs of the incident were estimated at $5.4 billion, not including the indirect and consequential costs of lost productivity and reputational damage. Organizations need protections in place against the threats and risks that CrowdStrike so well covers in its report, but at the same time, protections against single-point-of-failure incidents that disrupt business operations around the globe.

Some thoughts on Coalition’s 2024 Cyber Claims Report https://ostermanresearch.com/2025/03/25/coalition-cyber-claims-2024/ Tue, 25 Mar 2025 05:01:28 +0000

We recently stumbled upon the 2024 Cyber Claims Report from Coalition, an insurance provider in the United States. It was published in April 2024, so hopefully there is a new edition about to hit the streets. Several data points stood out to us:

  • Coalition asserts that “Businesses that reinforced their security controls and embraced partnership with cyber insurance providers were generally more secure than other organizations.” Coalition advocates for an “active approach to cyber risk management.”
  • 56% of claims fielded by Coalition were categorized as “funds transfer fraud” or “business email compromise.” Both types of incidents start in the email inbox, highlighting [1] the success that threat actors are achieving with financially-motivated cybercrime that starts with email, and [2] the criticality of protecting email from all types of cyberthreats.
  • Funds transfer fraud is where a business is tricked into transferring money into a fraudster’s bank account, usually based on a fraudulent email request. The average loss across 2023 (the reporting timeframe of the 2024 report) was $278,000. On page 11 of the report is a paragraph we could have written based on our recent research – “Cybersecurity trends point to threat actors using generative artificial intelligence (AI) tools to launch more sophisticated attacks. Phishing emails are becoming more credible and harder to detect, and threat actors are believed to be using AI to parse information faster, communicate more efficiently, and generate campaigns targeted toward specific companies — all of which may contribute to increases in FTF claims.” At Osterman, we’d just call this business email compromise.
  • Coalition gives the example of a client who transferred $4.9 million to a bank account in Hong Kong based on a fraudulent invoice. Through Coalition’s assistance and their coordination with the FBI and law enforcement agencies, they got all the money back.
  • In Coalition’s use of terms, business email compromise incidents, by comparison, are defined as events where a threat actor gains access to the inbox but doesn’t get direct access to funds. Instead, they use the compromised account to “wait inside the network and send phishing emails to compromise a user with direct access to money.” At Osterman, we’d call this account takeover and note its correlation with internal phishing and supply chain compromise scenarios.
  • The frequency of ransomware incidents is much lower than the high-water mark of 2021, but the average cost per incident is significantly higher than in 2021. In other words, fewer attacks, but each one costs more.

For more, get your copy from Coalition’s web site.

CISO and CIO Investment Priorities for Cybersecurity in 2025 – our latest report https://ostermanresearch.com/2025/03/11/2025report-ciso-cio-investment-priorities/ Mon, 10 Mar 2025 22:00:00 +0000

We have just published our latest report for 2025. It’s all about how CISOs and CIOs are approaching investments in cybersecurity this year. The research looks at investment priorities overall (across 24 areas), plus takes a deep dive into four focus areas. The focus areas this year are applications, cloud platforms and services, identity, and data. Feel free to get a copy if making decisions around cybersecurity strategies and investments is in your wheelhouse.

The data comes from a survey of 268 CISOs and CIOs in the United States, at organizations with more than 1,000 employees. This is the second time we’ve run this research program. The first program was run in 2023, and this program builds on and extends our earlier research.

The key takeaways from this research are:

  • Cybersecurity driven by changing threat response calculus
    Increasing prices for cybersecurity insurance, the growing use of AI in cyberattacks, software supply chain compromise, and return-to-office mandates for employees are the top trends and challenges driving how CISOs and CIOs approach cybersecurity in 2025. All force a reevaluation of how best to address current and emerging threats.
  • Cloud infrastructure security, cybersecurity talent availability, and control and ethical processing of data top the priority stack
    Out of 24 potential investment areas for cybersecurity, two thirds of organizations assigned the highest priority to cloud infrastructure, internal cybersecurity talent, and compliant data processing. They see weaknesses in their current posture that are misaligned with where they want to be and are investing the resources to do something about it.
  • Budgets continue to rise, showing resilience across economic cycles
    Almost all organizations have received a higher budget for cybersecurity over the previous two years, and most believe they could put even more budget to productive and effective use.
  • Strong risk management disciplines make a significant difference
    Organizations with higher efficacy in managing the business risks associated with key cybersecurity areas such as applications, cloud, and identities show much higher commitment to address security weaknesses and are spending accordingly. Being able to see what is and isn’t happening drives change.
  • Organizations must do the work to understand their priorities
    Investment priorities for any given organization must be set within the context of their current posture, real-world threat data, and known areas of concern (and unknown areas of weakness). This is the fundamental work that cybersecurity decision-makers and influencers must coordinate.

This research was sponsored by BIO-key International, OpenText, and Salt Security.

If your firm provides cybersecurity solutions AND you would like to spread this research to your customers and prospects, please get in contact to talk about licensing options.

Some thoughts on the new Ironscales report on deepfakes https://ostermanresearch.com/2024/10/11/review-ironscales-deepfakes/ Thu, 10 Oct 2024 19:31:49 +0000

IRONSCALES released its latest threat report last week – Deepfakes: Assessing Organizational Readiness in the Face of This Emerging Cyber Threat. We wrote earlier this year about the emergence of deepfake meeting scams, so this threat report is topical and timely.

Key stats and ideas from the report:

  • 94% of survey respondents have some level of concern about the security implications of deepfakes.
  • The increasing sophistication of deepfake technologies has left many people struggling to differentiate artificially generated content from reality.
  • The worst of what deepfake-enabled threats have to offer is still yet to come. 64% of respondents believe the volume of these attacks will increase in the next 12-18 months.
  • 53% of respondents say that email is an “extreme threat” as a channel for deepfake attacks.

Our POV:

  • 94% said they had concern about deepfakes, and so they should. We think that 100% of respondents should have been concerned. It is still very early days for the weaponization of deepfake technology, and the various ways in which threat actors will use it for malicious ends remain to be seen. As an industry, we don’t have a good enough grasp of the full picture yet, such as whether deepfake threats are only audio and video, whether they originate in email or are subsequent attack methods in a multi-stage, coordinated, targeted attack, and so on.
  • Deepfakes – especially of the live audio and video kind – are a uniquely AI-enabled cyberthreat. Detecting and responding to them will demand AI-powered cybersecurity solutions.
  • As an industry, we’ve talked about impersonation as a threat for a long time, often in the context of vendor impersonation (for business email compromise) or domain impersonation (for phishing attacks in general). Deepfakes are several levels up on the impersonation scale. We’ll need to be careful with language, though, to differentiate different types of attacks and, by implication, different types of approaches for detecting and stopping them. It doesn’t make a lot of sense for everything that’s fake to become a “deepfake.”

And just a reminder: IRONSCALES is a client at Osterman Research. We’ve had the privilege of working with IRONSCALES on multiple research projects in recent years. We didn’t, however, have any participation in the formulation, execution, or delivery of this research.

Email Security Threats Against Organizations in Critical Infrastructure sectors – https://ostermanresearch.com/2024/09/20/email-security-opswat/ – Thu, 19 Sep 2024 19:45:49 +0000

Late in 2023 we started a conversation with OPSWAT, a cybersecurity vendor focused on the critical infrastructure sector, on undertaking a research project to assess the email security posture of critical infrastructure organizations. We have had the opportunity to do many research projects on email security in recent years, but while the others have included organizations in the critical infrastructure sector, this was the first project that focused exclusively on this cohort. Exciting times!

The research programme:

  • Collected data from a global audience of critical infrastructure organizations, with representation across North America, EMEA, and APAC. The survey was balanced to get around 40% of responses from North America, 20% from EMEA, and 40% from APAC.
  • Engaged with leaders within these organizations who have IT or security responsibility and knowledge of their email security posture.
  • Drew on CISA’s list of critical infrastructure sectors, such as chemicals, commercial facilities, communications, critical manufacturing, dams, and more. CISA says there are 16 sectors classified as critical infrastructure. CISA defines these sectors on this basis: sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. While this definition is US-centric, the same principle applies in other places, too.

Once the research design was agreed, we worked on the survey questions, took the survey to field, and analyzed the data. You can get your copy of the results from the OPSWAT website. But here’s a preview:

  • Critical Infrastructure Remains a Target
    80% of critical infrastructure entities fell prey to email-related security breaches within the past 12 months, highlighting their attractiveness to cyber threat actors.
  • Lingering Vulnerability
    Despite advancements in cybersecurity, 48% of organizations lack confidence in their existing email security defenses, leaving them vulnerable to potentially devastating cyberattacks.
  • Noncompliance presents significant operational and business risks
    Shockingly, 65% of organizations are not compliant with regulatory standards, exposing themselves to significant operational and business risks.

A major recommendation in the report is finding email security capabilities that “preclude and prevent threats” from finding their way into an organization’s email system. While this is essential for critical infrastructure organizations, it is no less so for those in other sectors.

Check out OPSWAT’s site for your copy.
