Ivanti Originals

2025 State of Cybersecurity Report: Paradigm Shift

Ivanti

Ivanti’s research — a global study of over 2,400 security and IT professionals and executive leaders — examines how organizations can adopt a more effective and evolved approach to managing cybersecurity risk by embracing exposure management.

Despite 89% of boards calling security a priority, the research reveals gaps in organizations' ability to defend against high-risk threats. As attack surfaces continue to expand and cyber attacks grow more complex and sophisticated, businesses need a more comprehensive, strategic approach to vulnerability management.

How can cybersecurity teams combat critical concerns, from tech debt to data silos? Learn how shifting your cybersecurity mindset to exposure management can help organizations combat potential threats and be proactive about how they identify, measure and protect themselves from risk.

Get more resources

To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/stateofcyber.  

For more Ivanti research on IT, security and the future of work, visit ivanti.com/research. 

About Ivanti 

Ivanti elevates and secures Everywhere Work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver excellent digital employee experiences and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti. 

Exposure management — a transformative update to traditional vulnerability management practices — requires a more holistic approach to mitigating risk. Getting it right means changing mindsets and organizational culture. 

You’re listening to the audio version of Paradigm Shift, Ivanti’s 2025 State of Cybersecurity Report. To see more Ivanti research and get additional materials, including downloadable charts and graphs, visit ivanti, I-V-A-N-T-I.com/research.  

[Music begins]  

Part one: Unlocking exposure management 

Exposure management requires an all-encompassing, highly contextual view of cybersecurity risk. Ivanti’s latest research documents the paradigm shift. 

[Music ends]  

An organization’s attack surface is constantly changing. The traditional parameters that once defined the attack surface — mostly software and hardware — no longer take into account all the complexity and considerations for a modern security strategy: the cloud, third-party vendors, IoT, social networks and even human vulnerabilities. 

Measuring, monitoring and protecting an organization's attack surface requires a wholly new approach to match the complexity and sophistication of such threats. 

Enter exposure management. 

Exposure management is a comprehensive, highly contextual view of cybersecurity risk. Rather than viewing security as a singular, isolated objective, organizations weigh vulnerabilities and risks across a broad set of objectives — including business objectives — to intentionally balance risk and reward. 

Cybersecurity and business leaders view exposure management as a more evolved approach to managing cybersecurity risk given the wide spectrum of threats organizations face — a landscape so large and complex that defending against all threats at all times is simply neither realistic nor sustainable. 

Ivanti’s research shows that security professionals worry about a wide array of security risks and attack vectors — from ransomware and phishing to software vulnerabilities and supply chain threats. 

These findings also reveal significant gaps in current levels of preparedness. (Gaps are areas where threat levels exceed preparedness.) For example, preparedness for ransomware attacks and API-related vulnerabilities is especially low in comparison to the threat level. 

These shortcomings are especially concerning given that all of these threats are likely to be amplified by gen AI. For example, more than 1 in 3 (38%) say ransomware will become even more dangerous when powered by AI. 

The good news: Viewing cybersecurity as a business priority — a key principle of exposure management — appears to be well understood and widely supported in concept among both security professionals and business leaders, even if it’s not yet consistently practiced. 

And cybersecurity has a high degree of C-level support, as well as broad visibility at the board level. 

89% of security professionals and organizational leaders say cybersecurity is discussed at the board-of-directors level. 

81% say their board of directors includes someone with cybersecurity expertise. 

88% say their organization’s CISO is invited to high-level strategic meetings about business decision making and organizational planning. 

And nearly 3 in 4 say their cybersecurity budgets are growing. Even more impressive, 81% say their security budgets for 2025 are sufficient to achieve their 2025 security goals. 

The less-good news: While leaders say they understand and value exposure management, they often approach it in a piecemeal fashion via disparate point products, rather than using an integrated strategy that can provide a comprehensive view of the organization’s total risk posture. The research points to this uneven approach. 

Exposure management ranks last as a key area of investment, even though components of exposure management, such as cyber asset attack surface management (or CAASM) and external attack surface management (or EASM), are considered priorities by many. More mature companies – those that describe themselves as having an advanced ability to fend off threats – are significantly more likely (1.6x more likely) to invest in exposure management. 

Ivanti’s research shows that organizations with a more advanced level of cybersecurity maturity (i.e., a self-reported, proven ability to fend off advanced threats) are significantly more likely to say they are increasing investments in exposure management. 

26% of advanced Level 4 organizations are increasing investments compared to just 16% of the least mature (i.e., Level 1) organizations. (Skip ahead to part 4 for more details on Ivanti’s Maturity Model.) 

Overall, the industry appears to be supportive of the principles of exposure management, even if many have not taken actionable steps toward adopting and executing it. 

Exposure management represents a disruptive paradigm shift for the industry. 

It requires a comprehensive, integrated view of cybersecurity risk, including the myriad pressures that lie outside of IT and cybersecurity. And it requires a highly integrated, contextual view of an organization’s security posture and risk / reward tradeoffs. 

Adopting exposure management means learning and executing new ways of measuring, managing and talking about risk — and it will force security leaders to rethink existing teams, processes and solutions in ways that are both disruptive and highly impactful. 

[Music begins]  

Part two: Data silo damages 

Data silos significantly weaken an organization’s cybersecurity posture. Organizations have finally taken note, but much work remains. 

[Music ends]  

Data silos limit visibility into threats, impede incident response, and create inconsistencies in security policies and practices across the enterprise. Progress has been made year over year, but the majority of organizations (55%) still report security and IT data silos, as well as the massive challenges associated with them. 

The research also underlines the impacts of silos: 62% say silos slow security response times, and 53% claim silos weaken their organization’s security posture. 

Security professionals also report many areas in which data and insights are missing or insufficient, such as detecting shadow IT (45%), confidently identifying specific vulnerabilities based on existing data (41%), and determining patch compliance and meeting patch SLAs (37%). All of these create serious security blind spots related to understanding the company’s attack surface, identifying exposures and complying with regulations. 

The data silo problem is particularly visible in the relationship between IT and security. 44% say they struggle to manage security risks due to a challenging security / IT relationship, and 40% point out that IT and security teams use different tools, amplifying the problem.

Security professionals also worry about IT teams’ mindsets and training. 46% of security professionals say IT teams lack urgency when it comes to cybersecurity issues, and 40% say IT teams don’t understand the organization’s risk tolerance. 

Fixing these problems won’t be easy. 

Leaders and security professionals estimate it would take six years on average to break down existing silos within their organizations. 

Silos are the enemy of effective exposure management — and here we’re talking about more than just data silos. Organizational silos are forms of isolation within a company’s overall management/structure — whether divisions between IT and security, or other manifestations of difference or separation across the organization. And they can be just as damaging.

One example is leadership silos: 

Conflicting approaches to management and operations lead to lack of focus and an inefficient use of resources. For IT and security, leadership silos create roadblocks and slow down each team’s ability to deliver on objectives. They also strain budgets due to duplicated efforts, overlapping tech investments and inefficient use of talent.

We also observe business process & workflow silos: 

Departments such as IT and cybersecurity often work independently of one another with limited collaboration, which can lead to competing priorities, lower productivity and even lower employee satisfaction.

And finally, we deal with the effects of technology silos, where technology decisions within organizations are made at the department level and/or on an ad hoc basis to solve a singular problem. For the IT/security relationship, the impacts are enormous: reduced visibility and efficiency, as well as higher levels of tech debt.

Ultimately, security must be a business enabler; this is the foundation of an exposure management strategy. Beyond the expected areas of responsibility, such as minimizing downtime and making the organization resilient in the face of threats, security teams must also be responsible for broader, business-wide priorities like:

Driving revenue by building trust, supporting innovation, and helping the organization enter new markets with new regulations. 

Supporting remote work and flexibility for organizations that have made this a priority.

And driving digital transformation by allowing an organization to take on new digital initiatives, knowing that security measures are in place to protect against potential risks. 

[Music begins]

Part three: Assessing risk tolerance 

Security professionals are bullish about their ability to measure risk exposure, yet they apply frameworks inconsistently … and often ineffectively. 

[Music ends]  

Exposure management relies on a highly sophisticated approach to assessing risk, including: 

Taking a holistic view of an organization's entire attack surface… including how to mitigate third-party risk and how to secure IoT devices. (51% of our survey group report the number of IoT devices they manage will rise in 2025 compared to 2024.) 

It also includes continuously identifying exploitable vulnerabilities, attack vectors and breach pathways. 

It includes proactively anticipating the potential consequences of a wide range of cyber-attack types — and prioritizing actions based on real-time data and analysis. 

And finally, exposure management includes aligning cybersecurity efforts with business objectives, meaning that risk-reduction decisions are not wholly owned by security leaders, but shared across both security and business stakeholders — and crucially, based on a shared understanding of organizational risk appetite. 

Ivanti’s research shows that security professionals have a high degree of confidence about their ability to measure risk exposure, but it also suggests these high marks may be unwarranted. 80% rate themselves as “good” or “excellent” in their ability to measure risk exposure. 

Truly defining and quantifying business risk, however, remains a challenge. Even though 83% say they have a documented framework for identifying risk tolerance, just over half (51%) of those say their current risk tolerance framework is not followed closely — which is about as effective as not having a framework at all. 

When organizations don’t follow their risk tolerance framework closely, the impacts can be far-reaching — from financial losses and reputational damage to regulatory fines. 

Ivanti’s research shows that leaders and security professionals alike struggle to measure and communicate risk exposure. 

51% cite lack of talent as a barrier to measuring risk exposure.

And 49% cite lack of access to relevant data as a barrier to measuring risk exposure.

Organizations also face challenges conveying a clear sense of risk exposure to the organization’s broader leadership. 

While 48% of leaders say security leaders communicate risk exposure to broader leadership very effectively, only 40% of security professionals say the same. 

Organizations are increasingly looking to their CISOs for strategic business advice, including guidance about AI adoption and managing supply chain risk. And boards are becoming increasingly involved. Our research shows cybersecurity is already a topic at the board level. 89% say cyber risk is discussed at the board level, and 88% say CISOs are invited to high-level strategic meetings about business decision making, organizational planning, etc. 

And yet, many CISOs operate with a primary focus on downtime risk rather than seeing the bigger picture. 

To evolve into strategic players, security leaders must learn to speak the same language as their CEOs and boards — translating technical know-how into business priorities, such as the financial and reputational impacts of attacks, as well as the legal and regulatory ramifications of data breaches. 

Currently, organizational leaders and security teams are not on the same page. For example, when we asked which are the most important and impactful areas of cyber risk, leaders were most likely to choose financial impacts like loss of revenue or higher expenses, while security professionals chose operational impacts such as downtime or loss of productivity. 

Bridging this divide requires security organizations to undergo a mindset shift — from protecting the company from the latest threat to supporting company growth, innovation and sustainability. Adopting an exposure management approach — combined with strong data management practices — will allow security teams to right-size the management of risk — effectively matching the size/impact of the threat with the size/urgency of the response. 

And it will help layer on a business context to ensure non-security decision-makers understand how cyber risks impact the organization's objectives — including financial, regulatory and reputational risk — and allocate resources accordingly. 

[Music begins]  

Part four: Tackling tech debt 

Technical debt is both common and corrosive. Ivanti’s research explores the extent of the problem and how organizations are addressing it. 

[Music ends]  

Among security and leadership professionals Ivanti surveyed, 1 in 3 say tech debt is a serious concern. The level of concern varies tremendously by industry. Those in the healthcare industry report the highest degree of concern (40% report “very serious” or “extremely serious” levels of debt), followed by those in manufacturing and tech. 

The causes of tech debt vary, but most commonly, security professionals point to two primary drivers: the high interdependence of their existing systems, and the need to secure systems that have rapidly evolving requirements. (Not surprising to industry insiders: Half of organizations surveyed — 51% — say they use software that has reached end of life.) 

The impacts of tech debt are far-reaching: 

There are clear impacts for cybersecurity: Across all respondents, at least 1 in 3 agree that their security position is seriously compromised by legacy systems. Fully 37% say their tech infrastructure is so complex that they can’t uphold basic security practices, and 43% say accumulated tech debt makes their systems more susceptible to security breaches.

There are also impacts for business: Overall, 39% say tech debt significantly slows growth. Among those who name tech debt an “extremely serious” concern within their organization, 71% report slowed growth. And 43% say tech debt slows innovation. (This number jumps to 56% for those with the highest levels of tech debt.) 

Perhaps most surprising of all is the impact of serious tech debt on the work life of security professionals: 35% say tech complexity makes them feel burned out at work, and the same proportion say tech complexity is a workplace hazard for IT and security professionals. 

When organizations adopt third-party solutions and components, these investments can introduce tech debt if not properly managed. That’s because, as supply chain components age, they can add to technical debt if they’re not updated and patched regularly. 

Vendor sprawl exacerbates the problem. With so many disparate tools to stay on top of — and given that third-party components in an organization’s software supply chain are an extension of its attack surface — it's just one more way that tech debt negatively impacts security posture. 

The vast majority of security professionals (84%) say it’s “very important” to monitor the software supply chain, and 73% say they’re “very effective” at monitoring the software supply chain. Yet nearly half (48%) have not yet identified the most vulnerable components in their supply chain. 

What do software supply chain best practices look like? We asked survey-takers who work in cybersecurity to rate their organization’s level of cybersecurity preparedness — from basic (Level 1) to best-in-class (Level 4) — to develop a Cybersecurity Maturity Model. 

Using this model, we can understand what the most advanced organizations are doing differently to secure their software supply chains compared to less mature organizations. 

71% of Level 4 (the most mature) organizations review all software vendors for security, more than twice the rate of Level 2 organizations. 

43% of Level 4s require vendors to provide evidence of internal pen testing. Just 24% of Level 2s require this. 

And 49% of Level 4s complete a vendor security assessment questionnaire for new purchases, compared to 27% of Level 2s. 

Organizations responding to the Ivanti survey have different approaches to who “owns” software security, though Level 4 organizations are most likely to say it’s a shared responsibility between the software vendor and customer. 

Less mature organizations (Level 2s) are significantly more likely than mature organizations to say the vendor wholly owns security responsibility. This point of view may be driven by resource constraints, a lack of technical expertise to address specific responsibilities or even a false sense of security that cyberattacks only target large corporations with sensitive data. 

No matter the reason, believing security should be upheld fully by vendors can lead to a false sense of security. What’s more, these organizations can become overly reliant on vendor-provided solutions, neglecting to implement layered security measures and best practices. 

Software security should be a shared responsibility. 

Vendors are responsible for implementing secure development practices, including regular code reviews, vulnerability scanning, and penetration testing throughout the software development lifecycle. And they must provide timely security updates and patches to address newly discovered vulnerabilities. 

Additionally, buyers must commit to promptly applying security updates and patches and implementing a systematic process for tracking and deploying them across the organization. They must also implement and maintain strong access controls, including role-based access and regular review of user privileges. And they should conduct regular security assessments, including vulnerability scans and penetration tests, to identify potential security flaws on a consistent, ongoing basis. 

[Music begins]  

Part five: A call for change 

Effective cybersecurity must go beyond the traditional view of risk. 

[Music ends]  

As organizations' digital footprints continue to grow — encompassing a complex web of on-premises infrastructure and cloud-based services — their attack surfaces are expanding at an unprecedented rate. But the problem is not just the size and scale of the attack surface. 

Organizations simply cannot realistically mitigate all risks in our current environment. The threat landscape is continually evolving, complex tech systems are inherently vulnerable, and organizations must work within resource constraints. 

The situation demands a more sophisticated and adaptive approach to cybersecurity, one that views security as a complex balancing act — trading off business risk and reward — rather than a protect-at-all-costs strategy. 

Exposure management promises a more intelligent approach to managing risk. 

Ivanti’s research shows that the concept of exposure management is well understood; for example, 49% of security professionals say their company leaders possess a high level of understanding of exposure management. Yet few organizations are taking steps to embrace the practice; just 22% say they are increasing investments in exposure management in 2025. 

Exposure management offers organizations a more nuanced – and effective – approach to managing risk. It does this by taking into account the full spectrum of business risk rather than a narrower view of cyber risk. 

Yet to embrace exposure management, an organization must undertake a challenging process: Aggregate its data so that it is truly inclusive of all aspects of the organization’s attack surface, conduct data-backed risk assessments that include the organization’s risk appetite, and direct its limited resources to mitigating the vulnerabilities that pose the greatest risk to the organization. 

And to operationalize exposure management, organizations must finally break down silos — not simply those within the security realm, but across the organization. Doing this will empower security teams to identify, assess and categorize potential threats for the entire organization based on severity, likelihood and impact. 

Most organizations continue to operate business-as-usual when it comes to breaking down data and organizational silos. For example: 

88% of security professionals report significant data blind spots — areas with insufficient data to make informed security decisions — such as shadow IT, patch compliance, vendor risk-management information and dependency mapping. 

44% say they struggle to manage security risks due to a challenging security/IT relationship. 

And 40% say IT and security teams use diverging tools for the same activities. 

The extreme degree of complexity in today’s threat landscape requires new ideas and approaches — and security leaders must lead this charge. 

It’s time for cybersecurity teams to take on a more strategic role: securing critical assets, safeguarding customer trust, maintaining global compliance, sustaining business continuity … in other words, driving an organization’s resilience and competitive edge. This will require a new level of collaboration and communication between security leaders and business leaders — a true mindset change, and even cultural change for many organizations. 

[Sting]

If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released.   

You can read the report, download charts and graphs, and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.   

You can follow Ivanti on social media at Go Ivanti, and you can visit us at ivanti.com to learn more about our products and solutions.   

Thanks for listening!