Cybersecurity in 2025: What CISOs in Retail & Hospitality Are Prioritizing

Key Trends from the RH-ISAC CISO Benchmark Report

As the digital threat landscape continues to evolve, so too does the role of the CISO. The newly released 2025 RH-ISAC CISO Benchmark Report, developed in partnership with Accenture, offers a compelling snapshot of how cybersecurity leaders across retail and hospitality are adapting to new challenges, investing in resilience, and aligning security with business strategy.

Here are the key takeaways every security and business leader should know.

1. Ransomware and Supply Chain Attacks Still Dominate

Ransomware remains the top threat, cited by 70% of CISOs, followed closely by supply chain attacks (58%) and phishing (47%). These persistent risks are driving a renewed focus on business continuity and disaster recovery, which rose to the #1 cybersecurity initiative in 2025—up from #4 the previous year.

2. Budgets are Holding Steady—with Strategic Shifts

Despite economic uncertainty, 44% of CISOs expect budget increases in 2025, while another 44% anticipate no change. Only 13% foresee cuts. Notably, spending on third-party security services rose 11% year-over-year, reflecting a growing reliance on external expertise.

Where’s the money going?

  • 33% to staff and compensation
  • 27% to cloud-based software
  • 13% to outsourcing and MSSPs

3. The Cybersecurity Workforce is Expanding

With 38% of organizations planning to grow their cybersecurity teams, talent remains a top priority. The largest share of InfoSec full-time employees (FTEs) is focused on:

  • IT and security operations
  • Identity and access management (IAM)
  • Governance, risk, and compliance (GRC)

Interestingly, while third-party risk is a top concern, staffing in that area declined by 2 percentage points from 2024.

4. CISOs are Becoming Business Leaders

The CISO role is evolving beyond technical oversight. In 2025:

  • 19% of CISOs report to business executives, up from just 7% in 2024.
  • There’s been a 26 percentage point increase in data management responsibilities, largely driven by AI adoption.
  • More CISOs are aligning cybersecurity with broader business goals, positioning security as a strategic enabler.

5. NIST CSF Remains the Gold Standard

Adoption of the NIST Cybersecurity Framework (CSF) continues to grow, with 83% of organizations using it to assess and improve their security posture. Average maturity scores rose to 3.1, a 25% increase since 2024.

Final Thoughts: Cybersecurity as a Business Imperative

The 2025 report makes one thing clear: cybersecurity is no longer just about defense; it’s about resilience, innovation, and competitive advantage. CISOs are stepping into more strategic roles, leveraging AI, and embracing managed services to scale their impact. As threats grow more sophisticated, so must our response. The organizations that thrive will be those that treat cybersecurity not as a cost center, but as a core business function.

Read the full report to explore all the data and insights.
