RH-ISAC | 2025 RH-ISAC CISO Benchmark Report - RH-ISAC

The 2025 RH-ISAC CISO Benchmark Report, developed with Accenture, offers a data-driven look at how cybersecurity leaders are navigating risk, resilience, and innovation. With input from nearly 200 CISOs across retail and hospitality, this year’s report reveals a clear shift: cybersecurity is no longer just an IT concern—it’s a business imperative.

Key Findings at a Glance

🔐 Top Cybersecurity Risks

#1: Ransomware (70%)
#2: Supply Chain Attacks (58%)
#3: Phishing (47%)

💸 Budget & Spending Trends

44% of CISOs expect budget increases in 2025.
Only 13% anticipate cuts.
Third-party security services spending is up 11% YoY.
33% of cybersecurity budgets go to staff and compensation.

👥 Workforce Outlook

38% plan to expand full-time cybersecurity teams in 2025.
Largest FTE allocation (44%) goes to IT, security ops, IAM, and GRC.
Despite rising third-party risk, staffing in that area declined by 2pp.

📊 NIST CSF Adoption

83% of organizations use the NIST Cybersecurity Framework.
25% increase in NIST maturity scores since 2024.
Average score across functions: 1 in 2025.

🧭 Evolving CISO Responsibilities

+26pp increase in data management responsibilities, driven by AI.
19% of CISOs now report to business executives, up from 7% in 2024.
Growing emphasis on cybersecurity as a strategic business driver.

Strategic Recommendations

Make Cybersecurity a Business Priority

Align security with business goals.
Share accountability across the C-suite.
Track performance with shared metrics.

Leverage AI & Automation

Use AI for red teaming, threat detection, and response.
Automate routine tasks to boost efficiency.
Explore Cybersecurity-as-a-Service (CSaaS) to scale operations.

Join this community!

If you’re ready to be a part of the RH-ISAC community, fill out a membership inquiry today.