In an era where digital transformation is not just a buzzword but a business necessity, cybersecurity readiness has emerged as a critical component of enterprise strategy. I finally had time to read Cisco’s 2025 Cybersecurity Readiness Index, which offers a comprehensive analysis of how organizations worldwide are navigating this complex landscape.
Key Findings: The Readiness Gap
Cisco’s assessment of more than 8,000 security leaders across 30 global markets delivers a sobering message: most organizations simply aren’t ready for today’s cybersecurity realities, let alone what’s coming next.
Just 4% of respondents achieved a “Mature” level of cyber readiness — up 1% from last year, and frankly, alarmingly low given the rapid evolution of threat actors and tactics. Even more concerning? A full 70% of organizations sit squarely in the “Beginner” or “Formative” categories — categories that reflect fragmented, underdeveloped security postures. That’s not just a gap, it’s a gaping chasm.
Thankfully, the data suggests things are moving in the right direction. The percentage of companies in the “Beginner” tier decreased from 11% in 2024 to 9% in 2025. It’s a small progression, but one that shouldn’t be overlooked.
The takeaway here is clear: the cybersecurity maturity curve is steep, and far too many organizations are stuck at base camp. The threats are evolving faster than the defenses. If cybersecurity isn’t already at the top of the enterprise priority list, it’s time for a reset. Because in today’s landscape, cyber readiness isn’t just an IT problem, it’s a business survival issue.
Key Pillars of Cybersecurity Readiness
In the report, Cisco’s stated goal was to gain insight into cybersecurity readiness based on five critical pillars. The data again presents a sobering reality — starting to see a trend here, aren’t we?
- Identity Intelligence: Only 6% of companies have mature capabilities in managing and securing identities, indicating a significant gap in access control measures.
- Machine Trustworthiness: This area saw the most improvement, with 12% of organizations achieving maturity, up from 7% in 2024. However, the majority still struggle with securing endpoints and devices.
- Network Resilience: Only 7% of survey respondents shared they have mature network defenses, unchanged from 2024, leaving many vulnerable to network-based attacks.
- Cloud Reinforcement: With just 4% maturity, again stagnant from the year prior, it is glaringly obvious that cloud security remains a critical concern as businesses increasingly rely on cloud services.
- AI Fortification: Very little has changed about AI readiness with only 7% reaching maturity, the same as 2024. This underscores the challenges organizations face in utilizing AI systems, and I’ll dive more into this in a moment.
Size Matters: Why Smaller Companies Are Falling Behind
One of the clearest takeaways from Cisco’s research: Company size directly correlates with cybersecurity maturity, and not in the way you might expect.
While large enterprises (1,000+ employees) are the most likely to reach the “Mature” stage of readiness, only 6% have done so. Of deep concern is the fact that, according to survey respondents, more than half (56%) of large companies remain stuck in the Formative stage, and 6% are still Beginners.
Mid-sized organizations (250–999 employees) are holding their own, with 5% hitting the Mature benchmark and 31% classified as Progressive. This agility often allows them to implement security improvements more quickly than larger peers weighed down by bureaucracy.
Small businesses (10–249 employees), however, are in trouble. Only 2% qualify as “Mature,” while a whopping 65% are in the Formative category and 13% are in the Beginner stage. Perhaps most concerning? Many small firms report minimal visibility into how employees are using AI tools, especially generative AI, and that’s a blind spot that is not only dangerous from a risk standpoint but will undoubtedly also prove increasingly costly from a competitive standpoint.
Cybersecurity isn’t just an enterprise problem. Attackers don’t discriminate, and small companies with limited resources are often the easiest entry points into broader supply chains. If you’re a smaller org without a comprehensive security roadmap, now’s the time to act.
AI is Reshaping the Cyber Threat Landscape—Fast
The arrival of Gen AI isn’t just changing how we work, it’s changing how attackers operate. Nearly nine in ten (86%) security leaders reported experiencing at least one AI-related security incident in the past year.
Top AI-related threats include:
- Model theft and unauthorized access (43%)
- AI-enhanced social engineering (42%)
- Data poisoning attempts (38%)
- Prompt injection attacks (35%)
And yet, only 48% of companies responding in the Cisco survey believe their employees understand how malicious actors are using AI to augment these attacks. Even fewer, just 45%, believe their organizations have the internal resources to conduct comprehensive AI security assessments.
That gap between AI adoption and AI governance is widening. Today, 22% of companies allow unrestricted access to public Gen AI tools. Combine that with limited visibility (60% of IT teams can’t see employee prompts), and it’s a recipe for risk.
Shadow AI is real, and it’s growing. Without firm guardrails, employee experimentation with AI tools could inadvertently open the door to massive data breaches, insider threats, or compliance violations.
AI Fortification: Cautious Progress, But Too Slow
While the threat landscape evolves rapidly, organizational readiness around AI Fortification is lagging. As I mentioned earlier, only 7% of companies report they are at the “Mature” level in this pillar, one of the lowest across all five measured categories.
What’s slowing progress? Trust and integration. While 97% of companies would be comfortable with some form of AI-driven security automation, only 33% are ready to fully automate their defenses. In other words: we trust AI to help, but not to take the wheel. Understandable, to a certain degree, but that must change.
The most common AI deployments today are in:
- Threat detection (84%)
- Threat response (71%)
- Incident recovery (70%)
Still, most implementations are partial, not fully automated. Red teaming, rule testing, and infrastructure policy creation remain largely human-driven, with AI acting as an assistant, not a leader.
Despite the hesitation, there’s movement. Companies are already using AI to enhance policy compliance, checking for duplicate or conflicting rules (78%), making enforcement recommendations (78%), and even helping automate policy decisions (71%).
In short, AI Fortification isn’t just an emerging discipline, it’s the next frontier. The organizations that move now to embed AI in meaningful, structured ways will be the ones leading tomorrow’s security playbooks.
Investment Trends: A Step in the Right Direction
The good news? Survey respondents shared that organizations are opening their wallets. 98% of those surveyed plan to increase cybersecurity spending in the next 12–24 months. That’s encouraging, and a trend that is not surprising, but money without strategy is just noise.
Upgrades to existing infrastructure are on the roadmap for 63% of companies. And 58% say they’re investing in AI-driven technologies like generative AI. That’s a smart move; AI isn’t just a threat vector, it’s also one of the most powerful tools defenders have today.
But here’s the rub: point solutions won’t cut it anymore. The companies that win in cybersecurity will be the ones who embrace a platform approach — integrated, AI-enhanced, and built to scale.
Strategic Recommendations: Building a Resilient Cybersecurity Framework
What to do moving forward? For starters, organizations need to stop putting off action and understand the very real risks that AI-powered cyber threats pose. And know that those threats are going to multiply, and quickly, as threat actors get even more adept at using generative AI as part of their toolkits. To bridge the readiness gap, organizations should consider the following strategic actions:
- Adopt an Integrated Platform Approach. Silos are a reality in today’s tech stack, but moving away from siloed solutions and toward integrated platforms that provide comprehensive visibility and control is the path forward.
- Prioritize Identity and Access Management. With 85% of breaches involving human error, having robust identity management solutions in place is crucial.
- Implement Zero Trust Architectures. The time to embrace zero trust is now. Embracing zero trust principles and implementing zero trust architectures will ensure that every access request is verified, regardless of origin.
- Leverage AI and Automation. Utilizing AI-powered analytics and automation has also quickly become business mission critical, allowing organizations to detect and respond to threats in real time.
Conclusion: The Path Forward
The Cisco 2025 Cybersecurity Readiness Index serves as a wake-up call for organizations to reassess their cybersecurity strategies. In a digital-first world, cybersecurity readiness is not optional, it’s a strategic imperative. By adopting integrated, AI-powered, and platform-based security strategies, organizations can enhance their resilience and safeguard their digital transformation journeys.
This article was originally published on LinkedIn.