Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report

What does the maturing of cybersecurity look like in today’s tech landscape? Explore what the CompTIA State of Cybersecurity 2025 report has to say.

WRQ-198_ACHE_BlogThumbnail_Current Cyber Trends_10.6
If April is the cruelest month, then October is absolutely the most intriguing. Why? Because it’s when we share the CompTIA State of Cybersecurity 2025 report, not only as a way to welcome Cybersecurity Awareness Month, but to highlight the latest measures, trends, and data regarding the industry.  

Let’s take a look at some of the more nuanced and intriguing findings the report has to offer. While it’s undisputed that there's still so much progress that needs to happen in the field, there is some real evidence that the cybersecurity industry is continuing to grow and evolve in the right direction.  

The rise of multiple security architectures 

The phrases “security architecture” and even “zero trust architecture” have been bandied about for years. But, rarely have I ever seen a report discussing the need to use multiple architectures to implement, at the minimum, adequate cybersecurity measures. 

Presumably, the cybersecurity industry’s goal is to reduce the attack surface, and therefore lower the cost and rate of cybersecurity incidents and data breaches while bolstering overall data security. To bring this about, the cybersecurity industry has created dozens (if not hundreds) of initiatives, directives, cybersecurity frameworks and methodologies and lifecycles. Yet, this is the first time I’ve seen a report discuss the need to modularize cybersecurity into multiple architectures. 

WRQ-192_GOV_Blog Image 1_James Stanger Cybersecurity Report Take_10.18

 

I think that addressing business logic first – which includes executive buy-in to budgeting – is a brilliant move. It reflects a certain maturity in the cybersecurity industry. Cybersecurity– a notion that once seemed confined to tech departments within organizations, is getting the recognition it deserves among the people at the helm of business operations. This executive buy-in ensures that best practices for safeguarding systems extend beyond just the tech department and influences the behaviors of individuals in all parts of an organization.  

As much as I love to discuss application workflows, data architectures, and the fun, greasy techie stuff, it’s a truly useful step to put “business architecture” first. That does mean this report is aimed solely at enterprises or MSPs or for-profit organizations: It states that once you get your business process ducks in a row, you’re off to a great start. If cybersecurity involves successful iteration, then it’s vital that you have a clear-cut set of policies to establish a clear path forward.  

Addressing disconnects: A new look at “gaps” 

Notice that the report eschews the phrase “skills gap.” Instead, it addresses multiple gaps that effectively become silent but powerful barriers that sap an organization’s will to implement cybersecurity. Some of the gaps – which the report calls disconnects, are discussed in the table below. 

Cybersecurity gap

Description

Value

A disconnect between planned investments in technology and business process changes and perceived actual results.

Methodology

Slow adoption of proven cybersecurity strategic approaches, including incident response, governance, and data defense.

Budget

There is a chronic discrepancy between what leaders say about cybersecurity being a priority, and the money they subsequently (don’t) pony up. In a recent webinar I gave, a CISO wrote in a comment that read, “There’s never any budget until after an attack happens.”

Process

The report does a fantastic job of showing the importance of each architecture necessary to cybersecurity (business, application, data, and technology.

 

The overall result is a cybersecurity confidence gap. Here’s hoping that organizations see how looking into each of these gaps can help them improve their processes and make meaningful progress. 

Notice that the table doesn’t list a “skills gap.” I don’t list it, because similar to the letters, “AI,” it is a phrase that is increasingly shopworn. Furthermore, the phrase doesn’t capture the nuances as found in the report. The report discusses how specialized skills are important. Specific skills that are increasingly important include: 

  • Network monitoring and security 

  • Security analytics 

  • Governance 

  • Risk management and analysis 

  • Cloud security 

  • Operational Technology 

Moving the needle  

The report then includes a list of ways that organizations are improving the use of cybersecurity technologies and processes. As you would expect, it primarily focuses on executive buy-in, but, it doesn’t stop there: The report then discusses the need for IT and cybersecurity workers to better visualize the impact of the tools they use. This also highlights the importance of having skilled cybersecurity professionals who can execute these needs.  

WRQ-192_GOV_Blog Image 2_James Stanger Cybersecurity Report Take_10.18

 

In other words, it’s important to better articulate the value that specific initiatives bring to the organization. Once again, it appears that the cybersecurity industry is making some progress at demonstrating its business value. 

Are we getting past peak AI hype? 

So much surface level documentation about artificial intelligence (AI) and its implications on cybersecurity has come about. It’s refreshing to see that the report investigates the hype surrounding AI. For example, the report states that only 7% of firms state that they have fully implemented AI in their operations. The report also reveals another tell-tale sign of AI hype: For now, AI is increasing, and not decreasing, cybersecurity complexity, mainly because organizations are still trying to figure out exactly where to use it.  

In fact, the report states that 47% of the respondents feel that they’re still trying to figure out what the emergence of generative AI really means; I think that’s remarkable: It demonstrates honesty and curiosity: Two elements that are extremely valuable, yet not often discussed in the cybersecurity industry. 

So, the jury is still out on AI, though one point is clear. AI-enabled cybersecurity use cases seem to favor content-based approaches. The graphic below that shows AI-enabled cybersecurity measures suggests that AI has the ability to monitor network traffic content, do threat modeling, and predictive analytics. 

 

WRQ-192_GOV_Blog Image 3_James Stanger Cybersecurity Report Take_10.18

 

 AI remains the most compelling poster child for automation. It’s revealing that cybersecurity workers and leaders continue to suggest that they are just starting a meaningful journey into the practical use of AI. 

Curious and want to dive deeper? I highly recommend that you check out the report. It provides quite a snapshot of an industry that, while it sometimes fails to make as much progress as it should, seems to be getting increasingly serious about solving long-standing problems. Read the CompTIA State of Cybersecurity 2025 report  

Blog contribution by Dr. James Stanger, CompTIA Chief Technology Evangelist 

Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment