New Research Identifies Gap Between Risk Assessment Activity and Actionable Risk Reduction

New data shows peer comparisons strongly influence respondents’ approaches (89%), and benchmarking remains a cornerstone of effective cyber risk strategy.

LONDON, UK — 18 November 2025 — A new industry survey, Cyber Risk Management 2025: The Path to Effective Risk Prioritisation, reveals that more than half (56%) of organisations now conduct cyber risk assessments at least weekly, with an average cadence of 6.79 times per month. This frequency signals a strong operational commitment to cybersecurity, though many organisations continue to face challenges in visibility and effectiveness due to siloed tools and outdated practices. The findings underscore the need for more efficient, data-driven assessments – the kind enabled by unified platforms that connect risk, governance, and operations to measurable outcomes.

Commissioned by Derive, the cybersecurity risk and operations platform that helps teams quantify risk, prioritize actions, and prove impact, and conducted by Opinion Matters, an independent research company, it surveyed 200 cybersecurity and cyber risk management professionals working in UK organisations with between 2000 and 5000 employees across a range of industries.

Compliance and Leadership Reporting Drive Assessment Purpose

According to the survey, compliance is the primary reason for conducting cyber risk assessments, as identified by nearly one quarter (23%) of respondents. However, when questioned regarding their organisation’s method for prioritising cyber risks in terms of mitigation or remediation, 65% reported that guidance from leadership is the primary factor determining prioritisation.

Findings highlighted that many tools still rely on static reports and scheduled assessments, offering a limited snapshot of risk. The report calls for a shift toward continuous monitoring and real-time validation of risk mitigation activities, enabling faster response, more accurate quantification, and improved prioritisation.

“Cyber teams are working harder than ever, but too often without clear visibility into what’s actually reducing risk,” said Alex Nette, CEO of Derive. “This data confirms what we see every day – organizations need a single, data-driven platform that connects risk, governance, and operations so they can prioritize what matters, automate the rest, and prove impact in real time.”

Key Challenges: Fragmentation, Skills Gaps, and Communication Barriers

The most persistent challenges respondents reported when undertaking risk assessments include fragmented platforms (32%), a skills gap (30%), and difficulty communicating value to leadership (29%), followed by reliance on outdated data and manual processes (26%). These barriers highlight the urgent need for integrated platforms like Derive that unify cyber risk, governance, and operations data – enabling automation, measurable impact, and clear investment justification.

Legacy Tools Still Dominate

In fact, despite technological advancements, many organisations continue to depend on external consultants (44%), manual processes (44%) and spreadsheets (43%). Larger organisations (5000+ employees) are significantly more likely to use third-party tools (49% versus 38% average), suggesting both cost constraints and legacy habits are stopping smaller businesses from benefiting from specialist tools. This presents an opportunity to democratise access to cost-effective modern risk assessment tools that deliver more meaningful results.

Budget Influence and Decision-Making

Cyber risk assessments play a critical role in budget decisions. Half of those surveyed (50%) say assessments are strongly influential and 13% say they are the sole driver. However, decision-making is often hindered by an overload of unprioritised options (21%) and difficulty proving value to leadership (18%).

All respondents report some ability to measure business impact, with top metrics including:

  • Improved response time (50%)
  • Audit satisfaction (47%)
  • Revenue/cost outcomes (43%)
  • Risk exposure reduction (41%)

This partial ability to measure the impact of cyber risk assessments, combined with prioritisation difficulties and challenges of proving value to leadership, points to a reality where risk teams are struggling to deliver risk models at the pace and accuracy required.

Peer Benchmarking Gains Traction

Peer comparisons influence 89% of respondents, reinforcing the importance of benchmarking. Here, it is important to undertake peer benchmarking that identifies truly comparable firms by normalising financial data and aligning accounting practices to enable accurate performance and valuation comparisons.

“Benchmarking and automation are now critical to closing the gap between analysis and action,” said Corey Neskey, CTO of Derive. “By combining real-world peer data with continuous risk modeling, teams can focus resources on the actions that truly reduce loss.”
