New research reveals that 81% of consumers would lose trust in a brand if their personal data was breached — even once.
The 2025 CISO Benchmark Report, published by the Retail and Hospitality ISAC (RH-ISAC), examines the effects of digital transformation on cybersecurity initiatives within these sectors.
Notably, the report emphasizes the need to secure the digital core, champion cybersecurity as a key business driver, and leverage automation and AI to scale security to today’s demands.
Admitting the Security Maturity Gap: Even the Frontrunners Behind Benchmark
According to the report, 75% of all retail and hospitality organizations are accelerating their ‘technical reinvention’ efforts. However, all of them fell short of global industry benchmarks.
Organizations were judged on the security maturity of their digital core, or the “foundation that integrates advanced platforms, AI-driven cybersecurity, and zero-trust architectures.” Tested areas included DevSecOps, threat modelling, coverage, zero trust, cyber-physical systems, automation of security, and state of security.
Overall, 18% emerged as “Frontrunners,” displaying a higher digital core security maturity score than the rest. However, even then, Frontrunners only scored a collective 53 points out of 100; the Rest scored a meager 17. All scored significantly under the global security targets for each category.
What were the blockers? 71% cited budget constraints, 69% cited competing IT and cyber priorities, and 45% couldn’t do it all while keeping up with the speed of business.
The good news? Those companies that did display a cyber-mature digital core witnessed:
A 30% boost in NIST scores
2.5X more technical debt reduction
40% more profitability and 60% higher revenue growth
Ransomware, Third Parties, and Phishing: Oh, My
The top information security risk facing retail and hospitality companies per this year’s report was ransomware/malware (70%). Following that were third party/supply chain attacks (58%) and phishing (47%).
As noted on RH-ISAC's website, in 2024, phishing rose within these sectors by 22% and ransomware accounted for nearly one in three of all reported incidents. Ransomware attacks led to an average downtime of 72 hours, with lost revenue and recovery losses costing businesses up to $1.4 million per attack.
Interestingly, the top ten ways these businesses plan to fight back have remained consistent over the past two years, though their order has changed. Notably, “business continuity and disaster recovery” has risen from the fourth spot to number one. Frontrunners, however, ranked it as priority number two, with “vulnerability management identification/remediation” first.
Here are the top five key initiatives planned to mitigate risk in retail and hospitality overall:
Business continuity & disaster recovery strategies (51%)
Vulnerability management identification/remediation (50%)
Zero trust security architecture (43%)
Security for hybrid cloud/on-premises environments (38%)
Vendor oversight (38%)
As RH-ISAC states on their site, “Third-party supply chain breaches accounted for 41% of reported incidents within the sector.”
83% Industry Adoption of NIST CSF
Although a voluntary framework, NIST CSF scores among retail and hospitality organizations have risen 25% since 2024.
Despite there being other security regulations like PCI DSS and GDPR, NIST CSF remains the gold standard for security improvement within these sectors. The rollout of NIST CSF 2.0 in February of last year could have something to do with that.
With its scope expanded beyond critical infrastructure, retailers and others found the standard immediately applicable. CSF 2.0 also places greater emphasis on supply chain risk management, adding a specific category for it at a time when four in ten industry cyberattacks came through third parties.
On a scale of one to five, Frontrunners outpaced the Rest in NIST maturity with a score of 3.2, a figure only set to rise in 2026.
What This Means for Businesses and CISOs
As RH-ISAC sums up, “The organizations that thrive will be those that treat cybersecurity not as a cost center, but as a core business function.”
This trend is reflected in the changing role of CISOs. According to the report, the number of CISOs now reporting directly to executives jumped from just seven percent last year to nearly one in five (19%). Now, seven percent report directly to the Board and CEO.
Additionally, as data continues to underpin decisive action and feed AI models, CISOs have experienced a 26% increase in data management responsibilities. Now, over 90% of CISOs consider themselves responsible for:
As organizations come to see security as a core business enabler, CISOs’ impact, involvement, and accountability will continue to grow.
Future Retail and Hospitality Growth Depends on Good Data
Fortra enables CISOs to do their job and keep data risks to a minimum. As AI models feed growth within customer-facing sectors like retail and hospitality, the burden of clean, protected data will only increase.
Fortra keeps data safe by breaking the attack chain that ultimately ends in exfiltration and exploitation. Retailers and hospitality businesses like hotels and airlines are constantly improving with the latest apps to give their customers the best experience. In this flurry of innovation, data can get lost.
Fortra Data Security Posture Management (DSPM) finds, classifies, and protects sensitive information, no matter where it lives.
Fortra Data Loss Protection (DLP) enables immediate visibility into your assets, automated remediation (across endpoints, the network, and the cloud), and zero-trust network access.
Fortra Data Classification Suite (DCS) boosts DLP effectiveness with persistent metadata, additional context, and the ability to enforce policies across platforms like Windows, Microsoft Office, Outlook Web App, and more.
The future of retail and hospitality cybersecurity depends on strategic leadership. As the threat landscape changes, that means embracing AI, automation, and other ways to broaden cyber defense.
CISOs who recognize their responsibility as business enablers will seek out solutions that do the one thing that matters most to that growth: protect data and do it at scale.
Fortra Makes Comprehensive Data Protection Possible
Interested in joining Fortra in our mission to break the attack chain? Chat with our experts to learn how our solutions make it possible.