RH-ISAC: 2025 CISO Benchmark Report

Cybersecurity | Jul 2025 | RH-ISAC

What: Global CISO survey reveals critical security gaps in retail sector, with 82% of companies lacking strong digital core security maturity while facing increased ransomware and supply chain threats.


Why it is important: As recent attacks on major retailers demonstrate, the findings highlight an urgent need to strengthen cybersecurity foundations, with ransomware and supply chain vulnerabilities now directly impacting market valuations and customer trust.


The 2025 CISO Benchmark Report reveals significant vulnerabilities in retail cybersecurity infrastructure, with only 18% of companies achieving frontrunner status in digital core security maturity. The survey of 171 CISOs identifies ransomware (70%) and supply chain attacks (58%) as the primary security risks, while budget constraints (71%) and competing IT priorities (69%) emerge as the major challenges. Business continuity has become the top cybersecurity priority, rising four places from 2024 and reflecting the sector's growing focus on operational resilience. The report highlights a significant shift in security workforce composition, with contractors making up 52% of InfoSec teams, rising to 60% among frontrunners. Despite these challenges, the sector shows promising developments in NIST Framework adoption, with scores rising 25% since 2024 and frontrunners outperforming their peers by 12%. The findings emphasise the critical need for retailers to secure their digital core while balancing rapid technological advancement with robust security measures.


IADS Notes: The 2025 CISO Benchmark Report's findings are starkly validated by recent events in the retail sector. The report's emphasis on ransomware as the top security risk (70% of respondents) was demonstrated by the devastating Marks & Spencer attack in April 2025, which wiped £700 million off the company's market value. The importance of supply chain security, cited by 58% of respondents, was highlighted when both Harrods and Co-op suffered breaches through third-party vulnerabilities in May 2025, with Co-op's incident affecting up to 20 million customers. The report's finding that 82% of companies lack strong security maturity aligns with the March 2025 CrowdStrike incident, where a single security update failure resulted in £5.4 billion in losses across Fortune 500 companies. These incidents have transformed the cyber insurance landscape, driving a 10% increase in premiums across the UK retail sector, while bearing out the report's key finding that business continuity has become the top cybersecurity priority.
