Executive Summary

The year in review

Mapping control failures across the enterprise

In the past year, 84% of organizations have suffered a breach caused by a failure in controls. Three-quarters (75%) of these were driven by a combination of two or more control failures – a toxic mix that turns common control failures into surefire breaches.

With the annual cybersecurity budget standing at $19.3 million, and the fall-out from cyber events costing an estimated $14 million, organizations lost close to the equivalent of three-quarters (73%) of 2025 security spend to hidden gaps in their day-to-day defenses.

[Figure: Relationship between company size and spend on cyber events. Callouts: share of firms hit by a breach linked to control failures in the past 12 months; share of firms hit by incidents with more than one control failure (toxic combinations); average yearly cyber losses per enterprise, in millions; equivalent % of security budgets consumed by breach-related costs.]

The biggest challenge facing CISOs over the next 12 months is balancing rapidly evolving cyber threats with limited budgets, talent shortages, and increasing regulatory pressure. Too stressful.

Managing complexity and data overload in 2026

It is no coincidence that CISOs and their teams witnessed more control failures at a time when pressure is high, budgets are stretched, and resourcing is low, as teams grapple with more regulation, more oversight, and a faster-moving threat landscape than ever before.

The daily reality for CISOs and their teams has shifted.

There are now 61 different security tools in use across enterprise organizations, each with siloed dashboards, alerts, and unique reporting parameters that add another level of confusion and complexity when trying to normalize data and understand trends. Each new tool brings the promise of reducing risk, but without an aggregate, common understanding of how these tools work together, they are actually moving organizations further away from proactive cyber resiliency.

[Callouts: share of teams overwhelmed with incomplete data; average number of cybersecurity tools used at enterprise organizations; share of firms facing controls environments that are too complex to manage without automation; share of cyber teams' time spent on reporting efforts.]

Between the steady rush of new AI threats and the tangle of overlapping compliance demands, even the best teams admit they’re stretched thin, and having a lot of tools is not the same as having control. More tools equal more complexity, and that complexity is leading directly to control gaps and failures as teams struggle to keep up.

We surveyed leaders across a diverse range of industries, organizational size, cybersecurity budgets, and team structures. Each sector faces the same challenges, no matter the size of the organization. In fact, visibility gaps are just as prevalent in large enterprises as they are in smaller organizations, pointing to an industry-wide challenge.

Despite what many have long touted, having a lot of tools is not the same as having control. More tools = more complexity. And complexity is now leading directly to control gaps and failures.

© 2025 Panaseer Limited. Reg in England and Wales with the company registration 09098199 Reg address: Ashcombe Court, Woolsack Way, Godalming, Surrey, GU7 1LQ UK.