Failed Cybersecurity Controls Costing U.S. Businesses $30 Billion Yearly

Panaseer recently released ControlWatch and the Continuous Controls Battle: Panaseer 2025 Security Leaders Report examining the cost of cybersecurity control failures and the impact of growing personal liability for security failings on security leaders.

The report analyzes the findings of a survey of 400 security decision makers (SDMs) across the US and UK. It shows that security leaders feel under increasing pressure to provide assurances around cybersecurity, exposing them to greater personal risk – yet many lack the data and resources to accurately report and close cybersecurity gaps.

Key findings include:

The billion $ cost of cybersecurity control failures: 61% of organizations have suffered a security breach in the past year because their policies, governance, and controls failed or were not working effectively. This is costing US businesses a total of $30bn per year1. As a result, 90% of SDMs say they’re being expected to provide greater assurances specifically around security control performance.

Pressure is mounting but many security leaders don’t trust their numbers: 85% of SDMs are facing greater scrutiny from the board. 57% say they are constantly being asked to provide assurances, but lack the trusted data they need to provide them – while only 55% are fully confident that data presented to senior management and the board is fully accurate.

Personal indemnity insurance is a must-have – but some may not be as protected as they think: 72% of security leaders have taken out personal indemnity insurance in the past year to protect themselves from the consequences of security failures, and a further 20% are looking into it. However, just 34% of those with insurance have it in perpetuity; leaving them vulnerable if they leave their current company. “

In the wake of highly publicized attacks – such as the SUNBURST SolarWinds breach – regulators like the SEC are enforcing criminal charges and stringent rules on CISOs, who are under a corporate sword of Damocles. Their feet are being held to the fire by boards and regulators, but they lack the data to provide accurate insights that would help hold the business accountable. After all it’s business risk, not CISO risk,” says Jonathan Gill, CEO at Panaseer. “Some CISOs have been forced to plaster over the cracks with personal indemnity insurance. But this treats the symptoms without addressing the causes. If this blame game culture continues while CISOs are left powerless to provide accurate assurances, many will leave the industry – either of their own volition, or at the behest of courts.”

75% of security leaders feel they have greater personal liability for security failures now compared to two years ago. Most SDMs (72%) think this is at least somewhat fair, with 44% saying it will be a good thing, as it will lead to higher standards in the industry – and 47% saying it has made them even more cautious, which is not a bad thing. A further 31% are primed to take advantage of the changes, saying that they can ask for greater renumeration now that the stakes are higher.

However, a significant minority disagree with increased liability falling on their shoulders. More than a quarter (28%) of SDMs think it’s unfair that CISOs and security leaders can be held personally accountable for security failures, with 23% saying it makes them ‘angry’ that they should have personal risk around security failings. A further 15% say they have considered leaving the industry, while 41% say they are feeling more anxious about their decision making.

“It’s understandable that security leaders have mixed feelings about having greater liability. For some, it will sharpen the mind – raising standards across the industry. For others, it’ll pile more pressure onto an already demanding role,” says Gill. “Ownership, accountability, and responsibility are positives in cybersecurity, but if those tenets go too far, they put undue stress on individuals, rather than the collective. The industry must avoid putting a target on a single person’s back. CISOs shouldn’t be made scapegoats for security incidents, while ignoring all the good work they do.”

One of the major issues outlined in the report adding to security leaders’ trepidation is the extra reporting pressure security teams are under, with 72% stating that if their team could spend less time on reporting they would prevent more breaches. Yet many lack the data and insights needed to provide assurances to the board and senior management. Security teams are being asked to provide assurances on an increasing range of areas – from the company's overall risk of a data breach (65%); to its compliance posture and how to reach/maintain it (48%); right through to business loss impact (37%). Furthermore, 89% of security leaders are expected to provide more data around the role and effectiveness of security investments – with 76% saying they are under greater pressure to provide metrics to justify cyber ROI.

However, 67% say cybersecurity teams are not equipped with the specialized analytical tools needed to provide these assurances to boards and regulators. As a result, 70% of SDMs say they have visibility gaps that prevent them from having a clear picture of risk as there are too many unknowns. This lack of tooling is adding pressure onto teams, with 85% saying they have to influence and drive accountability for implementing security controls with a greater number of teams outside of security.

“While other business units are empowered with specialized tools – like SAP and Salesforce – to enable data-driven insight, CISOs are often left to make do with disparate tools and no single, trusted view,” says Gill. “We need to even the odds, giving security leaders a system of record that offers a transparent view of every asset within an organization. Armed with this golden source of truth, CISOs are empowered to provide assurances, report risk in good faith, discover gaps in security and plug them before security incidents take place, protecting both themselves and their company.”

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.