Cybersecurity control failures cost enterprises $14 million a year
Two thirds of security leaders fear being hung out to dry as breaches rise
New York, November 12, 2025 – Panaseer, a leader in cybersecurity posture management powered by Continuous Controls Monitoring, has released the findings of its annual Security Leaders Peer Report, analyzing the cost of cybersecurity control failures on businesses and security teams.
The survey of more than 400 security decision makers (SDMs) across the USA and UK found 84% of enterprises have experienced a cybersecurity breach or incident that was caused or worsened by security control, policy, or governance failures in the past 12 months. This is up from 61% last year. These security incidents cost each impacted organization $14 million per year – equating to 73% of security budgets – representing a total cost to Fortune 500 and FTSE100 companies of more than $7 billion.
The cost of breaches and security incidents indicates the urgent need for improved controls:
- Two thirds (65%) of SDMs think they could be hung out to dry by their employers in the event of a serious breach – and 62% aren’t fully confident the data reported to board members, risk teams and regulators is always accurate.
- Toxic combinations of overlapping risk are exacerbating the impact of breaches, with 75% of incidents exploiting two or more control failures. Yet 54% of SDMs admit that control failures often go undetected until after an incident occurs.
- 64% admit attackers have bypassed existing controls or tools they believed ‘should have prevented’ breaches within the past year – while 77% worry AI-driven threats are evolving faster than they can respond.
“Organizations have the controls to prevent breaches: the challenge is making sure those controls are operating effectively. The complexity of the IT landscape, sprawl of cyber tools, and fast-evolving threat environment, compounded by growing regulator demands, make it very difficult to achieve even basic hygiene,” says Jonathan Gill, CEO of Panaseer.
“This in turn causes human friction, where even the best-intentioned professionals don’t have the visibility or understanding they need to protect their environments. The inevitable result is controls drift, leading to preventable breaches, costing companies billions of dollars and security leaders their jobs.”
Security teams are overwhelmed with data, but still have no insight
The data also shows that security teams are overwhelmed by tools and reporting. Organizations are using an average of 61 security tools, which are monitored with 58 dashboards. And they must now perform or respond to 28 internal and external audits combined per year, each taking eight days to prepare on average.
As a result, security teams are forced to spend more than a third (34%) of their time gathering, analyzing, and reporting data. For an average enterprise-sized team, this equates to 1,384 hours per week – the equivalent of 195 back-to-back flights from New York to London.
This fragmentation, demand, and complexity is making it harder than ever for security teams to deliver what the business needs with confidence:
- 65% say fragmented dashboards and multiple tools are overwhelming teams with incomplete intelligence, while almost three-quarters (71%) worry that the growing pressures of control monitoring, reporting, and compliance are fueling burnout.
- 77% think traditional controls assurance is not fit for purpose for today's threat landscape, with at least 71% of enterprises having experienced delays in performing or responding to audits, costing companies $247,331 per year on average.
- Almost half (43%) say senior executives failing to understand the need for resilience is still the biggest barrier to improving cyber resilience, whilst 50% say proving controls' effectiveness to auditors or leadership is a major or disruptive challenge.
“For CISOs, it is a case of water, water everywhere, but not a drop to drink. They have data, but no way of knowing what their true risk posture is,” continues Gill. “To address the unknowable – the evolving threat landscape, supply chain risk, growing regulatory demands, and even the reasonable but impossible question to answer from the board or internal audit – CISOs have to fully understand the knowable facts within their control. The only way to do this is with a single, trusted source of ground truth data, translated to the language of each stakeholder. Without this, security teams cannot track controls and progress; businesses cannot understand risk; and enterprises will continue losing millions to preventable breaches.”
About Panaseer
Panaseer is an enterprise cybersecurity company that helps organizations improve their security posture by continuously measuring whether controls are fully deployed and working effectively.
It has been recognized by the World Economic Forum as a Technology Pioneer, helping to solve the world’s most pressing issues.
Panaseer’s Continuous Controls Monitoring (CCM) platform gives CISOs a true picture of their security posture by measuring the performance of their cybersecurity defenses against established frameworks and regulations. This enables them to take targeted action to reduce cyber risk and provide accurate data to stakeholders and regulators. CCM also drives more efficient use of resources through automated processes and improved prioritization.