GuidePoint Security has published its 2026 State of Cyber Risk Management Report, produced with the FAIR Institute and SAFE. The study found cyber risk management is playing a larger role in business decision-making.
The report draws on responses from 400 cyber risk, security, technology and risk management professionals at organisations with 1,000 or more employees. It highlights stronger board attention, wider use of automation and artificial intelligence, and a persistent gap between confidence in cyber risk programmes and execution.
Some 89% of organisations said they expect demand for cyber risk management to rise over the next three years, and 72% plan to increase investment in cyber risk management over the next 12 months.
Board involvement featured prominently in the findings. Some 89% of organisations reported board-level approval for defined risk appetite and tolerance levels, while 90% of those using fully quantitative measures said they now express cyber risk in financial terms.
This suggests cyber security teams are increasingly framing risk in language that senior finance and business leaders can use. The top outcomes linked to cyber risk management were greater risk reduction, improved credibility for cyber security teams, and better alignment of security resources with business priorities.
Execution gap
Despite that progress, the study identified weaknesses in governance and communication. While 76% of organisations said they are effective at translating risk assessments into business decisions, only 35% described their formal governance groups as fully effective.
Cross-functional coordination also remains a challenge. The report found that 46% of respondents cited poor cross-departmental communication as a governance and accountability gap, while 33% identified gaps between cyber security silos as a primary challenge.
These findings point to a divide between how organisations assess the maturity of their cyber risk efforts and how consistently those efforts work in practice. That divide appears most often in governance effectiveness, communication across departments and fragmented security structures.
GuidePoint also linked programme maturity with a more proactive cyber security posture. In the survey, 62% of organisations described their cyber security efforts as proactive.
That figure rose to 91% among organisations with very high cyber risk management maturity. Among those with moderate maturity, the figure was 37%.
Most respondents (85%) said their risk treatment or response processes were effective. Read alongside the maturity figures, this suggests that more mature frameworks are associated with more reliable execution once risks have been identified.
AI in workflows
Automation and artificial intelligence are also becoming more common in cyber risk operations. According to the findings, 64% of organisations reported mostly or fully automated cyber risk management systems, and 80% said they are using or experimenting with AI.
The main areas where respondents saw potential for AI were automated risk quantification, workflow automation, forecasting and scenario simulation. These uses suggest AI is being tested not only for efficiency gains, but also to support risk analysis and reporting.
"Organisations have made real progress building cyber risk management programs, but maturity doesn't always translate into consistent execution," said Brian Betterton, VP of GRC at GuidePoint Security, commenting on the findings.
"The opportunity now is to make risk practices more visible, repeatable and connected to business decisions. AI is accelerating that shift by moving risk management from a quarterly exercise to real-time decision support."
Betterton said the next stage of development will depend less on formal structures and more on whether those structures are used in decision-making.
"Cyber risk management has earned a seat at the business table, but that only matters if programs can deliver," he said.
"The next phase will be defined by organizations that stop measuring maturity by what they have in place and start measuring it by what actually gets used. Financial quantification and materiality analysis are the differentiators because they turn risk data into decisions CFOs and boards can act on."