Cybersecurity state of the industry report: what teams should benchmark

TL;DR: Cyber Security Tribe’s 2025 annual state of the industry report compares 350-plus cybersecurity professionals’ responses across people, process, and technology, giving practitioners a benchmark for priorities and maturity shifts from 2024 into 2026. The report is most useful as a programme calibration tool, not a vendor scorecard.

NHIMG editorial — based on content published by Cyera: Cyber Security Tribe's 2025 Annual State of the Industry Report

By the numbers:

• The survey gathered responses from over 350 cybersecurity professionals.
• The survey was conducted between December 2024 and January 2025.

Questions worth separating out

Q: How should teams use cybersecurity benchmark reports in identity governance planning?

A: Use them to compare your programme’s operating assumptions with peer priorities, then check whether the gaps are in people, process, or technology.

Q: What does a people, process, and technology model miss in NHI governance?

A: It misses whether the identity subject is actually the same across controls.

Q: How can security leaders tell if their identity programme is over-focused on tooling?

A: If reporting tracks product deployment more closely than access ownership, exception closure, and lifecycle review, the programme is likely over-focused on tooling.

Practitioner guidance

• Re-baseline identity governance against all three operating dimensions Map current controls to people, process, and technology and identify where human IAM coverage does not extend cleanly to service accounts, API keys, tokens, and AI-driven access paths.
• Separate human and non-human benchmarks in reporting Track visibility, ownership, lifecycle, and exception handling for NHIs separately from human access review metrics so that one group’s maturity does not hide the other’s gaps.
• Use the report as a roadmap checkpoint Compare your current 2025 and 2026 priorities against peer benchmarks to see whether remediation work is still centred on tooling when operating-model change is the real constraint.

What's in the full report

Cyera's full report covers the survey detail this post intentionally leaves for the source:

• The year-over-year survey comparisons across people, process, and technology that let you benchmark your own programme.
• The expert commentary sections that explain how practitioners are interpreting the 2025 priorities.
• The full response breakdown from more than 350 cybersecurity professionals for deeper peer comparison.
• The report framing for using the benchmarks as a planning tool through 2026.

👉 Read Cyera's state of the industry report for cybersecurity benchmarks and trends →

Cybersecurity state of the industry report: what teams should benchmark?

Explore further

View Full Forum →  |  NHI Foundation Course →