Houston, Texas, Dec. 18, 2025 (GLOBE NEWSWIRE) -- APQC has released a new research report, Cybersecurity Risk Management, Reframed: How Top Performers Diffuse Security Through ERM to Operationalize Resilience, introducing the Cyber-ERM Integration Index (CEII)—a new, data-driven model for measuring how effectively organizations integrate cybersecurity into enterprise risk management (ERM).
Based on input from 5,000 business leaders worldwide, the research shows that organizations embedding cybersecurity into ERM recover faster from cyber events, detect incidents sooner, and make more deliberate decisions at the executive and board levels.
“Too many organizations still treat cybersecurity as a technical function rather than an enterprise risk discipline,” said Laura Clymer, Director of Research Services at APQC. “Our research shows that resilience improves when cybersecurity is embedded into the same governance, processes, and decision frameworks leaders already use to run the business. The Cyber-ERM Integration Index gives organizations a practical way to see where they stand today—and where focused integration will deliver the greatest impact.”
Key findings include:
- Only 41% of organizations report any meaningful integration of cybersecurity into ERM
- Just 23% extend cyber risk management to partners and suppliers
- Top performers diffuse up to 35% of security resources across business units and regions
- Organizations that build a stronger risk culture with shared metrics are 24% more likely to feel prepared for cyberattacks
- Higher CEII scores are linked to faster recovery, improved detection, and stronger governance outcomes
Introducing the Cyber-ERM Integration Index (CEII)
The CEII provides a practical benchmarking lens, scoring organizations on a 0–10 scale based on indicators such as risk culture, governance alignment, third-party risk management, automation, and financial quantification of cyber risk reduction. The report includes a short self-assessment to help leaders benchmark maturity and prioritize next steps.
Five practices that distinguish cyber-resilient organizations
APQC’s statistical analysis identified five ERM-related practices most strongly associated with cyberattack preparedness:
- Strengthening risk culture through shared processes and metrics
- Securing visible C-suite and senior leadership support
- Quantifying how mitigation strategies reduce exposure
- Embedding risk management directly into business processes
- Leveraging AI for detection, monitoring, and predictive risk modeling
Report availability
Cybersecurity Risk Management, Reframed is available from APQC and includes global benchmarking data, the full CEII model, and practical guidance for integrating cybersecurity into enterprise governance and decision-making. The report is designed for board members, CISOs, CROs, and senior leaders responsible for enterprise risk, cybersecurity, and operational resilience.
To learn more or access the full 23-page report, visit: https://www.apqc.org/research-report/cybersecurity-risk-management
About APQC
APQC helps organizations work smarter, faster, and with greater confidence. With more than 45 years of experience, APQC is the world’s foremost authority in benchmarking, best practices, process and performance improvement, and knowledge management. Learn more at www.apqc.org.

Paige Dawson APQC 2148087341 paige@mpdventures.com
