Articles | December 01, 2025

Cyber-ERM Integration: Leadership’s Next Test

Your security foundation is strong. Risk management seems robust. But something still feels off. The missing piece is integration. APQC introduces the first evidence-based assessment tool and roadmap to maturity.

Most leaders who trust their enterprise risk programs and digital security defenses to stop cyberattacks are fooling themselves. 

Across industries, the two functions still tend to move on separate tracks. Each does important work, but they rarely intersect enough to adequately drive strategic decisions or fortify risk culture. That lack of coordination leaves room for small choices inside the business to create the conditions cyber criminals seek to exploit. It also leaves leaders with a false sense of security, even when the programs look strong on paper.

In a new report, "Cybersecurity Risk Management, Reframed," research by the American Productivity & Quality Center shows how widespread this disconnect has become – and what to do about it. Drawing on global surveys of 5,000 organizations, the report introduces the first evidence-based tool designed to help leaders assess how well cyber risk management is woven into enterprise risk frameworks. It includes a detailed roadmap for reframing cybersecurity as a strategic concern, enhancing integration, and operationalizing resilience.

The report outlines why better integration is essential and what happens when organizations fail to achieve it. Key findings include:

  • Security-ERM integration remains limited. Only 41 percent of organizations report any level of integration between cybersecurity and enterprise risk management.

  • Culture is a powerful differentiator. Organizations that not only foster but also measure risk culture report significantly higher maturity and preparedness.

  • Third-party exposures remain a blind spot. Just one in four organizations extends its risk framework to suppliers and partners, even as ecosystem vulnerabilities grow.

  • Financial framing is rare. Few organizations express cyber risk reduction in financial terms, limiting leaders’ ability to weigh security against other strategic decisions.

 

"Cybersecurity Risk Management, Reframed" brings these insights together in a way that shifts the conversation. The research exposes gaps that many organizations overlook and reveals practices that set resilient enterprises apart. It shows how cybersecurity gains strength when it is integrated with the systems and frameworks that guide strategy, processes, data, and decision making. The companies that act on these findings now will be the ones setting the standard for resilience in the years ahead.

Download the full report today to gain access to insights few organizations have yet uncovered—and learn how to make resilience a source of value.
