CISOs are increasingly invited to board meetings. A Splunk survey from January found that 83% participate somewhat often or most of the time, while a similar share interacts directly with the CEO. Yet fewer than a third of respondents say the board includes one or more members with cyber expertise. That means CISOs may be talking without really being heard.

The Verizon Data Breach Investigations Report (DBIR) is an excellent opportunity to set the record straight. It’s packed with valuable threat landscape insight that could be used as a springboard to strategic conversations. CISOs not talking about these breach trends in leadership meetings may be leaving their organisation exposed.

A Communication Breakdown?

Research tells us that in many organisations, CISOs either aren’t speaking the language of the board/business, or the board doesn’t want to listen – or both. FTI Consulting research reveals that nearly a third (31%) of executives don’t fully understand technical concepts used by the CISO and that over half (58%) of CISOs struggle to convey this language in a way senior leadership can understand. A further third of executives claim their CISOs are hesitant to raise potential security issues to their attention.

Yet the problem swings both ways. A Trend Micro study from 2024 claims that four-fifths (79%) of global CISOs have felt boardroom pressure to downplay the severity of cyber risks – often because they’re seen as being “nagging” or “overly negative”. A third say they have been dismissed out of hand. This can be linked to a common accusation: that boards still consider cyber to be a matter for the IT department and not the business. Only half (54%) of CISOs Trend spoke to said they are confident their board completely understands the organisation’s cyber risks – a figure that has barely shifted in three years.

“The board listens when cyber risk sounds like business risk – that’s how you move from the server room to the board room. CISOs must translate technical complexity into business relevance,” advises Mick Baccio, global security advisor at Splunk SURGe.

“To be heard, they must bridge that gap and frame cybersecurity as a business enabler: aligning security metrics to revenue protection, regulatory compliance, and customer trust. Equally important is building informal relationships with board members to become a trusted advisor, not just a compliance messenger.”

DBIR Breach Trends to Watch

Assuming CISOs can get the ear of their board, what should they be worried about? Verizon’s latest DBIR is based on an analysis of over 22,000 security incidents, including 12,195 confirmed data breaches. It highlights several trends of concern, including:

  • An annual rise in “system intrusion” events from 36% to 53% of data breaches. These are more sophisticated attacks characterised by malware and hacking.
  • The above finding is driven by a surge in ransomware attacks, which rose in number by 37% since last year and are now present in 44% of breaches, despite a decrease in the median ransom amount paid. SMBs are disproportionately affected.
  • 40% of ransomware victims had corporate email addresses stolen by infostealers.
  • Credential abuse (22%), exploitation of vulnerabilities (20%) and phishing (19%) were the main data breach attack vectors.
  • Generative AI is a growing risk on two fronts: synthetically generated text in malicious emails (i.e., phishing) doubled over the past two years, while 14% of employees routinely access GenAI systems on their corporate devices. A majority (72%) used a non-corporate email as their account identifier, hinting at shadow AI use.
  • Human involvement in breaches remains high, at around 60%, most notably credential abuse and social engineering.
  • There was a 34% increase in vulnerability exploitation as a breach attack vector, especially zero-day exploits targeting perimeter devices and VPNs. Only half (54%) of perimeter device vulnerabilities were fully remediated, and it took a median of 32 days to do so.
  • The percentage of breaches involving third parties doubled to 30%.
  • BYOD remains a threat: 46% of systems compromised by infostealers with corporate logins stolen were personal devices.

CISOs should be having “risk realism” conversations with their boards on the back of these findings, says Baccio.

“If your crisis plan stops at your own firewall, you don’t have a crisis plan. Verizon’s report is clear: the attack surface has expanded, and attackers are exploiting the human, technical, and supply chain layers simultaneously. Directors must move beyond box-ticking and ask: Where are we truly most vulnerable?” he tells ISMS.online.

“Third-party risk and edge device exposures must be treated as business continuity threats, not just IT issues. The board should demand regular scenario planning around credential abuse, ransomware extortion, and insider-driven data leaks.”

Trend Micro’s director of cyber strategy, Jonathan Lee, argues that the report should be another “wake-up call” for boards about the need to align security strategy with operational resilience.

“We only have to look at the recent high-profile incidents impacting UK retailers to see the lost revenue, lost profit and lost reputation that can follow an attack. In some cases, being breached can be an existential threat to an organisation. In a public service context, this can have a real-world physical impact too, such as the clinical harm that was caused following the NHS supply chain attack on Synnovis,” he tells ISMS.online.

“Simply acknowledging that these risks exist and adding them to a risk register is insufficient. Why wait for a breach to hit your organisation? Isn’t it better to be proactive and prepared, rather than reactive and unprepared for if the worst happens?”

Bridging the Gap with Compliance Programmes

Best practice standards like ISO 27001 can help here by providing boards and security leaders with a common language and risk-based approach via which to improve cyber resilience.

“Compliance frameworks won’t stop every attacker, but they will stop chaos in your response. Frameworks like ISO 27001 and SOC 2 provide a common language and structure to align cybersecurity controls with business objectives,” says Splunk’s Baccio.

“They offer repeatable, auditable evidence of risk management without being as prescriptive, or slow, as regulatory regimes like NIS2. The value is not just in the certification but in the discipline and clarity it brings to cybersecurity strategy and reporting.”

Trend Micro’s Lee says these standards can even provide a handy on-ramp to compliance with regulations like NIS2 and the forthcoming UK Cyber Security & Resilience Bill.

“As well as hardening defences from attackers, such an approach also demonstrates a commitment to maintaining high security standards to your supply chain and digitally interconnected partners,” he concludes.

“By utilising these compliance programmes, CISOs can bridge the gap between cybersecurity and their organisations, ensuring that security measures are seen as a core part of their organisation’s success and resilience.”