RH-ISAC's 2025 CISO Benchmark Report spotlights top threats facing retail and hospitality
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) has released its 2025 CISO Benchmark Report, offering a detailed look at the industry’s growing focus on proactive, business-enabling cybersecurity strategies.
The 2025 report, developed in partnership with Accenture, draws on input from nearly 200 cybersecurity leaders across retail and hospitality. It highlights ransomware, third-party supply chain attacks, and phishing as the top three threats facing the sector.
Business continuity and disaster recovery emerged as the top cybersecurity initiative for 2025, rising from the number four spot in last year’s report and signaling a deliberate shift towards proactive risk management. Smaller organizations are closing the cyber maturity gap with larger companies, and cybersecurity budgets are showing consistent year-over-year increases.
Other key findings from the 2025 report include:
- A 25% improvement in average NIST CSF maturity scores from 2024 to 2025, indicating stronger and more repeatable processes
- A 12% rise in CISOs reporting directly to senior business leadership, showing that cybersecurity is increasingly being seen as a factor in business outcomes
- An 11% increase in spending on third-party security services, with penetration testing and security operations centers as the most commonly outsourced services
- Growth in security staffing, with nearly 40% planning to expand full-time employee headcount
- A growing focus on collaboration, collective intelligence, and early warning systems to help companies detect and prevent attacks before damage occurs
“This year’s report shows how far the industry has come,” said Suzie Squier, President of RH-ISAC. “Retail and hospitality security leaders are building stronger foundations, embracing emerging technologies, and helping create a culture of intelligence sharing and trust. That’s the kind of momentum that raises the bar for everyone.”
“Cyber threats are evolving fast, and we need to work together to stay ahead of them,” said Rich Agostino, board chair of RH-ISAC and senior vice president and chief information security officer at Target. “Through RH-ISAC, we’re seeing the power of real-time intelligence sharing, benchmarking, and collaboration in action. I’m proud of Target’s deep engagement with RH-ISAC to help the industry become stronger and more resilient.”
The report calls on organizations to continue to prioritize security as a strategic business function, close maturity gaps, adopt zero-trust frameworks, and modernize legacy systems.
The full report is available for RH-ISAC members. A TLP:Clear version of the report is available here.