Key Focus for Cybersecurity Leaders in Germany

In recent years, the landscape of cybersecurity concerns has shifted significantly between nations, particularly between Germany and the United States. A recent survey revealed fascinating differences in how businesses in these two countries assess their vulnerabilities, especially regarding specific security breach categories. In the survey, a substantial 72% of US respondents indicated that data breaches were their primary concern when asked to identify their top two worries. In contrast, only 37% of German companies reported data breaches as a primary concern. This disparity might stem from the considerable investments German companies have made in privacy controls following the implementation of the General Data Protection Regulation (GDPR).

For German firms, ransomware has emerged as the leading threat, with 39% of respondents naming it their top concern. Other notable concerns include data breaches, which ranked second, followed closely by Distributed Denial-of-Service (DDoS) attacks at 32% and supply chain attacks at 28%. This highlights a more balanced apprehension across various types of threats among German companies compared to their American counterparts.

A Look at German Cyber Risk Maturity

Germany’s self-assessment of its cybersecurity maturity levels indicates a critical, yet promising perspective among respondents. While 71% of German firms labeled their cyber risk management practices as at least moderately mature—slightly surpassing the global benchmark of 67%—only 17% regarded themselves as very mature. This figure lags behind the US status, where 28% of firms consider themselves very mature. Encouragingly, just 1% of German firms admit to being very immature, and only 11% report a moderate level of immaturity, significantly better than the global average of 20%.

Despite these promising numbers, there remains significant room for improvement. A mere 81% of German companies have a formal cyber risk management program, falling short of the 92% seen in the US and 87% in the UK. Furthermore, only 26% of German businesses believe their programs are well-aligned with overarching business objectives.

Does your organization have a formal cyber risk management program that monitors, prioritizes, and manages cyber risk in the context of business risk?
	Germany	US	UK
Yes, we have a formal program, but we’re still working on managing cyber risk in the context of business priorities	55%	58%	54%
Yes, and it is well-aligned with the business	26%	34%	32%

Visibility Benchmarks

The challenges surrounding visibility in German firms are often linked to the absence of formalized risk management programs. The survey results reveal that only 40% of German organizations continuously monitor their assets, and a mere 17% possess the capability to regularly map threats across their environment while contextualizing the data with risk factors. This contrasts significantly with the 54% of US firms engaged in continuous monitoring and the 22% able to contextualize their data.

German companies report having a robust 81% of exposure management programs, with many deploying attack surface management tools to enhance their efforts. However, only 29% believe that their processes for running these programs are mature. Additionally, there’s an evident struggle in managing third-party cyber risks, with fewer than a third (26%) of German firms continuously monitoring all their third-party relationships. This is significantly below global figures and especially lacking compared to firms in the UK and US.

We continuously monitor all of our third-party relationships for cyber risk
Germany	Global	UK	US
26%	33%	43%	38%

This deficiency in visibility impacts organizations in various ways, extending to the well-being of cybersecurity professionals. The global findings suggest that companies leveraging asset monitoring for exposure mitigation reduce the chances of employee burnout by 30%. Alarmingly, 49% of German firms reported that their cybersecurity staff feel some degree of burnout.

Continuous Monitoring as a Top Spending Priority

Despite these challenges, there’s some optimism around continuous monitoring as a significant focus for security budgets in the coming year. Almost 31% of German firms identified continuous monitoring as their most urgent spending initiative, ahead of identity and access management (IAM), vulnerability management, endpoint management, and security training.

Which security and risk initiatives do you consider most urgent for the next year (2025)? Select top three	Germany	Total
Continuous monitoring	31%	31%
Identity and access management	29%	29%
Vulnerability management	27%	29%
Endpoint management	26%	25%
Security training	26%	22%
Software supply chain security	25%	24%

The 2025 State of Cyber Risk and Exposure report indicates that while German organizations are making strides in their cybersecurity efforts, they still face significant challenges in identifying and contextualizing business risks regarding cyber exposures. Effectively recognizing vulnerabilities is merely the first step; it is essential for security teams and business stakeholders to mesh risk data with business priorities and actionable threat intelligence. For a deeper dive into these trends and to unravel the implications of the survey for enterprises, check out the full State of Cyber Risk Intelligence 2025 report here.