From Compliance to Confidence: Key Takeaways from ISMS.online’s State of Information Security Report 2025
By Connor Duthie
As digital transformation accelerates, the line between compliance and cybersecurity is blurring. Organisations aren’t just looking to tick the box; they’re striving to build trust and demonstrate resilience in a world where cyber threats evolve daily.
Our partners at ISMS.online have released their State of Information Security Report 2025, offering one of the clearest pictures yet of where businesses stand today, and where they need to go next. Drawing on insights from over 3,000 security professionals across the UK and US, the report highlights both encouraging progress and pressing challenges in the road to resilience.
The Expanding Attack Surface
According to the report, 2025 is shaping up to be a year defined by complexity.
As organisations double down on digital transformation, their attack surface continues to grow.
- 42% cite an information security skills gap as their top challenge.
- 41% struggle to manage third-party risk and compliance.
- And 40% say “shadow IT” remains their most common employee security mistake.
The rise of shadow AI, employees using generative AI tools without approval, is also emerging as a serious concern, cited by 37% of respondents.
“Businesses are evolving faster than ever, but so are attackers,” says Jai Aenugu, CEO and Founder of TechForce Cyber. “It’s not enough to just protect systems, organisations need to build resilience into their operations, processes, and partnerships. That’s why frameworks and collaboration are so important.”
AI: The Double-Edged Sword
Artificial intelligence is transforming both sides of the cybersecurity equation.
ISMS.online’s report found that 79% of organisations have adopted AI or machine learning in the past year, yet 54% admit they moved too quickly and are now struggling to manage adoption responsibly.
The dangers of “shadow AI” are clear: employees unintentionally exposing sensitive data to public models, using unvetted tools, and creating compliance risks that could breach GDPR. But AI isn’t just a risk; it’s also a powerful defensive ally.
96% of respondents plan to invest in GenAI-powered threat detection and 94% in deepfake validation tools. And with 95% now investing in AI governance and policy enforcement, the message is clear: responsible AI use is now a board-level issue.
“AI governance is the next frontier for cybersecurity,” Jai adds. “We’re already seeing more clients asking how to align their AI strategy with security and compliance frameworks like ISO 42001. That’s where our partnership with ISMS.online helps, bringing structure and accountability to something that’s evolving incredibly fast.”
The Compliance Crunch
If there’s one standout theme from the 2025 report, it’s that compliance is no longer just about avoiding fines.
While 71% of organisations experienced a data protection fine in the past 12 months, with nearly a third exceeding £250,000, many are now viewing frameworks like ISO 27001 and SOC 2 as strategic enablers rather than burdens.
In the words of Sam Peters, Chief Product Officer at ISMS.online,
“Done well, compliance does more than reduce risk; it supports growth.” He continues, “And as regulations continue to evolve, strong compliance won’t just protect against penalties; it will become one of the main drivers of trust and long-term resilience.”
This shift from compliance to confidence is one we see echoed across TechForce Cyber’s own client base. Organisations want to simplify how they manage audits, reduce duplication, and gain real-time visibility of risk.
“The businesses that thrive are those who see compliance as part of their value proposition,” Jai explains. “When customers can see that you take security seriously, through certifications, transparency, and consistent improvement, it builds trust that lasts.”
People Still Make the Difference
Despite the surge in technology investment, the report highlights that people remain central to every security strategy.
Skills shortages, burnout, and awareness gaps persist, with 32% of respondents citing team burnout and 29% pointing to staff turnover as ongoing challenges.
At the same time, 38% say a lack of employee awareness is contributing to incidents such as phishing, shadow IT, and misuse of AI tools.
“Technology alone won’t solve the problem,” Jai notes. “Security is a culture, not a checklist. That’s why awareness, leadership buy-in, and continual improvement are key pillars of cyber resilience.”
Both ISMS.online and TechForce Cyber emphasise a people-process-technology approach: empowering teams to make secure decisions while streamlining the compliance workload through automation and guidance.
Resilience by Design
Perhaps the most encouraging insight from the report is a growing sense of confidence among security leaders.
- 75% say their confidence in cybersecurity has increased in the past year.
- 97% believe they could respond effectively to a major incident.
- And 84% feel prepared for AI-driven threats such as deepfakes or data poisoning.
This represents a significant shift from reactive firefighting to proactive strategy.
Investments are growing in incident response, AI defence, and quantum risk readiness, showing that organisations are planning for the long term rather than focusing only on short-term protection.
“Resilience isn’t just about stopping attacks, it’s about being ready when they happen,” Jai says. “What ISMS.online’s research shows is that more businesses are finally treating cybersecurity as a driver of growth and trust. That’s the mindset that builds lasting security maturity.”
Closing Thoughts
The State of Information Security Report 2025 from ISMS.online provides a timely reminder that compliance, governance, and security are no longer separate conversations; they’re one and the same.
For UK organisations, especially SMEs, this means the focus should now be on integration: unifying processes, people, and platforms to create a single source for risk, compliance, and resilience.
At TechForce Cyber, we’re proud to partner with ISMS.online to help organisations across the UK achieve just that, transforming compliance from a checkbox exercise into a continuous advantage.
Download the full report from ISMS.online to explore all the insights, statistics, and trends shaping the year ahead.
And if you’d like to learn how TechForce Cyber can help you strengthen compliance and build resilience, get in touch with our team today.