This is part two of a three-part series that takes another dive into the CompTIA State of Cybersecurity 2025 Report to address cybersecurity imperatives across the Enterprise Architecture Model. Please refer to the entire CompTIA report for additional information.¹
The dilemmas of a strategic technology mindset and a robust cybersecurity approach are tightly intertwined. Cybersecurity efforts must not only respond to changes in technology operations but also influence the decision process more heavily than in the past. As organizations solve both sides of the equation, the four layers of the Enterprise Architecture Model can provide a structure for making decisions and setting priorities to move toward effective cybersecurity. The Enterprise Architecture Model will be summarized by defining each of its four layers, including:
Applying the enterprise architecture model to overall technology efforts will call attention to issues across all four primary technology domains which include infrastructure, software, data, and cybersecurity. Cybersecurity is unique among these domains in that it has a more direct impact on business viability. As such, cybersecurity has become a business imperative with considerations for all levels of an organization—staff, management, executives, and governing bodies. This significance allows the Enterprise Architecture Model to be applied directly to cybersecurity efforts alongside broader technology strategy.
Cybersecurity takes the top spot for perceived organizational priority over IT support, staff productivity, and infrastructure, among others. At the business architecture level, the main issue to resolve is the ongoing operational process around cybersecurity based on the priority within the organization. The first question, then, is what priority the firm places on cybersecurity. While the data may be somewhat skewed in coming from a cybersecurity-focused survey, it is no surprise to see that cybersecurity ranks as the top priority among many different technology initiatives, at least in terms of perception. Cybersecurity incidents are high-profile with broad impacts, so it makes sense that organizations would assign a high priority.
Carving out cybersecurity budget numbers is challenging because of the way cybersecurity is woven into other activities. Choosing a cloud infrastructure provider or performing a compliance audit may be driven by other departments, but the cybersecurity team clearly plays a large role. With that said, the general attitudes around cybersecurity funding point to a discrepancy between stated priority and available budget. While 78% of CompTIA member respondents state that cybersecurity is a high priority at their firm, only 49% feel that it is relatively easy to procure funds for cybersecurity activities or feel that cybersecurity budgets are increasing. Even that number may be elevated, as 60% of executives say that cybersecurity funding is relatively easy to procure compared to only 46% of IT staff.
Establishing agreement on processes aligned with priority requires collaborative effort. For business leaders, this may involve an examination of corporate structure, whether that means the composition of the cybersecurity team or the involvement of cybersecurity within governing practices. For cybersecurity leaders, this will require a deeper understanding of how cybersecurity impacts business viability. The proficiency in describing these high-level effects comes from incorporating cybersecurity principles at lower layers of the Enterprise Architecture Model.
While the data layer is more foundational than the individual applications used for internal operations, the applications combine into an overall workflow, and defining this workflow drives implications for technology decisions.
Risk analysis is a critical component of defining workflow, and it has also become the guiding principle for cybersecurity efforts. The exact practices of risk analysis are somewhat objective from one organization to another, but CompTIA’s data shows relatively strong adoption of formal or informal risk analysis procedures. As expected, the use of a formal framework such as the NIST Risk Management Framework or the IRGC Risk Governance Framework is more prevalent among larger companies. That is offset somewhat by a larger percentage of small and medium-sized businesses that perform informal risk analysis, making risk management a familiar concept for most.
Once again, though, the details matter. Most importantly, the output of risk analysis is often not considered as a broad organizational concern. The vast majority of businesses view risk analysis as an activity confined within the technology function, with more than four in ten firms further stating that risk analysis is specific to cybersecurity specialists.
The risks most commonly identified in analysis center around technology elements. The core components of cloud usage, tech procurement, data classification, or mobile device implementation are all tech-related; however, the analysis should not be limited to the specific security measures for each of these components. The costs and tradeoffs of security choices should be evaluated in the context of organizational goals.
Today, artificial intelligence is the most prominent technology component featured in both corporate aspirations and cybersecurity analysis. Although AI has been a part of emerging technology discussions for several years, the arrival of generative AI has kicked off a new hype cycle. It is not surprising that businesses are eager to capture whatever value they can from this new trend. The ability to do so will depend on a solid understanding of how AI fits into an evolving technology stack.
As with any hype cycle, initial excitement is beginning to run up against implementation obstacles. Across a standard four-stage adoption curve, 41% of survey respondents identify as performing education/pilot programs and 36% identify as performing low-priority implementations. This places the majority of businesses at the beginning of an AI journey, which is typical for new technology but probably contrary to expectations created by media and cutting-edge enterprise firms. History tells us that progress will be impeded by internal and external factors, with slow additions to the 16% of firms citing high-priority implementations and the 7% of firms citing full transformation of workflows.¹
Data architecture follows application architecture from a decision-making perspective, but clearly not from a priority perspective. Overall, 46% of firms say they place far more emphasis on data today compared to two years ago. Very large companies lead this charge, powered by the resources they can apply toward data management and analysis. Executives also drive this sentiment, as data analytics and visualization have led to greater data-driven decision-making.
There are several reasons for data’s rise in importance, and there is significant overlap between the fields of data and cybersecurity. As computing resources became somewhat commoditized across companies (especially with the adoption of cloud computing), data became a critical area to build differentiation. More recently, the strong interest in AI has accelerated the need for robust practices that produce data fit for training AI algorithms.
In a Zero-Trust framework, data security ensures that all data access requests are continuously verified and monitored, preventing unauthorized access and reducing the risk of breaches. By implementing robust encryption, access controls, and activity monitoring, organizations can protect sensitive information and maintain a secure environment.
This dependence on data leads to the first overlap with cybersecurity. Among many different elements of data management and analytics, securing data is clearly top of mind. The elimination of secure perimeters for cloud operations led to focused security for both data and applications, and cybersecurity teams are still building methodologies to protect data in each phase of use. Securing data is perhaps the leading tenet of a zero-trust framework, as corrupt data that is unverified can have a devastating impact on data-dependent operations.
A second overlap between data and cybersecurity takes place as cybersecurity experts perform their own data analysis while monitoring threats and responding to incidents. The combination of digital acceleration and resource constraints creates an overwhelming amount of information for cybersecurity professionals to digest, so advanced data analysis techniques along with automation are critical for staying on top of things.
Finally, data can help undergird new metrics that organizations are using to define success or progress with cybersecurity strategy. While only 29% of responding companies report that they have started using new cybersecurity metrics in the past year, 38% of executives identify new metrics as a key process change. This indicates the need to incorporate cybersecurity into the discussion around business health, which will grow as a norm as companies drive their objectives with technology.¹
At the lowest layer of the Enterprise Architecture Model, the focus turns to tactics. This is where the situation most closely resembles a traditional view of cybersecurity, with technology products integrated into a comprehensive solution that protects against attacks and mitigates risk.
The dynamic threat landscape presents the first tactical challenge for cybersecurity professionals. To start, there are longstanding threats that still run rampant as bad actors target organizations with weak cybersecurity. Malware has certainly evolved over the decades, but many core principles remain the same, as do the common defenses. Even so, malware is listed as a top three concern that organizations want to understand better.
The other two concerns in the top three are ransomware and phishing, attack vectors that have proven extremely potent for cybercriminals. One interesting note about these two threats is that technology plays less of a role in prevention and mitigation. Instead, well-defined processes and effective end-user education and training are key elements in avoiding damage.
These three threats alone require significant time and effort in monitoring and mitigation, but there is a wide range of other threats that must be taken into account. Supply chain attacks take advantage of automated software update processes and complex technology stacks. Data poisoning complicates a data management process that many companies are in the early stages of building. Cyber extortion is a variant of ransomware where the attackers threaten to make data public rather than simply making it unusable.
Of course, outside forces are not the only—or the largest—concern for organizations. Internal human error continues to play a significant role in cybersecurity events. Phishing and social engineering rely on end users making mistakes, and these attacks have become incredibly sophisticated. In addition, the most common cybersecurity incident cited by companies is the old standby of a lost device. Cybersecurity incidents cause high amounts of disruption.
When it comes to the impact of cybersecurity incidents, the data shows why cybersecurity remains a hot button for most firms. Nearly six in ten businesses say that the impact of cybersecurity incidents in the past year has been moderate to severe, with clear downsides for both finances and productivity. It is an oversimplification to say that cybersecurity remains a priority because the problem has not been solved, but the fact remains that cybersecurity is a discipline that many organizations still struggle to fully understand.
That struggle largely stems from the explosion in complexity that cybersecurity teams are asked to address. Sixty percent of firms say that they have over 1,000 assets under management, including endpoints, cloud systems, and operational technology (OT). OT, in particular, provides a good example of the complex environment, as cybersecurity professionals have to understand physical infrastructure components such as building utility systems or manufacturing equipment that has been digitized and network-connected.
The sobering reality is that there is relatively low confidence in the level of visibility and control across all asset categories. IT staff, who might be expected to have the best knowledge of cybersecurity capabilities, consistently rate as the group with the lowest levels of confidence. When cybersecurity dealt with a lower number of threats targeting a smaller attack surface, the job could be handled as a portion of overall infrastructure responsibilities. Today’s environment demands a different approach and much deeper skills.
Next Up
Stay tuned for Part III, where we will focus on building cybersecurity skills as a foundational imperative to achieving organizational cyber competency.
¹: CompTIA State of Cybersecurity 2025 Report