Most organizations miss business context when assessing cyber risk, finds new research from Qualys

Zawya, 14 hours ago
According to new research commissioned by Qualys and conducted by Dark Reading, despite rising investments, evolving frameworks, and more vocal boardroom interest, most organizations remain immature in their risk management programs.
Nearly half (49%) of the organizations surveyed for Qualys' 2025 State of Cyber-risk Assessment report have a formal, business-focused cybersecurity risk management program today. However, just 18% use integrated risk scenarios that focus on business-impacting processes and show quantitatively how investments change the likelihood and impact of risk, including risk transferred to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.
Key findings from the research include:
Formal Risk Programs are Expanding, But Business Context is Still Missing
49% of surveyed organizations report having a formal cyber risk program in place, which looks like a promising statistic on the surface. But dig deeper, and the data shows otherwise:
Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
Future Plans: An additional 19% are still in the planning phase
More Investment ≠ Less Risk: Why the Cyber ROI isn't Adding Up
Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady.
51% say their overall cyber risk exposure is increasing
20% say it remains unchanged
Only 6% have seen risk levels decrease
The Missing Metric: Business Relevance in Asset Intelligence
Visibility in cyber risk management is about a principle that hasn't changed in 20 years: you can't protect what you can't see. Yet even in 2025, asset visibility remains one of the biggest blind spots:
83% of organizations perform regular asset inventories, but only 13% can do so continuously
47% still rely on manual processes
41% say incomplete asset inventories are among their top barriers to managing cyber risk
Risk Prioritization Needs to be a Business Conversation, Not a Technical One
Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry appears to be grasping that risk prioritization needs to go beyond a single scoring method such as CVSS alone: 68% of respondents prioritize mitigation actions using integrated risk scoring that combines threat intelligence, or cyber risk quantification with forecasted loss estimates. However, the next data points show that the industry still has some way to go:
Nearly one in five organizations (19%) continue to rank vulnerabilities using a single score such as CVSS alone
Just 18% update asset risk profiles monthly
Reporting Risk in Business Terms, Not Security Jargon
Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what's being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
Only 18% use integrated risk scenarios
Just 14% tie risk reports to financial quantification
Business stakeholders are involved less than half the time (43%)
And only 22% include finance teams in cyber risk discussions
'The key takeaway from the research isn't just that cyber risk is rising. It's that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,' commented Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.
'To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,' Ektare continued.
Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
Business risk is all about context. To understand organizational risk, a business first needs to identify its business-critical assets, then understand the risk factors and threats as they relate to those crown-jewel assets. Without this context, vulnerabilities and threats are just information.
If everything is critical, nothing is. Prioritizing risks is paramount as organizations do not have unlimited resources. In order to be capitally efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that needs to be accepted, or transferred to cyber insurance.
To get a good read of cyber risk across the enterprise, organizations need diverse telemetry of risk signals. They cannot rely on just one, such as vulnerability scanning; they need visibility into application security, the identity security stack, and every other part of the enterprise that exposes their attack surface.
Instead of focusing only on reactive incident response, for example through a SIEM or a SOC, organizations need a system that proactively predicts risks and works to reduce the likelihood of an event by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
Organizations need to overhaul the way they communicate cyber risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance change risk, will be the future of 'business-oriented' risk reporting, and far more effective at communicating with board members.