Business context still missing in most cyber risk programmes

Techday NZ, 7 days ago
New research from Qualys reveals that many organisations are still treating cyber risk primarily as a technical issue despite growing pressures to align cybersecurity with overarching business priorities.
The 2025 State of Cyber Risk Assessment Report, conducted by Dark Reading and commissioned by Qualys, surveyed more than 100 IT and cybersecurity leaders across a range of industries. The findings indicate that although almost half of organisations (49%) have implemented a formal cyber risk programme, most still depend on manual processes and isolated metrics, often prioritising vulnerabilities solely by severity without considering the associated asset value or wider business context.
Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management at Qualys, commented on the report's findings: "The research shows that the technical foundation for cyber-risk management exists - but what's missing is strategic alignment between security operations and business priorities. Cybersecurity can no longer operate in isolation, yet many organisations continue to spread resources thinly across their attack surface without clearly understanding which risks actually matter to the business."
He continued by outlining how this disconnect might be addressed: "To close this gap, cybersecurity must evolve from an IT function to a business function - one that can quantify loss, model risk scenarios, prioritise decisions, and demonstrate a measurable return on risk reduction. That evolution starts with business context, not just more data. It's a shift from detection to direction, and from siloed operations to aligned outcomes. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact and business context into every decision."
Risk programme maturity
The report reveals that, among organisations with formal risk management efforts, only 30% say their programmes are guided by business objectives. Additionally, 43% have only established these initiatives in the last two years and 19% are still in the planning stages. The findings suggest there remains a significant maturity gap, as sustained commitment to embedding business context into risk management is still developing.
Spending and risk
Despite increasing levels of cybersecurity spending, 71% of organisations believe their cyber risk exposure is either mounting or unchanged, and only 6% report that risk levels are falling. This raises questions about the effectiveness of increased investment where programmes may not fully address business-relevant risks.
Asset intelligence
Another challenge identified in the research is the ongoing struggle with asset visibility. While 83% of those surveyed claim to conduct periodic IT asset inventories, just 13% are able to perform this continuously, and nearly half continue to rely on manual inventory methods. The report points to persistent difficulties in establishing up-to-date, comprehensive asset intelligence.
Risk prioritisation practices
When it comes to prioritising risks, most organisations do not sufficiently assess how vulnerabilities map to critical business assets. While 68% use integrated risk scoring techniques that combine threat intelligence or leverage cyber risk quantification, 19% still rely on a single-score metric such as the Common Vulnerability Scoring System (CVSS) alone. In addition, only 18% review and update asset risk profiles on a monthly basis.
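The difference between the two prioritisation approaches the report describes is easiest to see on a concrete set of findings. The snippet below is an added example, not code from the report or from Qualys: it ranks the same four findings by CVSS base score alone and then by a score that also weighs asset criticality, internet exposure and known exploitation. The findings, asset names, placeholder vulnerability identifiers, the 1-5 criticality scale and the weights are all constructed assumptions for illustration, not any vendor's formula.

```python
"""Added example (not from the report or from Qualys): rank the same findings
two ways, by CVSS base score alone and by a score that also weighs asset
criticality, exposure and exploitation evidence. The findings, the 1-5
criticality scale and the weights are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 to 10.0
    criticality: int         # assumed business-criticality scale: 1 (low) to 5 (crown jewel)
    internet_facing: bool
    exploited_in_wild: bool  # e.g. present in an exploited-vulnerabilities catalogue

    def __post_init__(self) -> None:
        # Reject malformed input early: a bad score or criticality would silently skew the ranking.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.asset}: CVSS {self.cvss} outside 0-10")
        if not 1 <= self.criticality <= 5:
            raise ValueError(f"{self.asset}: criticality {self.criticality} outside 1-5")


# Constructed sample findings: a critical-severity bug on a throwaway dev box
# versus lower-severity bugs on exposed, exploited, business-critical systems.
FINDINGS: List[Finding] = [
    Finding("dev-jenkins-01", "VULN-A", 9.8, 1, False, False),
    Finding("payments-api-03", "VULN-B", 7.5, 5, True, True),
    Finding("hr-wiki-02", "VULN-C", 8.1, 2, True, False),
    Finding("erp-db-01", "VULN-D", 6.5, 5, False, True),
]


def severity_only(f: Finding) -> float:
    """The single-score approach: CVSS base score, nothing else."""
    return f.cvss


def business_risk(f: Finding) -> float:
    """Assumed contextual score (not any vendor's formula).

    CVSS is scaled by the asset's criticality, then discounted when the asset
    is not reachable from the internet and when no exploitation is known.
    A fully exposed, exploited crown-jewel asset therefore keeps its raw CVSS;
    everything else is scaled down. The result stays within 0-10.
    """
    score = f.cvss * (f.criticality / 5.0)
    score *= 1.0 if f.internet_facing else 0.6
    score *= 1.0 if f.exploited_in_wild else 0.5
    return round(score, 2)


def rank(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Asset names ordered from highest to lowest score under the given scorer."""
    return [f.asset for f in sorted(findings, key=scorer, reverse=True)]


def remediation_order_changes(findings: List[Finding]) -> bool:
    """True when the two approaches would have the team patch in a different order."""
    return rank(findings, severity_only) != rank(findings, business_risk)


if __name__ == "__main__":
    for label, scorer in (("CVSS only", severity_only), ("with business context", business_risk)):
        print(f"{label}:")
        for f in sorted(FINDINGS, key=scorer, reverse=True):
            print(f"  {scorer(f):5.2f}  {f.asset}  ({f.vuln_id})")
```

Under CVSS alone the 9.8 on the isolated dev server goes to the top of the queue; once criticality, exposure and exploitation are weighed, the 7.5 on the exploited, internet-facing payments API and the 6.5 on the exploited ERP database move ahead of it. The point is not the particular weights, which are arbitrary here, but that the asset attributes have to exist in an inventory before any such scoring is possible, which is the asset-intelligence gap the report describes.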
Board engagement
Cyber risk is being reported to executive leadership in most organisations, with 90% providing updates to the board. However, the substance of reporting is often lacking in business relevance - only 18% use integrated risk scenarios, and just 14% tie these reports to financial quantification. Business stakeholders outside security are included in these discussions less than half the time (43%), and finance teams are involved in only one in five cases (22%).
Top cyber threats
The survey also identified the human factor as a key dimension of risk. Phishing, ransomware, and insider threats are cited as the top three concerns for digital assets. This highlights the importance of user education and the incorporation of identity-aware risk management strategies to mitigate potential threats driven by end-user behaviour.
The report suggests that despite significant efforts and investments, many organisations have yet to fully integrate business context into their cyber risk assessment and mitigation activities, pointing to a continuing evolution of cyber risk management practices in the years ahead.
Related Articles

Exclusive: Qualys' Sam Salehi explains why ANZ firms are turning to risk platforms

Techday NZ, 01-07-2025

Cybersecurity is changing fast - and Australian and New Zealand businesses are struggling to keep up. According to Sam Salehi, Managing Director of Qualys for Australia and New Zealand, the region is facing a combination of a skills crisis, evolving threat landscape and rising customer expectations.

Salehi has led the ANZ arm of the cybersecurity company for just over a year. His number one focus is supporting customers while growing his team and expanding services through partners. "In the next 12 months, we will continue to develop our managed risk operation centre (mROC) services in partnership with MSSPs," he said. "I'll also focus on hiring more people and expanding the team in the ANZ region."

However, talent is hard to come by. "My take on it is cybersecurity moves really fast," he said. "We haven't paid enough attention to educating the younger generation to enter this field. Also, many people are coming from other industries, which means it takes longer to upskill." He referenced a global estimate predicting over three million cybersecurity jobs will be vacant in 2025. While that figure is staggering, Salehi said it highlights the importance of building an ecosystem of partners and investing in automation.

That thinking has led Qualys to embrace a "channel-first" strategy in ANZ. "My team is around seven people, so shifting to channel-first helps us expand market reach and accelerate growth," he said. "We now have more than 80 active partners in this region." The company also created a new role - channel account manager - to support those partners and ensure they're equipped to help customers.

It's part of a wider effort to raise awareness of what Qualys actually offers. "Though we are a household brand when it comes to vulnerability management, we do 20 different things that people don't know about," Salehi said. "That really shocked me." He added that many customers still assume Qualys is only a VMDR vendor. "When I tell them we play in API security, AI, patching - they're surprised," he said. "Some of them ask, 'Since when are you doing this?' And I say, 'It's been five years.'" Salehi believes part of the issue lies in how the company traditionally went to market, and hopes the channel-first model will broaden its reach and change perceptions.

That ties into another growing trend he sees: platformisation. "Companies are now looking for best of platforms, not best of breed," he said. "Instead of having ten vendors, they want to narrow it down to three and get better outcomes." Cloud security and remediation are also top requests from customers, alongside automation tools that help lean teams do more with less.

To support that, Qualys recently launched TruRisk Eliminate - a platform offering patching, mitigation and isolation from a single console. It's aimed at overwhelmed security teams who need more efficient ways to reduce exposure. "There are ready-made playbooks so your team doesn't have to spend hours researching how to fix something," Salehi explained. "The isolation feature is also granular - you can lock a server to run just a few specific applications."

Another recent addition is Policy Audit, an enhancement to the company's existing compliance tools. "This drastically cuts manual audit preparation time," he said. "It helps organisations stay audit-ready, especially with increasing regulations like the SOCI Act and mandatory data breach notifications."

Qualys has also leaned into education and community building. Over the past year, Salehi and his team delivered 20 risk quantification workshops across ANZ, led by US-based expert Richard Seiersen. "When you give back to your community and enhance knowledge around a critical topic like risk management, it builds trust," he said. The workshops were free and well attended, each drawing 8 to 12 senior stakeholders from across industries. Salehi described Seiersen as "a celebrity in cybersecurity risk". "People want help communicating cyber risk in a business context," he said. "That's still missing in the market."

Salehi says one of the most impactful developments for Qualys in this space is the company's Enterprise TruRisk Platform, which underpins its Risk Operations Centre (ROC) offering. It unifies cybersecurity, operational and financial risk insights into a single pane of glass. "It enables business context," he said. "Not all vulnerabilities matter equally - it depends on their impact. This helps customers focus on what matters first." That solution is also available via a managed version (mROC), delivered in partnership with MSSPs. "These partners become strategic advisors to customers," he said. "They help with risk advisory, onboarding, integration and continuous monitoring."

Reflecting on the past 13 months, Salehi said his focus was on bringing everyone together - being a small team, fostering a culture of support and collaboration was key. "It took time to bring everyone together and build a culture of support," he said. "We're a small team, and some functions like HR and legal are offshore, so collaboration is key." Despite being part of a publicly listed company, Salehi said Qualys has a family-like culture. Much of that comes from CEO Sumedh Thakar, who's been with the business for over two decades. "He's so approachable and empowering," he said. "It inspired me to lead the same way in ANZ."

For Salehi, customer relationships remain a top priority. "I've had over 100 customer meetings this year," he said. "It's not about selling a product, it's about understanding the person in front of you."

Diligent teams with Cloudflare, Qualys to deliver cyber risk tool

Techday NZ, 30-04-2025

Diligent has announced a partnership with Cloudflare and Qualys to provide a new cyber risk reporting solution designed for boards and both executive and security leaders. The Cyber Risk Report, now available on the Diligent One Platform, integrates Cloudflare's real-time threat intelligence and Qualys' cyber risk surface insights with Diligent's cyber risk dashboard. The solution is intended to provide a holistic, real-time view of the most pressing cyber threats facing organisations and to support strategic decision-making among board members and executives.

Brian Stafford, President and Chief Executive Officer of Diligent, said: "In today's complex cyber landscape, boards and executives are demanding faster access to insights. The new Cyber Risk Report provides a holistic view of an organisation's risk posture, mitigating the chance of vulnerabilities to high impact threats. Combined with Diligent's AI-powered risk and governance solutions, this report arms CISOs with the tools for proactive risk management and strong cybersecurity governance."

Diligent's recent 2025 What Directors Think report revealed that while 61% of directors acknowledge the strategic risks from cyber threats, nearly 30% of boards still do not receive regular security updates. The report underscores the challenges that security teams face, including an overload of data, constant emergence of software vulnerabilities, and new risks associated with AI tools.

The new Cyber Risk Report aims to bridge this gap by merging internal controls data, third-party threat intelligence, and business context into a single, executive-focused resource. Its real-time integrations with Cloudflare and Qualys are designed to remove the need for manual reporting cycles and reliance on spreadsheets, streamlining processes such as control testing, evidence collection, and issue remediation through automation.

Grant Bourzikas, Chief Security Officer at Cloudflare, commented: "Severe repercussions of recent attacks, and new threats posed by emerging technologies have moved cyber to the forefront of business leaders' concerns. And while the reckoning that cyber is at the crux of enabling business has finally come, communicating risk clearly, in business terms, is still a major challenge for CISOs. The Cyber Risk Report - underpinned by Cloudflare's telemetry, based on our global network that's one of the largest in the world - will enable security leaders to pinpoint exact relevant issues, overlay them with comprehensive context and ultimately provide clarity to the board on the overall state of your organisation's resilience."

The development of the Cyber Risk Report included feedback from more than 50 chief information security officers and board members. The report offers features such as built-in trend analysis, peer comparisons, and intuitive dashboards, designed to help CISOs prioritise vulnerabilities according to their business impact and convey actionable recommendations to boards. The collaboration allows integration of technologies from both Cloudflare and Qualys into the Diligent One Platform and is intended to provide a basis for future cyber security solutions.

Rich Seiersen, Chief Risk Tech Officer of Qualys, said: "CISOs don't need more dashboards; they need a smarter, business-focused strategy. At Qualys, we help our customers be more effective at measuring, communicating and eliminating their cyber risk with the Risk Operations Center (ROC). Together with Diligent and Cloudflare, we're redefining how cyber risk is communicated to the board, translating technical data into the financial language of business - dollars and cents. At the same time, we're empowering CISOs with clear, actionable insights to manage their risk surface, drive down risk, boost efficiency and elevate security as a true business enabler."

The partnership is expected to address the ongoing challenges faced by security teams in translating technical cyber risk data into information that is meaningful for business and board-level decision-making.