Latest news with #DarkReading


TECHx
13 hours ago
- Business
- TECHx
Qualys Report Reveals Gaps in Cyber Risk Management
Qualys has revealed key findings from its 2025 State of Cyber-risk Assessment report, highlighting major gaps in cybersecurity risk management despite rising investments. The research, conducted by Dark Reading and commissioned by Qualys, shows that most organizations still struggle with aligning cyber risk programs to business priorities.

While 49% of surveyed organizations report having a formal cyber risk management program, only 18% use integrated risk scenarios that quantify business impact, including insurance risk transfer. The report notes that 30% align risk programs with business objectives, while 43% of programs are less than two years old. An additional 19% are still in the planning stage.

Cybersecurity investments are growing, but 71% of organizations believe cyber risk levels are either increasing or unchanged:
- 51% report increasing cyber risk exposure
- 20% say risk remains steady
- Only 6% have seen a decrease

Asset visibility remains a key challenge. Although 83% perform regular inventories, only 13% do so continuously. Furthermore, 47% rely on manual processes, and 41% cite incomplete inventories as a top barrier.

Risk prioritization also lacks maturity. Only 68% use integrated risk scoring methods, while 19% still rely solely on CVSS scores. Just 18% update asset risk profiles monthly.

While 90% report cyber-risk findings to the board, only 14% include financial quantification, and just 22% involve finance teams. Business stakeholders are included less than half the time.

Mayuresh Ektare, Vice President of Product Management at Qualys, stated that current approaches fail to reduce cyber risk effectively. He emphasized adopting a Risk Operations Center (ROC) model that integrates vulnerability, asset, and threat data for a unified view.

The report recommends organizations:
- Understand and prioritize risks based on business-critical assets
- Use diverse risk signals beyond vulnerability scans
- Transition from reactive incident response to proactive risk reduction

Ektare added that integrating business-impacting risk scenarios will lead to more effective board-level communication and better-informed decision-making.


Channel Post MEA
3 days ago
- Business
- Channel Post MEA
Business Context Missing In Most Cyber Risk Programs: Qualys
According to new research commissioned by Qualys and conducted by Dark Reading, despite rising investments, evolving frameworks, and more vocal boardroom interest, most organizations remain immature in their risk management programs. Nearly half of organizations (49%) surveyed for Qualys' 2025 State of Cyber-risk Assessment report today have a formal business-focused cybersecurity risk management program. However, just 18% of organizations use integrated risk scenarios that focus on business-impacting processes, showing how investments manage the likelihood and impact of risk quantitatively, including risk transfer to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.

Key findings from the research include:

Formal Risk Programs are Expanding, But Business Context is Still Missing

49% of surveyed organizations report having a formal cyber risk program in place, which looks like a promising statistic on the surface. But dig deeper, and the data shows otherwise:
- Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
- Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
- Future Plans: An additional 19% are still in the planning phase

More Investment ≠ Less Risk: Why the Cyber ROI isn't Adding Up

Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady.
- 51% say their overall cyber risk exposure is increasing
- 20% say it remains unchanged
- Only 6% have seen risk levels decrease

The Missing Metric: Business Relevance in Asset Intelligence

Visibility in cyber risk management is about a principle that hasn't changed in 20 years: you can't protect what you can't see. Yet even in 2025, asset visibility remains one of the biggest blind spots:
- 83% of organizations perform regular asset inventories, but only 13% can do so continuously
- 47% still rely on manual processes
- 41% say incomplete asset inventories are among their top barriers to managing cyber risk

Risk Prioritization Needs to be a Business Conversation, Not a Technical One

Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry looks to be grasping the fact that risk prioritization needs to go beyond single scoring methods like CVSS alone, with 68% of respondents using integrated risk scoring combining threat intelligence or using cyber risk quantification with forecasted loss estimates to prioritize risk mitigation actions. However, these next data points show that the industry still has some way to go:
- Nearly one in five (19%) of organizations continue to rank vulnerabilities using a single score like CVSS alone
- Just 18% update asset risk profiles monthly

Reporting Risk in Business Terms, Not Security Jargon

Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what's being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
- Only 18% use integrated risk scenarios
- Just 14% tie risk reports to financial quantification
- Business stakeholders are only involved less than half the time (43%)
- And only 22% include finance teams in cyber risk discussions

'The key takeaway from the research isn't just that cyber risk is rising. It's that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,' commented Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.

'To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,' Ektare continued.

Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
- Business risk is all about context. In order to have a good understanding of organizational risk, a business first needs to understand what their business-critical assets are, then understand their risk factors or threats as they relate to those crown jewel assets. Without this context, vulnerabilities or threats are just information.
- If everything is critical, nothing is. Prioritizing risks is paramount as organizations do not have unlimited resources. In order to be capitally efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that needs to be accepted, or transferred to cyber insurance.
- To get a good read of the cyber-risks across the enterprise, organizations need a diverse telemetry of risk signals. Organizations can't rely on just one, such as scanning for vulnerabilities; instead, companies need visibility into their application security, identity security stack, and more: every part of the enterprise that is exposing your attack surface.
- Instead of focusing on reactive incident response, for example with a SIEM or a SOC, organizations need a better system that proactively looks to predict risks and works to reduce the likelihood of an event happening by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
- Organizations need to overhaul the way they are communicating cyber-risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance impact risk, will be the future of 'business-oriented' risk reporting, and much more effective at the purpose of communicating to board members.


Zawya
3 days ago
- Business
- Zawya
Most organizations miss business context when assessing cyber risk, finds new research from Qualys


Techday NZ
3 days ago
- Business
- Techday NZ
Business context still missing in most cyber risk programmes
New research from Qualys reveals that many organisations are still treating cyber risk primarily as a technical issue despite growing pressures to align cybersecurity with overarching business priorities. The 2025 State of Cyber Risk Assessment Report, conducted by Dark Reading and commissioned by Qualys, surveyed more than 100 IT and cybersecurity leaders across a range of industries. The findings indicate that although almost half of organisations (49%) have implemented a formal cyber risk programme, most still depend on manual processes and isolated metrics, often prioritising vulnerabilities solely by severity without considering the associated asset value or wider business context.

Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management at Qualys, commented on the report's findings:

'The research shows that the technical foundation for cyber-risk management exists - but what's missing is strategic alignment between security operations and business priorities. Cybersecurity can no longer operate in isolation, yet many organisations continue to spread resources thinly across their attack surface without clearly understanding which risks actually matter to the business.'

He continued by outlining how this disconnect might be addressed:

'To close this gap, cybersecurity must evolve from an IT function to a business function - one that can quantify loss, model risk scenarios, prioritise decisions, and demonstrate a measurable return on risk reduction. That evolution starts with business context, not just more data. It's a shift from detection to direction, and from siloed operations to aligned outcomes. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact and business context into every decision.'

Risk programme maturity

The report reveals that, among organisations with formal risk management efforts, only 30% say their programmes are guided by business objectives. Additionally, 43% have only established these initiatives in the last two years and 19% are still in the planning stages. The findings suggest there remains a significant maturity gap, as sustained commitment to embedding business context into risk management is still developing.

Spending and risk

Despite increasing levels of cybersecurity spending, 71% of organisations believe their cyber risk exposure is either mounting or unchanged, and only 6% report that risk levels are falling. This raises questions about the effectiveness of increased investment where programmes may not fully address business-relevant risks.

Asset intelligence

Another challenge identified in the research is the ongoing struggle with asset visibility. While 83% of those surveyed claim to conduct periodic IT asset inventories, just 13% are able to perform this continuously, and nearly half continue to rely on manual inventory methods. The report points to persistent difficulties in establishing up-to-date, comprehensive asset intelligence.

Risk prioritisation practices

When it comes to prioritising risks, most organisations do not sufficiently assess how a vulnerability maps to critical business assets. While 68% use integrated risk scoring techniques that combine threat intelligence or leverage cyber risk quantification, 19% still use single-score metrics such as the Common Vulnerability Scoring System (CVSS) alone. In addition, only 18% review and update asset risk profiles on a monthly basis.

Board engagement

Cyber risk is being reported to executive leadership in most organisations, with 90% providing updates to the board. However, the substance of reporting is often lacking in business relevance - only 18% use integrated risk scenarios, and just 14% tie these reports to financial quantification. Business stakeholders outside security are included in these discussions less than half the time (43%), and finance teams are involved in only one in five cases (22%).

Top cyber threats

The survey also identified the human factor as a key dimension of risk. Phishing, ransomware, and insider threats are cited as the top three concerns for digital assets. This highlights the importance of user education and the incorporation of identity-aware risk management strategies to mitigate potential threats driven by end-user behaviour.

The report suggests that despite significant efforts and investments, many organisations have yet to fully integrate business context into their cyber risk assessment and mitigation activities, pointing to a continuing evolution of cyber risk management practices in the years ahead.


Channel Post MEA
09-04-2025
- Business
- Channel Post MEA
1 In 5 Security Professionals Struggle Applying Security Updates
New research commissioned by Qualys and conducted by Dark Reading shines new light on the various ways information security professionals are coping, or struggling, with the difficulties and nuances of safeguarding cloud and SaaS assets, including measuring, communicating, and eliminating cyber risk in the cloud.

Key findings from the research include:
- Cloud adoption is ubiquitous and complex: Most organisations polled (57%) use two to three cloud service providers, and 58% have at least five corporatewide SaaS applications deployed. To secure this complex environment, the majority (60%) must manage and reconcile outputs from two or more separate cloud and SaaS security tools, a task they find challenging and suboptimal.
- Sleepless nights: Professional defenders singled out cost (54%), system reliability and performance (36%), and limited cloud-specific security staff skills (27%) as the cloud and SaaS issues that concerned them the most.
- Attacks are relentless: Moving data and applications to the cloud and adopting SaaS come with a whole set of risks. Enterprises are worried about threats such as account hijacking, phishing, ransomware and malware, data exfiltration, advanced persistent threats, and distributed denial-of-service attacks.
- Config chaos: One place just about all parties find common ground when assessing cloud and SaaS risk is in the thorny issue of misconfigurations, one of the top concerns for both cloud (24%) and SaaS (33%). The level of concern, however, appears to fall well short of the scope of the actual misconfiguration problem in the wild.
- Situational blindness: Few enterprises engage in ongoing or continuous assessment of their cloud and SaaS environments. The rest do security assessments at intervals that range largely from once a quarter (18% for cloud, 11% for SaaS) to once a year (25% cloud, 26% SaaS), and in some cases not at all.
- Difficulty patching: Enterprises are also concerned about adversaries exploiting unpatched vulnerabilities in web applications (39%) and cloud environments (23%). Almost 1 in 5 say they have difficulty applying security updates and patches, creating a situation where organisations are exposed to attack as a result of exploitable vulnerabilities.
- Sluggish response: Topping the list of IR concerns are a lack of skilled workers (49%), limited visibility into cloud and hosted environments (46%), and the inherent complexity of cloud-centric incidents (46%).

'The data shows in stark relief the real-world challenges defenders face when it comes to shoehorning traditional security practices and methods — things like managing configs and vulnerabilities, controlling access, and corralling siloed security tools — into the defences of dynamic multi-cloud and multi-SaaS environments', commented Shilpa Gite, Senior Manager, Cloud Security Compliance, Qualys. 'The research underscores the importance of a comprehensive, unified, strategic approach to cloud and SaaS security that brings together continuous scanning and vulnerability assessment, automated remediation efforts, AI-powered threat detection and response capabilities, and cross-platform risk prioritisation features'.

To enhance security posture, organisations should consider:
- Implementing continuous monitoring and assessment: Enterprises should move away from periodic assessments and adopt continuous security monitoring to identify and mitigate threats in real time. Continuous assessment helps in promptly detecting vulnerabilities that emerge due to constant updates and configuration changes in cloud and SaaS environments.
- Adopting a unified security platform: Using a single, integrated security platform to manage all aspects of security across on-premises, cloud, and SaaS environments is crucial. A unified platform provides comprehensive visibility, streamlined security operations, and consistent policy enforcement, hence reducing the risk of security gaps and inefficiencies wherever they occur.
- Enhancing identity and access management (IAM): Proper IAM practices are essential for securing access to sensitive data and systems, especially in cloud and hosted systems. Enterprises need robust IAM solutions that include multi-factor authentication, least privilege access, and regular access reviews to prevent unauthorised access and minimise insider threats.
- Leveraging automation for security processes: Automating security processes such as vulnerability scanning, patch management, configuration and change management, and incident response significantly improves operational efficiency and reduces the risk of human error. Automation especially empowers under-resourced security teams (that means most of them) to quickly address threats and maintain a mature, proactive security posture.
- Investing in advanced threat detection and response capabilities: To combat sophisticated threats such as advanced persistent threats (APTs), ransomware, and next-gen malware, enterprises should invest in AI-powered threat detection and response solutions. These advanced capabilities enable organisations to detect and respond to threats swiftly, minimising potential damage.