Latest news with #MayureshEktare


TECHx
6 days ago
- Business
- TECHx
Qualys Report Reveals Gaps in Cyber Risk Management
Qualys has revealed key findings from its 2025 State of Cyber-risk Assessment report, highlighting major gaps in cybersecurity risk management despite rising investments. The research, conducted by Dark Reading and commissioned by Qualys, shows that most organizations still struggle to align cyber risk programs with business priorities.

While 49% of surveyed organizations report having a formal cyber risk management program, only 18% use integrated risk scenarios that quantify business impact, including insurance risk transfer. The report notes that 30% align risk programs with business objectives, while 43% of programs are less than two years old. An additional 19% are still in the planning stage.

Cybersecurity investments are growing, but 71% of organizations believe cyber risk levels are either increasing or unchanged:
- 51% report increasing cyber risk exposure
- 20% say risk remains steady
- Only 6% have seen a decrease

Asset visibility remains a key challenge. Although 83% perform regular inventories, only 13% do so continuously. Furthermore, 47% rely on manual processes, and 41% cite incomplete inventories as a top barrier.

Risk prioritization also lacks maturity. Only 68% use integrated risk scoring methods, while 19% still rely solely on CVSS scores. Just 18% update asset risk profiles monthly.

While 90% report cyber-risk findings to the board, only 14% include financial quantification, and just 22% involve finance teams. Business stakeholders are included less than half the time.

Mayuresh Ektare, Vice President of Product Management at Qualys, stated that current approaches fail to reduce cyber risk effectively. He emphasized adopting a Risk Operations Center (ROC) model that integrates vulnerability, asset, and threat data into a unified view.

The report recommends that organizations:
- Understand and prioritize risks based on business-critical assets
- Use diverse risk signals beyond vulnerability scans
- Transition from reactive incident response to proactive risk reduction

Ektare added that integrating business-impacting risk scenarios will lead to more effective board-level communication and better-informed decision-making.


Techday NZ
20-07-2025
- Business
- Techday NZ
Business context still missing in most cyber risk programmes
New research from Qualys reveals that many organisations are still treating cyber risk primarily as a technical issue, despite growing pressure to align cybersecurity with overarching business priorities. The 2025 State of Cyber Risk Assessment Report, conducted by Dark Reading and commissioned by Qualys, surveyed more than 100 IT and cybersecurity leaders across a range of industries.

The findings indicate that although almost half of organisations (49%) have implemented a formal cyber risk programme, most still depend on manual processes and isolated metrics, often prioritising vulnerabilities solely by severity without considering the associated asset value or wider business context.

Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management at Qualys, commented on the report's findings:

"The research shows that the technical foundation for cyber-risk management exists - but what's missing is strategic alignment between security operations and business priorities. Cybersecurity can no longer operate in isolation, yet many organisations continue to spread resources thinly across their attack surface without clearly understanding which risks actually matter to the business."

He continued by outlining how this disconnect might be addressed:

"To close this gap, cybersecurity must evolve from an IT function to a business function - one that can quantify loss, model risk scenarios, prioritise decisions, and demonstrate a measurable return on risk reduction. That evolution starts with business context, not just more data. It's a shift from detection to direction, and from siloed operations to aligned outcomes. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact and business context into every decision."

Risk programme maturity

The report reveals that, among organisations with formal risk management efforts, only 30% say their programmes are guided by business objectives. Additionally, 43% established these initiatives only in the last two years, and 19% are still in the planning stages. The findings suggest a significant maturity gap remains, as sustained commitment to embedding business context into risk management is still developing.

Spending and risk

Despite increasing levels of cybersecurity spending, 71% of organisations believe their cyber risk exposure is either mounting or unchanged, and only 6% report that risk levels are falling. This raises questions about the effectiveness of increased investment where programmes may not fully address business-relevant risks.

Asset intelligence

Another challenge identified in the research is the ongoing struggle with asset visibility. While 83% of those surveyed claim to conduct periodic IT asset inventories, just 13% are able to do so continuously, and nearly half continue to rely on manual inventory methods. The report points to persistent difficulties in establishing up-to-date, comprehensive asset intelligence.

Risk prioritisation practices

When it comes to prioritising risks, most organisations do not sufficiently assess how a vulnerability maps to critical business assets. While 68% use integrated risk scoring techniques that combine threat intelligence or leverage cyber risk quantification, 19% still use single-score metrics such as the Common Vulnerability Scoring System (CVSS) alone. In addition, only 18% review and update asset risk profiles on a monthly basis.

Board engagement

Cyber risk is being reported to executive leadership in most organisations, with 90% providing updates to the board. However, the substance of that reporting often lacks business relevance - only 18% use integrated risk scenarios, and just 14% tie these reports to financial quantification. Business stakeholders outside security are included in these discussions less than half the time (43%), and finance teams are involved in only one in five cases (22%).

Top cyber threats

The survey also identified the human factor as a key dimension of risk. Phishing, ransomware, and insider threats are cited as the top three concerns for digital assets. This highlights the importance of user education and of identity-aware risk management strategies to mitigate threats driven by end-user behaviour.

The report suggests that despite significant efforts and investments, many organisations have yet to fully integrate business context into their cyber risk assessment and mitigation activities, pointing to a continuing evolution of cyber risk management practices in the years ahead.
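Both articles contrast single-score prioritisation (CVSS alone) with integrated risk scoring that folds in asset criticality and threat intelligence. The following Python is an added illustration of that difference, not code from Qualys, Dark Reading or either publication: it ranks a constructed set of findings first by CVSS base score and then by a combined score. The weighting scheme, the asset names, the criticality values and the placeholder CVE identifiers are all assumptions made for the example.

```python
"""
Added illustration: the same findings ranked by CVSS alone and by an
integrated score that also weighs asset criticality (from the asset
inventory) and threat signals (exploitation in the wild, exposure).
Weights and sample data are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str          # placeholder identifiers, not real advisories
    cvss: float       # 0.0 - 10.0 base score from the scanner
    criticality: int  # 1 (low business impact) .. 5 (revenue/safety critical)
    exploited: bool   # threat-intel flag: exploitation observed in the wild
    exposed: bool     # reachable from the internet per the asset inventory


def cvss_only(f: Finding) -> float:
    """Single-score prioritisation: severity is the only input."""
    return f.cvss


def integrated_score(f: Finding) -> float:
    """Integrated prioritisation on a 0..100 scale.

    Severity is scaled by how much the business depends on the asset, then
    discounted when there is no sign of active exploitation or the asset is
    not exposed. The factors (0.4, 0.5) are assumptions for this example.
    """
    business_impact = (f.cvss / 10.0) * (f.criticality / 5.0)
    likelihood = (1.0 if f.exploited else 0.4) * (1.0 if f.exposed else 0.5)
    return round(business_impact * likelihood * 100.0, 1)


def prioritise(findings, scorer):
    """Return findings ordered from most to least urgent under `scorer`."""
    return sorted(findings, key=scorer, reverse=True)


# Constructed sample findings: a critical-rated bug on a throwaway test VM,
# a high-rated one on an exposed, actively exploited payments service, etc.
FINDINGS = [
    Finding("test-vm-07",   "CVE-0000-0001", 9.8, 1, False, False),
    Finding("payments-api", "CVE-0000-0002", 7.5, 5, True,  True),
    Finding("hr-portal",    "CVE-0000-0003", 8.1, 3, False, True),
    Finding("build-runner", "CVE-0000-0004", 6.5, 4, True,  False),
]


def top_asset(scorer) -> str:
    """Asset that would be remediated first under the given scorer."""
    return prioritise(FINDINGS, scorer)[0].asset


if __name__ == "__main__":
    for name, scorer in (("CVSS only", cvss_only), ("integrated", integrated_score)):
        print(name)
        for f in prioritise(FINDINGS, scorer):
            print(f"  {f.asset:13} {f.cve}  {scorer(f):>6}")
```

Under CVSS alone the throwaway test VM tops the queue; under the integrated score it drops to last place and the exposed, actively exploited payments service moves to the top. The point is not the particular weights, which any organisation would tune, but that the inputs the report finds missing (asset criticality and threat signals) are exactly what changes the order.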