Most organizations miss business context when assessing cyber risk, finds new research from Qualys

Zawya, 6 days ago
According to new research commissioned by Qualys and conducted by Dark Reading, despite rising investments, evolving frameworks, and more vocal boardroom interest, most organizations remain immature in their risk management programs.
Nearly half of the organizations (49%) surveyed for Qualys' 2025 State of Cyber-risk Assessment report today have a formal business-focused cybersecurity risk management program. However, just 18% of organizations use integrated risk scenarios that focus on business-impacting processes, showing how investments manage the likelihood and impact of risk quantitatively, including risk transfer to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.
Key findings from the research include:
Formal Risk Programs are Expanding, But Business Context is Still Missing
49% of surveyed organizations report having a formal cyber risk program in place, which looks like a promising statistic on the surface. But dig deeper, and the data shows otherwise:
  • Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
  • Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
  • Future Plans: An additional 19% are still in the planning phase
More Investment ≠ Less Risk: Why the Cyber ROI isn't Adding Up
Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady.
  • 51% say their overall cyber risk exposure is increasing
  • 20% say it remains unchanged
  • Only 6% have seen risk levels decrease
The Missing Metric: Business Relevance in Asset Intelligence
Visibility in cyber risk management is about a principle that hasn't changed in 20 years: you can't protect what you can't see. Yet even in 2025, asset visibility remains one of the biggest blind spots:
  • 83% of organizations perform regular asset inventories, but only 13% can do so continuously
  • 47% still rely on manual processes
  • 41% say incomplete asset inventories are among their top barriers to managing cyber risk
Risk Prioritization Needs to be a Business Conversation, Not a Technical One
Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry looks to be grasping the fact that risk prioritization needs to go beyond single scoring methods like CVSS alone, with 68% of respondents using integrated risk scoring combining threat intelligence or using cyber risk quantification with forecasted loss estimates to prioritize risk mitigation actions. However, these next data points show that the industry still has some way to go:
  • Nearly one in five organizations (19%) continue to rank vulnerabilities using a single score like CVSS alone
  • Just 18% update asset risk profiles monthly
Reporting Risk in Business Terms, Not Security Jargon
Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what's being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
  • Only 18% use integrated risk scenarios
  • Just 14% tie risk reports to financial quantification
  • Business stakeholders are involved less than half the time (43%)
  • And only 22% include finance teams in cyber risk discussions
'The key takeaway from the research isn't just that cyber risk is rising. It's that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,' commented Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.
'To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,' Ektare continued.
Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
Business risk is all about context. To have a good understanding of organizational risk, a business first needs to understand what its business-critical assets are, then understand the risk factors or threats as they relate to those crown jewel assets. Without this context, vulnerabilities or threats are just information.
If everything is critical, nothing is. Prioritizing risks is paramount, as organizations do not have unlimited resources. To be capital-efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that needs to be accepted or transferred to cyber insurance.
To get a good read of the cyber-risks across the enterprise, organizations need diverse telemetry of risk signals. Organizations can't rely on just one, such as scanning for vulnerabilities. Instead, companies need visibility into their application security, identity security stack, and more: every part of the enterprise that is exposing their attack surface.
Instead of focusing on reactive incident response — for example with a SIEM or a SOC — organizations need a better system that proactively looks to predict risks and works to reduce the likelihood of an event happening by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
Organizations need to overhaul the way they communicate cyber-risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance impact risk, will be the future of 'business-oriented' risk reporting, and much more effective at communicating risk to board members.