
Most organizations miss business context when assessing cyber risk, finds new research from Qualys
Nearly half (49%) of the organizations surveyed for Qualys' 2025 State of Cyber-risk Assessment report have a formal business-focused cybersecurity risk management program in place today. However, just 18% of organizations use integrated risk scenarios that focus on business-impacting processes and show quantitatively how investments manage the likelihood and impact of risk, including risk transfer to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.
Key findings from the research include:
Formal Risk Programs are Expanding, But Business Context is Still Missing
49% of surveyed organizations report having a formal cyber risk program in place, which looks like a promising statistic on the surface. But dig deeper and the data shows otherwise:
Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
Future Plans: An additional 19% are still in the planning phase
More Investment ≠ Less Risk: Why the Cyber ROI isn't Adding Up
Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady.
51% say their overall cyber risk exposure is increasing
20% say it remains unchanged
Only 6% have seen risk levels decrease
The Missing Metric: Business Relevance in Asset Intelligence
Visibility in cyber risk management is about a principle that hasn't changed in 20 years: you can't protect what you can't see. Yet even in 2025, asset visibility remains one of the biggest blind spots:
83% of organizations perform regular asset inventories, but only 13% can do so continuously
47% still rely on manual processes
41% say incomplete asset inventories are among their top barriers to managing cyber risk
Risk Prioritization Needs to be a Business Conversation, Not a Technical One
Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry appears to be grasping that risk prioritization needs to go beyond a single scoring method such as CVSS alone: 68% of respondents use integrated risk scoring that combines threat intelligence, or use cyber risk quantification with forecasted loss estimates, to prioritize risk mitigation actions. However, the next data points show that the industry still has some way to go:
Nearly one in five organizations (19%) continue to rank vulnerabilities using a single score like CVSS alone
Just 18% update asset risk profiles monthly
Reporting Risk in Business Terms, Not Security Jargon
Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what's being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
Only 18% use integrated risk scenarios
Just 14% tie risk reports to financial quantification
Business stakeholders are involved less than half the time (43%)
And only 22% include finance teams in cyber risk discussions
'The key takeaway from the research isn't just that cyber risk is rising. It's that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,' commented Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.
'To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,' Ektare continued.
Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
Business risk is all about context. To have a good understanding of organizational risk, a business first needs to understand what its business-critical assets are, then understand the risk factors or threats as they relate to those crown-jewel assets. Without this context, vulnerabilities or threats are just information.
If everything is critical, nothing is. Prioritizing risks is paramount because organizations do not have unlimited resources. To be capital-efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that needs to be accepted or transferred to cyber insurance.
To get a good read of cyber risk across the enterprise, organizations need diverse telemetry of risk signals. They can't rely on just one, such as vulnerability scanning; instead, companies need visibility into their application security, their identity security stack, and every other part of the enterprise that exposes the attack surface.
Instead of focusing on reactive incident response — for example with a SIEM or a SOC — organizations need a better system that proactively looks to predict risks and works to reduce the likelihood of an event happening by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
Organizations need to overhaul the way they communicate cyber risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance affect risk, will be the future of 'business-oriented' risk reporting, and far more effective at communicating with board members.
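As an added illustration of the prioritization argument above (moving beyond CVSS alone to quantified, business-aware scoring) and of the accept-or-transfer recommendation, the following Python ranks the same constructed findings by CVSS alone and by expected loss, then shows the residual risk left once a remediation budget is spent. This is example code, not the Qualys report's method or tooling; the likelihood weights, finding IDs, asset names, fix costs and dollar figures are all constructed placeholders.

```python
# Added example (not from the Qualys report): CVSS-only vs expected-loss ranking,
# plus residual risk after a fixed budget. All values below are constructed.
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str            # placeholder id, not a real CVE
    asset: str
    cvss: float             # base severity, 0-10
    exploited: bool         # threat-intel signal: known exploited in the wild (assumed)
    internet_facing: bool   # asset context
    asset_loss_usd: float   # forecasted loss if this asset is compromised (assumed)

def likelihood(f: Finding) -> float:
    # Constructed annual compromise probability; real programs derive this from threat intel.
    p = 0.02 + 0.05 * (f.cvss / 10)
    if f.exploited:
        p += 0.30
    if f.internet_facing:
        p += 0.15
    return min(p, 0.95)

def expected_loss(f: Finding) -> float:
    return likelihood(f) * f.asset_loss_usd   # cyber risk quantification: likelihood x loss

def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def rank_by_expected_loss(findings):
    return sorted(findings, key=expected_loss, reverse=True)

def residual_risk(findings, budget_usd, fix_cost_usd):
    # Greedily remediate the highest expected-loss findings that fit the budget;
    # whatever remains is residual risk to accept or transfer (e.g. to insurance).
    remediated, spent, residual = [], 0.0, 0.0
    for f in rank_by_expected_loss(findings):
        if spent + fix_cost_usd[f.vuln_id] <= budget_usd:
            remediated.append(f)
            spent += fix_cost_usd[f.vuln_id]
        else:
            residual += expected_loss(f)
    return remediated, residual

SAMPLE = [  # constructed findings
    Finding("V-1", "test-lab-vm", 9.8, False, False, 5_000),
    Finding("V-2", "payments-api", 7.5, True, True, 2_000_000),
    Finding("V-3", "hr-portal", 8.1, False, True, 300_000),
    Finding("V-4", "crown-jewel-db", 6.5, True, False, 4_000_000),
]
FIX_COST = {"V-1": 500, "V-2": 20_000, "V-3": 8_000, "V-4": 50_000}  # constructed
```

With these inputs the CVSS-only ranking puts the 9.8 on a throwaway lab VM first, while the expected-loss ranking puts the 6.5 on the crown-jewel database first; whatever the budget cannot cover becomes a dollar figure to accept or insure rather than an open patch count.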