Business Context Missing In Most Cyber Risk Programs: Qualys

According to new research commissioned by Qualys and conducted by Dark Reading, most organizations remain immature in their risk management programs despite rising investments, evolving frameworks, and more vocal boardroom interest.
Nearly half of the organizations (49%) surveyed for Qualys' 2025 State of Cyber-risk Assessment report have a formal, business-focused cybersecurity risk management program. However, just 18% use integrated risk scenarios that focus on business-impacting processes, that is, scenarios that show quantitatively how investments, including risk transfer to insurance, change the likelihood and impact of risk. This is a key deficiency, because business stakeholders expect the CISO to focus on business risk.
Key findings from the research include:

Formal Risk Programs are Expanding, But Business Context is Still Missing
49% of surveyed organizations report having a formal cyber risk program in place, which looks like a promising statistic on the surface. But dig deeper, and the data shows otherwise:
- Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
- Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
- Future Plans: An additional 19% are still in the planning phase
More Investment ≠ Less Risk: Why the Cyber ROI isn't Adding Up
Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady:
- 51% say their overall cyber risk exposure is increasing
- 20% say it remains unchanged
- Only 6% have seen risk levels decrease
The Missing Metric: Business Relevance in Asset Intelligence
Visibility in cyber risk management rests on a principle that hasn't changed in 20 years: you can't protect what you can't see. Yet even in 2025, asset visibility remains one of the biggest blind spots:
- 83% of organizations perform regular asset inventories, but only 13% can do so continuously
- 47% still rely on manual processes
- 41% say incomplete asset inventories are among their top barriers to managing cyber risk
Risk Prioritization Needs to be a Business Conversation, Not a Technical One
Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry appears to be grasping that risk prioritization needs to go beyond a single scoring method such as CVSS: 68% of respondents prioritize risk mitigation actions using integrated risk scoring that combines threat intelligence, or using cyber risk quantification with forecasted loss estimates. However, the next data points show that the industry still has some way to go:
- Nearly one in five (19%) organizations continue to rank vulnerabilities using a single score like CVSS alone
- Just 18% update asset risk profiles monthly
Reporting Risk in Business Terms, Not Security Jargon
Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what's being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
- Only 18% use integrated risk scenarios
- Just 14% tie risk reports to financial quantification
- Business stakeholders are involved less than half the time (43%)
- Only 22% include finance teams in cyber risk discussions
'The key takeaway from the research isn't just that cyber risk is rising. It's that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,' commented Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.
'To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,' Ektare continued.
Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
- Business risk is all about context. To understand organizational risk, a business first needs to identify its business-critical assets, then understand the risk factors or threats as they relate to those crown-jewel assets. Without this context, vulnerabilities and threats are just information.
- If everything is critical, nothing is. Prioritizing risks is paramount because organizations do not have unlimited resources. To be capitally efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that must be accepted or transferred to cyber insurance.
- To get a good read of cyber risk across the enterprise, organizations need diverse telemetry of risk signals. They can't rely on just one, such as vulnerability scanning; instead, they need visibility into application security, the identity security stack, and every other part of the enterprise that exposes the attack surface.
- Instead of focusing on reactive incident response (for example, with a SIEM or a SOC), organizations need a system that proactively predicts risks and reduces the likelihood of an event occurring by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
- Organizations need to overhaul the way they communicate cyber risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance affect risk, will be the future of 'business-oriented' risk reporting, and far more effective at communicating with board members.
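To make the shift from CVSS-only ranking to business-context prioritization concrete (the approach described in the prioritization findings and in the first two recommendations above), here is an added example that is not part of the Qualys research or of any Qualys product: it scores constructed sample findings by forecasted loss (a likelihood weighted by threat intelligence and exposure, times the asset's estimated business impact) and shows that ordering diverging from a CVSS-only ranking. The weighting factors, dollar figures, asset names and CVE placeholders are all assumptions.

```python
# Added illustration: rank findings by forecasted loss (likelihood x business
# impact) rather than CVSS alone. All assets, findings and dollar figures are
# constructed sample data, not Qualys data or code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    crown_jewel: bool         # business-critical per the asset inventory
    loss_if_breached: float   # assumed financial impact in USD
    internet_exposed: bool

@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str                  # placeholder ids, not real CVE numbers
    cvss: float               # 0.0-10.0 base score
    exploited_in_wild: bool   # threat-intelligence signal

def likelihood(f: Finding) -> float:
    """Annual exploitation probability: CVSS-scaled baseline (assumed 10% at CVSS 10),
    multiplied up for known exploitation and internet exposure, capped at 1.0."""
    p = f.cvss / 10.0 * 0.1
    if f.exploited_in_wild:
        p *= 5.0
    if f.asset.internet_exposed:
        p *= 2.0
    return min(p, 1.0)

def expected_loss(f: Finding) -> float:
    """Forecasted annual loss = likelihood x loss if breached, crown jewels weighted 2x."""
    weight = 2.0 if f.asset.crown_jewel else 1.0
    return likelihood(f) * f.asset.loss_if_breached * weight

def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def rank_by_business_risk(findings):
    return sorted(findings, key=expected_loss, reverse=True)

# Constructed sample: a CVSS 9.8 on an isolated lab VM versus lower scores on an
# internet-exposed payments API that the business depends on.
LAB = Asset("dev-lab-vm", crown_jewel=False, loss_if_breached=20_000, internet_exposed=False)
PAY = Asset("payments-api", crown_jewel=True, loss_if_breached=5_000_000, internet_exposed=True)
FINDINGS = [
    Finding(LAB, "CVE-PLACEHOLDER-1", 9.8, exploited_in_wild=False),
    Finding(PAY, "CVE-PLACEHOLDER-2", 7.5, exploited_in_wild=True),
    Finding(PAY, "CVE-PLACEHOLDER-3", 4.3, exploited_in_wild=False),
]
```

With these inputs the CVSS-only ranking puts the lab VM first, while the business-risk ranking puts both payments findings ahead of it, which is the reordering the survey says only a minority of programs perform today.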
Related Articles

Qualys Unveils Agentic AI for Real-Time Cyber Risk Management
TECHx, 05-08-2025

Qualys, Inc. (NASDAQ: QLYS), a provider of cloud-based IT, security, and compliance solutions, has announced new Agentic AI capabilities on the Qualys platform. The new AI fabric powers a marketplace of Cyber Risk AI Agents. These agents deliver real-time insights across all attack surfaces, prioritized by business impact. They also help reduce risk and operational costs through autonomous remediation at speed and scale. This enables a more efficient and intelligent Risk Operations Center (ROC).

As cyber threats grow in volume and complexity, security teams face millions of exposures with little context. Manual processes lead to delays and unaddressed vulnerabilities. To solve this, Qualys introduced Agentic AI to eliminate repetitive tasks and enable risk-focused workflows.

According to Tyler Shields, principal analyst at Enterprise Strategy Group (ESG), 'Integrating Agentic AI into the Qualys platform marks a major leap from reactive response to real-time risk reduction.' He added that this innovation supports faster remediation and greater accuracy.

By embedding Agentic AI into Enterprise TruRisk Management (ETM), Qualys enhances risk-centric automation. ETM already aggregates exposures to align cyber risk with business value. With the new AI fabric, Qualys now offers pre-built AI agents for threat prioritization and remediation tailored to each organization. The Cyber Risk Assistant is also introduced. This prompt-driven tool helps teams navigate risks, translate exposures, and deliver context-aware insights through autonomous operations.

The Qualys Marketplace now features:
- Continuous risk insights from fragmented exposures, using pre-built AI agents.
- Adaptive remediation via AI agents like the Microsoft Patch Tuesday Lifecycle Agent.
- Custom AI agents through a no-code interface, enabling reusable, automated workflows.

'Qualys Agentic AI, embedded into Enterprise TruRisk Management, is transforming how organizations manage cyber risk,' said Sumedh Thakar, President and CEO of Qualys. He emphasized that CISOs can now augment their teams with intelligent AI agents for faster, strategic risk reduction. This launch represents a step forward in autonomous cybersecurity and smarter operations powered by AI.

Qualys Unveils Agentic AI-Powered Risk Operations Center
Channel Post MEA, 05-08-2025

Qualys has unveiled several new Agentic AI capabilities on the Qualys platform. The new AI fabric introduces a marketplace of Cyber Risk AI Agents delivering real-time risk insights across all attack surfaces, prioritized by business impact. Additionally, it reduces risk and operational costs by autonomously remediating with speed, scale, and accuracy, all while powering a smarter, more efficient Risk Operations Center (ROC).

Amid a surge in the volume and sophistication of cyber threats, amplified by the growing complexity of an ever-evolving attack surface, teams are grappling with millions of exposures while lacking the context to map them against business priorities. Without self-orchestrating AI agents to turn data into insights, and prioritize and remediate risks in real time, security teams face manual bottlenecks and lingering exposures. Qualys addresses this with Agentic AI, eliminating repetitive tasks and enabling autonomous, risk-focused workflows that empower teams and accelerate protection.

'Cybersecurity has never been able to keep pace with the volume of enterprise exposures due to human-scale prioritization and remediation,' said Tyler Shields, principal analyst at Enterprise Strategy Group (ESG). 'Integrating Agentic AI into the Qualys platform marks a major leap—from reactive response to real-time risk reduction. With autonomous remediation and intelligent prioritization, this type of innovation enables faster risk reduction, more efficient resource usage, and greater accuracy in recommended actions. This evolution shifts security teams from tactical responders to strategic agentic AI orchestrators, bringing us closer to a future of self-healing cybersecurity.'

By embedding Agentic AI into Enterprise TruRisk Management (ETM), Qualys enhances its risk-centric automation capabilities, delivering faster, more intelligent decision-making. Already a leading cornerstone of the ROC, ETM aggregates exposures to measure, communicate, and eliminate cyber risk aligned to business value. Now, with the new AI fabric, Qualys delivers pre-built AI agents that automate threat prioritization and drive remediation strategies tailored to each organization's risk appetite and environment. It also introduces the Cyber Risk Assistant, a prompt-driven interface that helps teams navigate the risk journey, translate millions of exposures, and deliver context-aware risk insights with autonomous operations.

The Qualys Marketplace of ready-to-use AI agents delivers:
- Continuous Risk Insights and Prioritization from Fragmented Exposures – Pre-built AI agents autonomously and adaptively drive every step of the cyber risk journey, from continuously discovering your external attack surface with a hacker's-eye view, to proactively assessing risk against trending industry threats, and prioritizing those risks based on the context of your unique assets and environment. This helps organizations reduce the cost and complexity of risk operations.
- Adaptive Remediation for the Highest Security Posture – With attackers exploiting vulnerabilities in under 18 days, cybersecurity and IT teams are focused on reducing mean time to remediation (MTTR). Adaptive Risk Remediation AI Agents like the Microsoft Patch Tuesday Lifecycle Agent continuously triangulate prioritized vulnerabilities, correlated remediation techniques, and asset context to drive faster, more transparent risk remediation. This reduces cost and time to close vulnerabilities.
- Build Your Own AI Agent – Security teams can create custom, no-code, pretrained AI agents tailored to their specific business needs. These agents can be trained to perform specialized tasks autonomously and reused as needed, enabling scalable, repeatable automation for risk management workflows unique to each organization.

'Qualys Agentic AI, embedded into Enterprise TruRisk Management is transforming how organizations manage cyber risk and powering a smarter, more agile Risk Operations Center,' said Sumedh Thakar, president and CEO of Qualys. 'It's ushering in a new era where CISOs can augment their security teams with intelligent AI agents that perform autonomous analysis and take decisive, high-impact actions to reduce risk faster, more strategically, and with greater efficiency.'

Tenable Unveils AI-driven Enhancements To VPR
Channel Post MEA, 28-07-2025

Tenable has announced the next evolution of its industry-leading Tenable Vulnerability Priority Rating (VPR) to sharpen precision and focus on risks that pose the greatest threat. Powered by generative AI, enriched threat intelligence and context-aware scoring, Tenable VPR enables organizations to quickly understand vulnerability impact, weaponization and precise remediation actions.

While the static Common Vulnerability Scoring System (CVSS) broadly flags 60% of vulnerabilities as high or critical, Tenable VPR narrowed this to a focused 3% at its launch in 2019. With these latest AI-driven enhancements, Tenable VPR delivers twice the clarity and precision by leveraging real-time data to pinpoint the critical 1.6% of vulnerabilities that represent actual business risk. These efficiency gains, combined with enhanced explainability and contextualization, translate to faster mean-time-to-remediation, optimized resources, and security efforts strategically aligned with organizational priorities.

'Our biggest problem was noise. We had thousands of vulnerabilities, and no clear way to know which ones posed a genuine threat,' said Jorge Orchilles, senior director, Readiness and Proactive Security, Verizon. 'Tenable VPR changed that by showing us what attackers are actually exploiting right now. It lets us focus our resources on the handful of issues that truly matter, which has made a real, measurable difference in how quickly we can get critical patches out.'

'We're taking our game-changing Tenable VPR to the next level with these AI-powered enhancements,' said Eric Doerr, chief product officer, Tenable. 'Tenable VPR brings an unmatched precision and depth of threat intelligence, context and explainability to cyber operations. With these critical insights at their fingertips, organizations can clearly visualize why an exposure matters, where they are vulnerable and how to close their priority risks.'

In addition to hyper-focused risk prioritization, key enhancements to Tenable VPR include:
- AI-powered insights and explainability: VPR insights provide instant clarity, helping users quickly grasp why an exposure matters, how it's been weaponized by threat actors, and receive clear, actionable mitigation guidance. AI-generated threat summaries and remediation insights help users quickly understand real-world risks and next steps.
- Prioritization with industry and regional context: Enhanced filtering, querying and metadata help organizations understand and prioritize vulnerabilities based on real-world threats to their specific industry and region, ensuring critical exposures relevant to the business are addressed first.
