According to new research commissioned by Qualys and conducted by Dark Reading, despite rising investments, evolving frameworks, and more vocal boardroom interest, most organizations remain immature in their risk management programs.
Nearly half of organizations (49%) surveyed for Qualys’ 2025 State of Cyber-risk Assessment report, today have a formal business-focused cybersecurity risk management program. However, just 18% of organizations use integrated risk scenarios that focus on business-impacting processes, showing how investments manage the likelihood and impact of risk quantitatively, including risk transfer to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.
Key findings from the research include:
Formal Risk Programs are Expanding, But Business Context is Still Missing 49% of surveyed organizations report having a formal cyber risk program in place which looks like a promising statistic on the surface. But dig deeper, and the data shows otherwise:
- Business Alignment Gaps: Only 30% report that their risk management programs are prioritized based on business objectives
- Recent Implementations: 43% of existing programs have been in place for less than two years, indicating a nascent stage of maturity
- Future Plans: An additional 19% are still in the planning phase
More Investment ≠ Less Risk: Why the Cyber ROI isn’t Adding Up
Cybersecurity spending has continued to grow. Yet one of the most revealing insights from the study is that a vast majority (71%) of organizations believe that their cyber risk levels are rising or holding steady.
- 51% say their overall cyber risk exposure is increasing
- 20% say it remains unchanged
- Only 6% have seen risk levels decrease
The Missing Metric: Business Relevance in Asset Intelligence
Visibility in cyber risk management is about a principle that hasn’t changed in 20 years: you can’t protect what you can’t see.
Yet even in 2025, asset visibility remains one of the biggest blind spots:
- 83% of organizations perform regular asset inventories, but only 13% can do so continuously
- 47% still rely on manual processes
- 41% say incomplete asset inventories are among their top barriers to managing cyber risk
Risk Prioritization Needs to be a Business Conversation, Not a Technical One
Another illusion that persists is the idea that all risks can and should be patched. The longstanding practice of prioritizing vulnerabilities based solely on severity is no longer sufficient. The industry looks to be grasping the fact that risk prioritization needs to go beyond single scoring methods like CVSS alone, with 68% of respondents using integrated risk scoring combining threat intelligence or using cyber risk quantification with forecasted loss estimates to prioritize risk mitigation actions.
However, these next data points show that the industry still has some way to go:
- Nearly one in five (19%) of organizations continue to rank vulnerabilities using a single score like CVSS alone
- Just 18% update asset risk profiles monthly
Reporting Risk in Business Terms, Not Security Jargon
Executives do not want to hear how many vulnerabilities have been patched. They want to understand what the organization stands to lose, and what’s being done to protect it. Yet the study finds that while 90% of organizations report cyber-risk findings to the board:
- Only 18% use integrated risk scenarios
- Just 14% tie risk reports to financial quantification
- Business stakeholders are only involved less than half the time (43%)
- And only 22% include finance teams in cyber risk discussions
“The key takeaway from the research isn’t just that cyber risk is rising. It’s that current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact to risk reduction, tailored to the business. Every business is unique; hence, each risk profile and risk management program should also look unique to the organization. Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit,” said, Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management, Qualys.
“To address this, forward-leaning teams are adopting a Risk Operations Center (ROC) model: a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view. The ROC model provides a proven path forward for organizations ready to manage cyber risk the way the business understands it and expects it to be managed,” Ektare continued.
Below are some recommendations to help businesses better align cybersecurity risk with business priorities:
- Business risk is all about context. In order to have a good understanding of organizational risk, a business first needs to understand what their business-critical assets are, then understand their risk factors or threats as it relates to those crown jewel assets. Without this context, vulnerabilities or threats are just information.
- If everything is critical, nothing is. Prioritizing risks is paramount as organizations do not have unlimited resources. In order to be capitally efficient, companies need to spend as little as possible to avoid the largest possible amount of risk. Whatever is not mitigated through technology represents risk that needs to be accepted, or transferred to cyber insurance.
- To get a good read of the cyber-risks across the enterprise, organizations need a diverse telemetry of risk signals. Organizations can’t rely on just one — such as scanning for vulnerabilities — instead, companies need visibility into their application security, identity security stack, and more, every part of the enterprise that is exposing your attack surface.
- Instead of focusing on reactive incident response — for example with a SIEM or a SOC — organizations need a better system that proactively looks to predict risks and works to reduce the likelihood of an event happening by implementing a Risk Operations Center (ROC). This approach to risk management helps leaders make better, more informed decisions based on their unique business context.
- Organizations need to overhaul the way they are communicating cyber-risk to the board. Integrated risk scenarios that focus on business-impacting processes, such as how investments and insurance impact risk, will be the future of “business-oriented” risk reporting, and much more effective at the purpose of communicating to board members.
