Cyber risk management still lacks business context – Intelligent CIO Middle East

Despite increasing investment in cybersecurity, a new 2025 Qualys report reveals that most organisations still struggle to link cyber risk to real business impact—leaving boardrooms with a blind spot in decision-making.

According to the State of Cyber Risk Assessment 2025 report by Qualys in partnership with Dark Reading, while nearly half of organisations now have a formal risk management programme, a staggering number still lack the ability to translate technical vulnerabilities into meaningful business decisions.

“Spending has increased, frameworks have matured, and boards are asking tougher questions,” said Mayuresh Ektare, Vice President of Product Management at Qualys. “Yet 71% of organisations report that their cyber risk levels are either rising or remaining the same. That should be a wake-up call.”

Only 6% of those surveyed said their risk levels have decreased.

The business context black hole

The report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programmes, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.

“Every business is unique; hence, each risk management programme must be tailored to reflect that reality,” Ektare noted. “The old one-size-fits-all, CVSS-driven approach doesn’t work anymore.”

Adding to the concern is how cyber risks are being communicated at the executive level. While 90% of organisations report cyber findings to the board, just 14% quantify those risks financially, and only 22% involve finance teams in discussions. The gap between technical risk and strategic consequence remains stark.

Asset visibility: the old problem that won’t go away

Two decades on, organisations are still struggling with asset visibility, a foundational challenge that continues to undermine security efforts. Although 83% of organisations perform regular asset inventories, only 13% can do so on a continuous basis. Nearly half still rely on manual processes, and 41% admit that incomplete asset data is one of their most significant barriers to effective risk management.

The report suggests that true cyber resilience begins with knowing what’s at risk. But without visibility, organisations are essentially securing blindfolded.

Risk prioritisation needs a new vocabulary

The industry also appears to be slowly moving beyond CVSS (Common Vulnerability Scoring System) as the primary metric for prioritisation. Around 68% of organisations now blend severity scores with threat intelligence and loss forecasting to drive risk decisions. Still, nearly one in five (19%) rely solely on traditional scoring methods, missing out on the bigger picture.

“Patching everything is neither possible nor necessary,” said Ektare. “What matters is which risks affect your crown jewel assets. If everything is critical, then nothing is.”
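As an added illustration of the blended approach described above (severity combined with threat intelligence, crown jewel context and a loss estimate), the following is example code written for this article, not Qualys's product or the report's own method; the asset names, VULN-000x identifiers, dollar figures and weighting factors are all constructed assumptions:

```python
"""Rank findings by business risk instead of CVSS alone.

Likelihood is proxied from CVSS and boosted when exploitation is observed
in the wild; the financial exposure of the asset is doubled when it backs a
crown jewel business process. All input below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder identifier, not a real CVE
    cvss: float         # 0.0 - 10.0 base severity
    exploited: bool     # threat intel: exploitation seen in the wild
    crown_jewel: bool   # business context: supports a critical process
    exposure_usd: float # estimated loss if this asset is compromised


def business_risk(f: Finding) -> float:
    """Expected-loss style score: likelihood proxy x weighted exposure."""
    likelihood = f.cvss / 10.0
    if f.exploited:
        likelihood = min(1.0, likelihood * 1.5)  # assumed boost factor
    context = 2.0 if f.crown_jewel else 1.0       # assumed crown jewel weight
    return round(likelihood * f.exposure_usd * context, 2)


def rank_by_cvss(findings):
    """The 'traditional scoring only' ordering the report warns about."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_business_risk(findings):
    """Ordering that takes threat intel, asset context and exposure into account."""
    return [f.vuln_id for f in sorted(findings, key=business_risk, reverse=True)]


def board_summary(findings, top_n=3):
    """Top-N findings expressed in dollars, the language a board understands."""
    ranked = sorted(findings, key=business_risk, reverse=True)[:top_n]
    return [(f.asset, f.vuln_id, business_risk(f)) for f in ranked]


# Constructed sample inventory: the highest CVSS sits on a low-value dev box,
# while the payments database carries a lower CVSS but is exploited and critical.
SAMPLE = [
    Finding("dev-wiki", "VULN-0001", 9.8, False, False, 20_000),
    Finding("payments-db", "VULN-0002", 7.5, True, True, 5_000_000),
    Finding("hr-portal", "VULN-0003", 8.1, False, True, 800_000),
    Finding("print-server", "VULN-0004", 9.1, True, False, 10_000),
]
```

Run `rank_by_cvss(SAMPLE)` and `rank_by_business_risk(SAMPLE)` side by side: CVSS alone puts the payments database last, while the blended score puts it first.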

The rise of the risk operations centre (ROC)

To address this challenge, Qualys is advocating a shift toward a “Risk Operations Center” (ROC) model – a framework that merges vulnerability data, threat intelligence, and business asset context under one roof. Unlike reactive SOC models that respond to incidents, the ROC aims to predict and prevent them by aligning cybersecurity strategy with business impact.

“ROC is the next evolution,” Ektare said. “It provides a continuous, business-aligned view of cyber risk. And that’s what stakeholders are demanding.”

The report’s key message is clear: current cybersecurity efforts, though well-intentioned, often fall short where it matters most: business value. Risk data needs to be translated into stories that resonate with CFOs, CEOs, and boards. Otherwise, cyber will remain a technical silo, detached from enterprise priorities.

For organisations looking to improve, the recommendations are simple but urgent:

  • Define crown jewel assets and tailor risk programmes to protect them.
  • Replace fragmented telemetry with enterprise-wide risk signals.
  • Prioritise risk in business—not just technical—terms.
  • Quantify risk in financial language for the board.
  • Shift from reactive SOCs to proactive ROCs.

“The illusion is that cyber risk is being managed just because tools and dashboards exist,” Ektare concluded. “But real risk reduction only happens when the business is part of the conversation.”
