Cybersecurity Strategies Lag Behind Business Risk Prioritizations
According to the recently released "The 2025 State of Cyber Risk Assessment Report" by Qualys, there are significant gaps in the alignment between cybersecurity and business priorities. The report, based on insights from over 100 IT and cybersecurity leaders across various industries, reveals a need for a more strategic approach to cyber-risk management.
Mayuresh Ektare, Vice President of Product Management, Enterprise TruRisk Management at Qualys, emphasized the need for cybersecurity to evolve from an IT function into a business function. He suggested that the shift should be from detection to direction, and from siloed operations to aligned outcomes.
The report highlights several key findings. Business stakeholders are involved in cyber-risk discussions less than half the time (43%), and finance teams are included in only 22% of them. This lack of business involvement is a barrier to effective risk management, since the people who own the business impact are absent when risk is being assessed.
Phishing, ransomware, and insider threats are identified as the top three risks to digital assets, underscoring the need for user education and identity-aware risk management strategies. However, security teams struggle to translate operational data into business-aligned insights, with only 18% using integrated risk scenarios and just 14% tying risk reports to financial quantification.
Asset visibility is a significant blind spot, with nearly half of respondents still relying on manual processes for IT asset inventories. Only 49% of organizations have a formal cyber-risk program in place, and nearly one in five organizations (19%) continue to rank vulnerabilities using a single scoring method such as CVSS alone. Just 18% update asset risk profiles monthly.
The report also reveals that only 30% of organizations prioritize their risk management programs based on business objectives. Most organizations prioritize risks without considering asset value or business context, which leads to remediation effort being spent where it reduces the least risk.
In the same way, most organizations prioritize vulnerabilities without adequately assessing how each one maps to their most critical assets. This disconnect between vulnerability rankings and critical assets can leave an organization exposed on exactly the systems that matter most.
Despite growth in cybersecurity spending, 71% of organizations believe their cyber-risk level is rising or holding steady. This suggests that current strategies are not effectively reducing risk.
The report suggests that the technical foundation for cyber-risk management exists, but what is missing is strategic alignment between security operations and business priorities. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact, and business context into every decision. The evolution of cybersecurity should include the ability to quantify loss, model risk scenarios, prioritize decisions, and demonstrate a measurable return on risk reduction.
In conclusion, the 2025 State of Cyber Risk Assessment Report provides valuable insight into the current state of cybersecurity and the need for a more strategic, business-aligned approach to risk management. By integrating business context into cybersecurity decisions, organizations can better protect their digital assets and mitigate cyber risk.
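To make the difference between "CVSS alone" and "CVSS with business context" concrete, the following is an added example written for this article, not code or data from the Qualys report or from the TruRisk product. The scoring weights, the asset criticality tiers, the exposure multipliers, the loss estimates, and the three findings (labelled F-001 to F-003, not real CVE identifiers) are all constructed assumptions. It ranks the same findings two ways and shows that the ordering flips once asset criticality, exposure, exploit status and expected loss are taken into account.

```python
"""Vulnerability prioritization: CVSS alone vs. CVSS with business context.

Illustrative scheme written for this article. The weights and the sample
findings are constructed; this is not Qualys's TruRisk formula or data.
"""
from dataclasses import dataclass

# Hypothetical asset criticality tiers: how much a compromise of the host
# matters to the business, independent of the vulnerability itself.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 2.0, "crown_jewel": 4.0}

# Hypothetical exposure multiplier: internet-facing assets are reached first.
EXPOSURE_WEIGHT = {"internal": 1.0, "internet": 2.0}

# Hypothetical multiplier for vulnerabilities known to be exploited in the wild.
KNOWN_EXPLOITED_FACTOR = 1.5


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed label, not a real CVE
    asset: str
    cvss: float              # CVSS base score, 0.0-10.0
    known_exploited: bool    # e.g. listed in an exploited-in-the-wild feed
    criticality: str         # key into CRITICALITY_WEIGHT
    exposure: str            # key into EXPOSURE_WEIGHT
    asset_value_usd: float   # estimated single-loss impact if the asset is compromised
    likelihood: float        # estimated annual probability of exploitation (0-1)


def risk_score(f: Finding) -> float:
    """Composite score: CVSS scaled by asset criticality, exposure and exploit status."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.finding_id}: {f.cvss}")
    exploit_factor = KNOWN_EXPLOITED_FACTOR if f.known_exploited else 1.0
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality] * EXPOSURE_WEIGHT[f.exposure] * exploit_factor
    return round(score, 2)


def annualized_loss_expectancy(f: Finding) -> float:
    """ALE = single-loss expectancy x annual rate of occurrence (asset value x likelihood)."""
    if not 0.0 <= f.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range for {f.finding_id}: {f.likelihood}")
    return round(f.asset_value_usd * f.likelihood, 2)


def rank_by_cvss(findings):
    """The 'single scoring method' ordering: highest CVSS first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """Business-context ordering: highest composite risk score first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def total_expected_loss(findings) -> float:
    """Sum of ALE across findings: the figure a finance team can relate to."""
    return round(sum(annualized_loss_expectancy(f) for f in findings), 2)


# Constructed sample: three findings that CVSS alone orders one way and
# business context orders another.
SAMPLE_FINDINGS = [
    Finding("F-001", "dev-test-vm", 9.8, False, "low", "internal", 20_000.0, 0.05),
    Finding("F-002", "payments-db", 7.5, True, "crown_jewel", "internal", 5_000_000.0, 0.30),
    Finding("F-003", "marketing-web", 8.1, True, "medium", "internet", 150_000.0, 0.40),
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE_FINDINGS))
    print("Risk-based order:", rank_by_risk(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.finding_id} {f.asset:<14} cvss={f.cvss:<4} "
              f"risk={risk_score(f):<6} ALE=${annualized_loss_expectancy(f):,.0f}")
    print("Total expected annual loss:", f"${total_expected_loss(SAMPLE_FINDINGS):,.0f}")
```

Run stand-alone, the CVSS-only ranking puts the 9.8 on a disposable test VM first and the payments database last; the composite ranking inverts that, and the ALE column turns the same list into a dollar figure that can be compared against remediation cost. Whatever weights an organization actually chooses, the point the report makes is that the inputs on the right-hand side (criticality, exposure, exploit status, loss) have to exist and be kept current before any such ranking is trustworthy.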