Cybersecurity Still Misaligned with Business Risk Priorities
Qualys has released The 2025 State of Cyber Risk Assessment Report, revealing that many organisations are still approaching cyber risk as a technical rather than a business problem.
The study, commissioned by Qualys and conducted by Dark Reading, draws on insights from over 100 IT and cybersecurity leaders across industries. It finds that although nearly half (49%) of organisations have a formal cyber risk program in place, the majority still rely heavily on manual processes, siloed security metrics and vulnerability severity alone to prioritise risks – often without factoring in asset value or business context.
“The research shows that the technical foundation for cyber-risk management exists – but what’s missing is strategic alignment between security operations and business priorities. Cybersecurity can no longer operate in isolation, yet many organisations continue to spread resources thinly across their attack surface without clearly understanding which risks actually matter to the business,” said Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management at Qualys.
“To close this gap, cybersecurity must evolve from an IT function to a business function – one that can quantify loss, model risk scenarios, prioritise decisions, and demonstrate a measurable return on risk reduction. That evolution starts with business context, not just more data. It’s a shift from detection to direction, and from siloed operations to aligned outcomes. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact and business context into every decision.”
The State of Cyber Risk Report Highlights
- Insight 1: Formal Risk Programs Are Expanding, But Business Context Is Still Missing. While 49% of organisations have a formal cyber-risk management program, only 30% report that their risk management programs are prioritised based on business objectives. Moreover, 43% of those programs have been running for less than two years and 19% are still in the planning phase. The findings highlight a maturity gap and a lack of sustained commitment to embedding business context into how these programs identify and prioritise risks.
- Insight 2: More Investment Doesn’t Equal Less Risk. While cybersecurity spending has continued to grow, the vast majority (71%) of organisations believe that their cyber risk levels are rising or holding steady, with only 6% seeing risk levels decrease.
- Insight 3: The Missing Metric: Business Relevance in Asset Intelligence. Asset visibility remains one of the biggest blind spots. Despite 83% of respondents reporting regular IT asset inventories, only 13% can maintain one continuously, and nearly half still rely on manual processes.
- Insight 4: Business Context Lacking in Risk Prioritisation. The majority still prioritise vulnerabilities without adequately assessing how risk maps to their most critical assets. While 68% of respondents use integrated risk scoring that combines threat intelligence, or cyber risk quantification with forecasted loss estimates, to prioritise mitigation actions, nearly one in five organisations (19%) continue to rank vulnerabilities using a single scoring method such as CVSS alone, and just 18% update asset risk profiles monthly.
- Insight 5: Boards Are Engaged, But Reporting Lacks Depth. Security teams still struggle to translate operational data into business-aligned insights. While 90% of organisations report cyber-risk findings to the board, only 18% use integrated risk scenarios and just 14% tie risk reports to financial quantification. Business stakeholders are involved less than half the time (43%), and only 22% include finance teams in cyber risk discussions.
- Insight 6: Top Risks Reflect the Human Factor. Phishing, ransomware, and insider threats were named as the top three risks to digital assets – underscoring the need for user education and identity-aware risk management strategies.
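To make Insight 4 concrete, the following is an added example written for this page (it is not Qualys’s or Dark Reading’s method, and the findings, the 1–5 asset criticality scale, the weighting factors and the 30-day review window are all constructed assumptions). It ranks the same four findings twice: once by CVSS alone, and once by a score that folds in asset criticality from the inventory, a threat-intelligence flag and internet exposure. It also flags assets whose criticality rating has not been reviewed recently, which is the “stale asset risk profile” problem the insight describes.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample findings for illustration only; not data from the report.
@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float                   # base severity, 0.0-10.0
    asset_criticality: int        # assumed 1 (disposable) .. 5 (crown jewel), from the asset inventory
    internet_exposed: bool        # reachable from outside the perimeter
    exploited_in_wild: bool       # threat-intelligence flag
    criticality_reviewed_days_ago: int  # age of the asset's risk profile

FINDINGS: List[Finding] = [
    Finding("VULN-A", "dev-test-box", 9.8, 1, False, False, 400),  # critical CVSS, throwaway asset
    Finding("VULN-B", "payments-db",  7.5, 5, False, True,  12),   # high CVSS, crown jewel, exploited
    Finding("VULN-C", "public-web",   6.5, 4, True,  True,  5),    # medium CVSS, exposed and exploited
    Finding("VULN-D", "hr-portal",    8.1, 3, False, False, 20),   # high CVSS, mid-value internal asset
]

# Assumed weights: these are illustrative, not a standard.
EXPLOITED_MULTIPLIER = 1.5
EXPOSED_MULTIPLIER = 1.25
MAX_CRITICALITY = 5

def cvss_only_score(f: Finding) -> float:
    """The 'single scoring method' approach: severity with no business context."""
    return f.cvss

def business_context_score(f: Finding) -> float:
    """Severity weighted by asset value and threat activity (constructed formula)."""
    score = f.cvss * (f.asset_criticality / MAX_CRITICALITY)
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    if f.internet_exposed:
        score *= EXPOSED_MULTIPLIER
    return round(score, 2)

def rank(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Return vulnerability ids ordered from highest to lowest score."""
    return [f.vuln_id for f in sorted(findings, key=scorer, reverse=True)]

def stale_profiles(findings: List[Finding], max_age_days: int = 30) -> List[str]:
    """Assets whose criticality rating is older than the review window (assumed 30 days)."""
    return sorted({f.asset for f in findings if f.criticality_reviewed_days_ago > max_age_days})

if __name__ == "__main__":
    print("CVSS only      :", rank(FINDINGS, cvss_only_score))
    print("Business context:", rank(FINDINGS, business_context_score))
    for f in FINDINGS:
        print(f"  {f.vuln_id} on {f.asset}: cvss={f.cvss} context={business_context_score(f)}")
    print("Stale asset profiles:", stale_profiles(FINDINGS))
```

With the constructed data the CVSS-only queue puts the disposable dev box first and the exploited payments database third; the context-weighted queue reverses that order. The staleness check is the cheap companion control: a weighting scheme is only as good as the asset criticality it multiplies by, so any asset whose rating has not been reviewed inside the window should be re-rated before its findings are trusted.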
You can read the full report here.