SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Business context still missing in most cyber risk programmes

Yesterday

New research from Qualys reveals that many organisations are still treating cyber risk primarily as a technical issue despite growing pressures to align cybersecurity with overarching business priorities.

The 2025 State of Cyber Risk Assessment Report, conducted by Dark Reading and commissioned by Qualys, surveyed more than 100 IT and cybersecurity leaders across a range of industries. The findings indicate that although almost half of organisations (49%) have implemented a formal cyber risk programme, most still depend on manual processes and isolated metrics, often prioritising vulnerabilities solely by severity without considering the associated asset value or wider business context.

Mayuresh Ektare, Vice President, Product Management, Enterprise TruRisk Management at Qualys, commented on the report's findings:

The research shows that the technical foundation for cyber-risk management exists - but what's missing is strategic alignment between security operations and business priorities. Cybersecurity can no longer operate in isolation, yet many organisations continue to spread resources thinly across their attack surface without clearly understanding which risks actually matter to the business.

He continued by outlining how this disconnect might be addressed:

To close this gap, cybersecurity must evolve from an IT function to a business function - one that can quantify loss, model risk scenarios, prioritise decisions, and demonstrate a measurable return on risk reduction. That evolution starts with business context, not just more data. It's a shift from detection to direction, and from siloed operations to aligned outcomes. To mature their cyber-risk programs, security leaders must integrate asset criticality, financial impact and business context into every decision.

Risk programme maturity

The report finds that, among organisations with formal risk management efforts, only 30% say their programmes are guided by business objectives. A further 43% established these initiatives only within the last two years, and 19% are still in the planning stages. Together these figures point to a significant maturity gap: for most organisations, embedding business context into risk management is still an early-stage commitment rather than an established practice.

Spending and risk

Despite increasing levels of cybersecurity spending, 71% of organisations believe their cyber risk exposure is either mounting or unchanged, and only 6% report that risk levels are falling. This raises questions about the effectiveness of increased investment where programmes may not fully address business-relevant risks.

Asset intelligence

Another challenge identified in the research is the ongoing struggle with asset visibility. While 83% of those surveyed claim to conduct periodic IT asset inventories, just 13% are able to perform this continuously, and nearly half continue to rely on manual inventory methods. The report points to persistent difficulties in establishing up-to-date, comprehensive asset intelligence.

Risk prioritisation practices

When it comes to prioritising risks, most organisations do not adequately assess how each vulnerability maps to critical business assets. While 68% use integrated risk scoring that combines threat intelligence or applies cyber risk quantification, 19% still rely on a single-score metric such as the Common Vulnerability Scoring System (CVSS) alone. In addition, only 18% review and update asset risk profiles monthly.
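To make the CVSS-only versus context-aware distinction concrete, the following is an added example, not code from the report or from Qualys, and the scoring model, weights, asset names and findings in it are all hypothetical and constructed for illustration. It ranks the same six findings two ways: by CVSS base score alone, and by a score that folds in asset criticality, internet exposure and known exploitation. It also treats an asset that is missing from the inventory as a reason to flag the finding rather than to down-weight it, which ties prioritisation back to the asset visibility gap the report describes.

```python
"""Added example: CVSS-only vs business-context-weighted vulnerability ranking.

Hypothetical scoring model and constructed sample data; not Qualys TruRisk or
any vendor's algorithm.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float                  # CVSS base score, 0.0-10.0
    asset: str
    criticality: Optional[int]   # business criticality 1 (low) .. 5 (crown jewel); None = not in inventory
    internet_exposed: bool
    exploited_in_wild: bool      # threat-intel flag, e.g. listed as known-exploited


# Constructed sample findings (not real CVEs or hosts).
SAMPLE_FINDINGS = [
    Finding("V-1", 9.8, "dev-sandbox",   1,    False, False),
    Finding("V-2", 7.5, "payments-api",  5,    True,  True),
    Finding("V-3", 8.8, "hr-portal",     3,    True,  False),
    Finding("V-4", 6.1, "customer-db",   5,    False, True),
    Finding("V-5", 9.1, "internal-wiki", 2,    False, False),
    Finding("V-6", 5.0, "unknown-host",  None, True,  False),
]

# Hypothetical weights chosen to illustrate the effect; tune to your own loss model.
EXPOSURE_FACTOR = 1.5
EXPLOITED_FACTOR = 2.0


def rank_by_cvss(findings):
    """Single-score prioritisation: highest CVSS first, all context ignored."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss)]


def context_score(f: Finding) -> tuple[float, bool]:
    """Return (score, needs_inventory_review).

    Severity is scaled by asset criticality (1..5 -> 0.2..1.0) and multiplied
    up for internet exposure and known exploitation. An asset with no inventory
    record is scored as if it were crown-jewel critical and flagged, so a gap
    in asset intelligence raises a review instead of silently burying the finding.
    """
    needs_review = f.criticality is None
    criticality = 5 if needs_review else f.criticality
    score = f.cvss * (criticality / 5.0)
    if f.internet_exposed:
        score *= EXPOSURE_FACTOR
    if f.exploited_in_wild:
        score *= EXPLOITED_FACTOR
    return round(score, 2), needs_review


def rank_by_context(findings):
    """Business-context prioritisation: list of (id, score, needs_inventory_review), highest first."""
    scored = [(f.finding_id, *context_score(f)) for f in findings]
    return sorted(scored, key=lambda row: -row[1])


if __name__ == "__main__":
    print("CVSS only    :", rank_by_cvss(SAMPLE_FINDINGS))
    print("With context :")
    for fid, score, flag in rank_by_context(SAMPLE_FINDINGS):
        note = "  <- asset missing from inventory" if flag else ""
        print(f"  {fid:4} {score:6.2f}{note}")
```

Run stand-alone, the script shows the inversion the report is getting at: the 9.8 on a development sandbox drops to the bottom of the context-aware list, while the 7.5 on an exposed, actively exploited payments API moves to the top, and the finding on the host with no inventory record is surfaced for review rather than lost in the middle. The multipliers are assumptions; the point is that severity alone determines the order only when every asset is worth the same.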

Board engagement

Cyber risk is being reported to executive leadership in most organisations, with 90% providing updates to the board. However, the substance of reporting is often lacking in business relevance - only 18% use integrated risk scenarios, and just 14% tie these reports to financial quantification. Business stakeholders outside security are included in these discussions less than half the time (43%), and finance teams are involved in only one in five cases (22%).

Top cyber threats

The survey also identified the human factor as a key dimension of risk. Phishing, ransomware, and insider threats are cited as the top three concerns for digital assets. This highlights the importance of user education and the incorporation of identity-aware risk management strategies to mitigate potential threats driven by end-user behaviour.

The report suggests that despite significant efforts and investments, many organisations have yet to fully integrate business context into their cyber risk assessment and mitigation activities, pointing to a continuing evolution of cyber risk management practices in the years ahead.
