Only 18% of companies use integrated risk scenarios aligned with business impact, finds new Qualys–Dark Reading study
A new report from Qualys and Dark Reading reveals that while cybersecurity investments and formal risk programs are increasing across enterprises, most organizations still fail to tie cyber risks to business impact, which undermines the effectiveness of those investments.
The 2025 State of Cyber-risk Assessment shows that 49% of surveyed organizations now have formal cyber risk programs, yet only 18% use integrated risk scenarios that factor in business-critical processes, financial losses, or risk transfer strategies like insurance. This misalignment is causing cybersecurity ROI to stagnate or decline.
According to the report, 71% of organizations say their cyber risk exposure is either increasing (51%) or unchanged (20%), despite rising budgets. Only 6% have seen a decrease in risk.
“Static assessments, siloed telemetry, and CVSS-based prioritization have reached their limit. Each risk management program must reflect the business it protects.”
— Mayuresh Ektare, VP, Product Management, Qualys
Asset visibility, a foundational element of cyber defense, remains a major blind spot. While 83% of organizations perform regular asset inventories, only 13% do so continuously, and nearly half still rely on manual processes. Incomplete asset inventories rank among the top barriers to effective cyber-risk management.
Another key issue is outdated risk prioritization. Nearly one in five organizations still rely on CVSS scores alone, despite growing adoption of integrated risk scoring that includes threat intelligence and loss forecasting. Only 18% update asset risk profiles monthly.
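The difference between CVSS-only prioritization and the integrated risk scoring the report describes is easiest to see on concrete findings. The following script is an added illustration, not code from the report or from Qualys; the multipliers, the four sample findings, their loss estimates and the 30-day refresh cadence are all constructed assumptions. It ranks the same findings two ways (by CVSS base score alone, and by expected loss once threat intelligence, exposure from the asset inventory and a business loss estimate are factored in) and flags risk profiles that have not been refreshed monthly.

```python
from __future__ import annotations
from dataclasses import dataclass

# Threat-intelligence and exposure multipliers. These are illustrative
# assumptions for this example, not values from the Qualys/Dark Reading report.
EXPLOITED_MULTIPLIER = 2.0   # threat intel shows active exploitation in the wild
EXPOSED_MULTIPLIER = 1.5     # asset is reachable from the internet
INTERNAL_MULTIPLIER = 0.5    # asset is reachable only from inside the network


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, enriched with inventory and threat-intel context."""
    finding_id: str
    cvss: float              # CVSS base score, 0.0-10.0
    exploited_in_wild: bool  # threat-intel evidence of active exploitation
    internet_exposed: bool   # exposure taken from the asset inventory
    est_loss_usd: float      # business-estimated loss if this asset is compromised
    profile_age_days: int    # days since the asset's risk profile was last updated


def likelihood(f: Finding) -> float:
    """Rough probability of compromise: CVSS severity adjusted by threat intel and exposure, capped at 1."""
    p = f.cvss / 10.0
    p *= EXPLOITED_MULTIPLIER if f.exploited_in_wild else 1.0
    p *= EXPOSED_MULTIPLIER if f.internet_exposed else INTERNAL_MULTIPLIER
    return min(1.0, p)


def expected_loss(f: Finding) -> float:
    """Integrated score: likelihood times estimated business loss, in USD."""
    return likelihood(f) * f.est_loss_usd


def rank_by_cvss(findings) -> list[str]:
    """CVSS-only prioritization: highest base score first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_expected_loss(findings) -> list[str]:
    """Integrated prioritization: highest expected loss first."""
    return [f.finding_id for f in sorted(findings, key=expected_loss, reverse=True)]


def stale_profiles(findings, max_age_days: int = 30) -> list[str]:
    """Findings whose asset risk profile has not been refreshed within the chosen cadence."""
    return [f.finding_id for f in findings if f.profile_age_days > max_age_days]


# Constructed sample findings (hypothetical assets, losses and ages).
SAMPLE_FINDINGS = [
    Finding("F1", 9.8, False, False, 5_000.0, 120),     # critical CVSS on an isolated lab host
    Finding("F2", 7.5, True, True, 2_000_000.0, 7),     # exploited in the wild, internet-facing payment API
    Finding("F3", 6.5, True, False, 300_000.0, 45),     # exploited in the wild, internal HR system
    Finding("F4", 9.1, False, True, 50_000.0, 10),      # critical CVSS on a public marketing site
]

if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss(SAMPLE_FINDINGS))
    print("Expected-loss order: ", rank_by_expected_loss(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=expected_loss, reverse=True):
        print(f"{f.finding_id}: cvss={f.cvss:<4} p={likelihood(f):.2f} "
              f"expected_loss=${expected_loss(f):,.0f}")
    print("Stale profiles (>30 days):", stale_profiles(SAMPLE_FINDINGS))
```

On these inputs the CVSS-only view puts the isolated lab host (F1) first and the actively exploited, internet-facing payment API (F2) third; the expected-loss view reverses that, which is the kind of business-aligned ordering the report argues for. The loss estimates are the part that needs finance input, and the staleness check is only meaningful if the inventory feeding it is kept current.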
Boards are demanding more relevant insights—but they’re not getting them. While 90% of organizations report to the board on cyber risk:
- Only 18% use integrated scenarios
- Just 14% tie reports to financial risk
- Only 22% include finance teams in the conversation
To address these challenges, Qualys advocates for a Risk Operations Center (ROC) model—an approach that combines threat intelligence, asset context, and continuous telemetry under a single operational framework.
“Cyber risk must be understood and communicated like business risk,” said Ektare. “That means moving beyond patch counts to understanding what’s at stake, what’s vulnerable, and what actions will make the greatest impact.”
The report calls for better business alignment, smarter risk prioritization, and board-level reporting in terms that matter—risk to revenue, operations, and reputation.