Why Cyber Risk Management Still Lacks Business Maturity Despite Rising Investments
Despite higher investment, 71% of organizations say their cyber risk exposure is either increasing (51%) or holding steady (20%).
As digital transformation accelerates across the Middle East, organizations are investing heavily in cybersecurity. Yet, new research from Qualys, in collaboration with Dark Reading, reveals that spending alone is not enough to reduce cyber risk — or align it meaningfully with business objectives.
The 2025 State of Cyber-Risk Assessment report shows that while 49% of organizations now have formal cybersecurity risk programs, only 18% use integrated risk scenarios that reflect the actual business impact of cyber threats. Most programs still lack the maturity, context, and executive engagement needed to truly influence enterprise decision-making.
“Cyber risk is rising, but current methods are not effectively reducing that risk by prioritizing the actions that would make the greatest impact,” said Mayuresh Ektare, Vice President of Product Management at Qualys. He warned that traditional models such as siloed telemetry and severity-based scoring systems have reached their limits. “Every business is unique; hence, each risk profile and risk management program should also look unique to the organization.”
Despite higher investment, 71% of organizations say their cyber risk exposure is either increasing (51%) or holding steady (20%). Only 6% report any decrease. Many cyber risk programs remain in early development: 43% have existed for less than two years, and 19% are still being planned. Only 30% align cybersecurity priorities directly with business goals.
Visibility into what needs protection is also lagging. While 83% of organizations conduct asset inventories, only 13% can do so continuously. Nearly half still rely on manual processes, and 41% cite incomplete inventories as a top barrier to managing cyber risk.
The problem extends to risk prioritization and reporting. While 68% of companies are starting to adopt integrated risk scoring methods such as cyber risk quantification and threat intelligence, 19% still rely solely on CVSS-based scoring. Just 18% of organizations update asset risk profiles monthly.
Forward-thinking organizations are shifting toward a more proactive model. “Forward-leaning teams are adopting a Risk Operations Center (ROC) model — a technical framework that continuously correlates vulnerability data, asset context, and threat exposure under a single operational view,” Ektare noted. This model enables risk to be communicated and managed in business-relevant terms.
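The contrast the report draws between CVSS-only scoring and an integrated view (vulnerability severity correlated with asset context and threat exposure) is easiest to see on a small data set. The following is an added illustration, not Qualys's scoring model and not code from the report: the weights, the sample findings and the `CVE-PLACEHOLDER-*` identifiers are all constructed assumptions. It ranks the same four findings twice, once by CVSS alone and once by a score that also folds in business criticality, internet exposure and whether exploitation has been observed, and shows that the two orderings disagree.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one asset (all fields are constructed sample data)."""
    asset: str
    vuln_id: str          # placeholder identifiers, not real CVE numbers
    cvss: float           # base severity, 0.0 to 10.0
    criticality: int      # business criticality of the asset, 1 (low) to 5 (crown jewel)
    internet_facing: bool  # asset context: reachable from the internet
    known_exploited: bool  # threat intelligence: exploitation observed in the wild


# Constructed sample inventory. Note that the two highest-CVSS items sit on
# low-value, internal-only assets with no known exploitation.
FINDINGS: List[Finding] = [
    Finding("hr-portal",    "CVE-PLACEHOLDER-1", 9.8, 2, False, False),
    Finding("payments-api", "CVE-PLACEHOLDER-2", 7.5, 5, True,  True),
    Finding("dev-sandbox",  "CVE-PLACEHOLDER-3", 9.1, 1, False, False),
    Finding("customer-db",  "CVE-PLACEHOLDER-4", 6.5, 5, False, True),
]


def cvss_only_score(f: Finding) -> float:
    """Severity-based scoring: the CVSS base score is the whole story."""
    return f.cvss


def integrated_score(f: Finding) -> float:
    """Illustrative integrated score (assumed weights, not a standard):

    likelihood = normalised CVSS x exposure factor x threat factor
    impact     = normalised business criticality
    score      = 100 x likelihood x impact
    """
    exposure = 1.0 if f.internet_facing else 0.5
    threat = 1.0 if f.known_exploited else 0.3
    likelihood = (f.cvss / 10.0) * exposure * threat
    impact = f.criticality / 5.0
    return 100.0 * likelihood * impact


def rank(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Return asset names ordered from highest to lowest score under `scorer`."""
    return [f.asset for f in sorted(findings, key=scorer, reverse=True)]


def rankings_disagree(findings: List[Finding]) -> bool:
    """True when CVSS-only and integrated prioritisation produce different orders."""
    return rank(findings, cvss_only_score) != rank(findings, integrated_score)


if __name__ == "__main__":
    print("CVSS-only order:  ", rank(FINDINGS, cvss_only_score))
    print("Integrated order: ", rank(FINDINGS, integrated_score))
    for f in sorted(FINDINGS, key=integrated_score, reverse=True):
        print(f"{f.asset:13s} cvss={f.cvss:4.1f} integrated={integrated_score(f):5.1f}")
```

Under CVSS alone the internal HR portal and the developer sandbox come first; under the integrated score the internet-facing, actively exploited payments API and the crown-jewel customer database move to the top. That reordering is the practical content of "prioritizing the actions that would make the greatest impact": the severity number has not changed, only the context around it.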
However, that communication gap remains a challenge. Although 90% of companies report cyber-risk findings to their boards, only 14% tie those findings to financial exposure. Business stakeholders are involved in fewer than half of these conversations, and finance teams in just 22%.
To close these gaps, the report recommends a business-centric approach to cyber risk:
- Focus on protecting business-critical assets, not just vulnerabilities.
- Prioritize risks based on financial impact and resource efficiency.
- Build telemetry from across the enterprise — not just security scans.
- Adopt proactive models like the ROC to forecast and mitigate risk.
- Translate cyber risk into financial terms for board-level reporting.
As cyber threats grow more complex, organizations must evolve beyond compliance and controls. Strategic risk management requires context, clarity, and executive engagement, or investments will fail to deliver meaningful returns.