Cybersecurity continues to be a strategic priority for organizations, but efforts do not always translate into an effective reduction of risk. This is highlighted by the latest report prepared by Qualys in collaboration with the publication Dark Reading, which gathers the opinions of more than a hundred security leaders at companies around the world. Under the title “The State of Cyber Risk 2025”, the study reveals a worrying fact: 71% of organizations admit that their risk exposure has stayed the same or even increased, despite having raised their protection budgets.
Most companies have started some type of formal strategy to address risk management, but many of them have done so only recently. Almost half (49%) have established programs, although 43% of those programs are less than two years old. This indicates an early and still insufficient degree of maturity in the face of an increasingly sophisticated and constant threat.
The evolution of these programs has not yet managed to reverse the trend. More than half of the respondents (51%) state that their level of exposure continues to increase, compared with just 6% who claim to have reduced it.
For Sumedh Thakar, CEO of Qualys, “The boards of directors no longer want dashboards: they want clear answers about how much risk is being reduced and where they must focus their efforts.” In his opinion, the key is to understand which assets are critical and which vulnerabilities directly impact the business: “If that is not understood, investments will still not offer a return.”
A new Qualys study warns of a worrying lack of alignment between cybersecurity policies and business objectives
The report insists that the greatest challenge does not lie in a lack of technological solutions, but in the difficulty of connecting cybersecurity policies with business objectives. One of its clearest recommendations is to move towards integrated models that allow risk to be expressed in financial terms, thus facilitating decision-making at the executive level.
Poorly tracked assets, misinterpreted metrics
Asset management remains a key piece, and also a bottleneck. Although 83% of organizations claim to take periodic inventories, only 13% do so continuously. In addition, 47% continue to depend on manual processes, which not only slows down operations but also makes it difficult to have an accurate view of the technology environment. In fact, 40% of respondents recognize that incomplete inventories are one of the main obstacles to effective risk management.
As for metrics, although 68% of organizations already integrate variables such as threat intelligence or impact analysis, almost 20% continue to classify vulnerabilities solely by their technical (CVSS) score, which prevents them from setting realistic priorities from the business point of view.
Communicating risk: still an unresolved issue
The study also highlights the importance of translating technical language into business language. Although 97% of companies say they inform senior management about the state of risk, only 35% include estimates of the economic impact. The most common reports cover the overall risk level (56%), the cybersecurity plan (54%) or the critical threats detected (48%), but fail to quantify how those risks could affect the organization financially.
