Qualys State of Cyber Risk Assessment Report

July 21, 2025

Cyber-risk management is on the cusp of a new age in maturity. The security industry is still mired in trench warfare — spreading efforts far and wide but not deep. This won’t stand against modern chaotic actors and adversaries armed with AI bent on infiltrating your ranks to target your most valuable assets. While some defenders are changing strategy — focusing their limited resources on what the business stands to lose — most remain stuck in a war of inches they can’t possibly win. Cybersecurity is moving beyond the era where vulnerability remediation and asset risks are managed solely based on the criticality of the flaw. Unfortunately, many organizations still do not excel at examining risk based on business context — that is, understanding the value-at-risk in terms of one’s critical assets.

Results from the 2025 State of Cyber-risk Assessment report show that awareness is growing for business-focused cybersecurity risk management. Nearly half of organizations today have a formal program, and more are on the horizon. The majority of organizations today do some kind of periodic asset discovery, and a growing share assess risk to those assets using contextual factors beyond the vulnerability severity reported in scan results. These results are promising, but they also show that most organizations still have significant ground to cover on the cyber-risk management maturity journey.

Many respondents said their risk levels are rising due to the increasing volume and sophistication of attacks, the growth in exposure from expanding asset portfolios, and the complexity of infrastructure from areas like cloud and AI/ML applications. At the same time, there’s still a high reliance on manual work. Most businesses focus on vulnerability criticality informed by threat intelligence. However, they do so without considering business context around assets. This means they’re still not prioritizing work in a way that meaningfully reduces business risk over time.

Just 18% of organizations use integrated risk scenarios that focus on business-impacting processes, showing how investments manage the likelihood and impact of risk quantitatively, including risk transfer to insurance. This is a key deficiency, as business stakeholders expect the CISO to focus on business risk.

Price: FREE

About the Provider

Qualys
Qualys, Inc. provides cloud security, compliance and related services and is based in Foster City, California.