Future Cyber Threat Landscape in 2025: Importance of Business Understanding
In a recent research study, interviews were conducted with over 100 IT and cybersecurity leaders across various industries, shedding light on the current state of cyber risk management. The findings reveal a mixed picture, with some progress being made, but also areas that require significant improvement.
A key finding is that many organizations are still treating cyber risk as a technical problem rather than a business one. This approach can lead to ineffective risk management strategies and inadequate protection against potential threats.
To address this issue, the ROC (Risk Operations Center) model offers a promising path forward. This model is designed to manage cyber risk in a manner that aligns with how businesses understand and expect it to be managed. The ROC model continuously tracks cyber risk, scores vulnerabilities based on their impact on the business, guides investments by quantifying outcomes, and ties security KPIs to business risk reduction.
The ROC model also allows teams to drill into risk by environment, business function, or asset type. It prioritizes action based on potential financial or operational exposure and tracks progress against defined thresholds of acceptable risk.
However, despite organizations' best efforts, many security investments are failing to yield significant results. This is often due to a lack of unified visibility and prioritization strategy. To overcome this challenge, the ROC model provides a centralized view of enterprise risk in the context of what matters to the business.
Another crucial aspect of effective cyber risk management is understanding the business role of the assets being inventoried. Unfortunately, security teams still struggle to translate operational data into business-aligned insights.
The report also highlights the importance of involving business stakeholders more in cyber risk discussions. Currently, business stakeholders are involved in these discussions less than half the time (43%). To improve this, leading organizations are replacing severity-first models with integrated, contextual scoring that considers exploitability, asset importance, and downstream business effect.
Moreover, risk prioritization needs to go beyond single scoring methods like CVSS alone. Roughly 68% of respondents use integrated risk scoring or cyber risk quantification with forecasted loss estimates to prioritize risk mitigation actions.
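The following is an added illustration of the contextual scoring and drill-down described above; it is not the ROC model's own scoring logic (the article does not specify one). The criticality scale, the exploitability multipliers, the 20.0 acceptable-risk threshold and the asset inventory and findings are all constructed assumptions. It shows how the same four findings rank differently under CVSS alone versus a score that also weighs exploitability and the business role of the asset, how exposure can be rolled up by business function or environment, and how findings are checked against an accepted-risk threshold.

```python
"""Contextual vulnerability scoring that goes beyond CVSS alone.

Added illustration: weights, criticality scale, threshold and the sample
inventory are constructed assumptions, not the ROC model's own logic.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    environment: str        # "prod" or "dev"
    business_function: str  # which part of the business depends on it
    criticality: float      # assumed scale: 1.0 (low) to 3.0 (mission critical)


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed ids, not real CVE numbers
    asset: Asset
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # known active exploitation reported
    internet_exposed: bool   # reachable from outside the network


# Constructed sample inventory and findings
PAYMENTS_API = Asset("payments-api", "prod", "payments", 3.0)
PAYMENTS_DB = Asset("payments-db", "prod", "payments", 3.0)
HR_PORTAL = Asset("hr-portal", "prod", "hr", 2.0)
BUILD_SERVER = Asset("build-server", "dev", "engineering", 1.0)

FINDINGS = [
    Finding("F-1", BUILD_SERVER, 9.8, False, False),  # critical CVSS, low-value dev host
    Finding("F-2", PAYMENTS_API, 7.5, True, True),    # high CVSS, exploited, exposed, critical asset
    Finding("F-3", HR_PORTAL, 6.5, False, True),
    Finding("F-4", PAYMENTS_DB, 5.3, False, False),
]


def exploitability_factor(f: Finding) -> float:
    """Assumed multipliers: active exploitation and exposure raise likelihood."""
    factor = 1.0
    if f.exploited_in_wild:
        factor *= 1.5
    if f.internet_exposed:
        factor *= 1.3
    return factor


def contextual_score(f: Finding) -> float:
    """Severity x likelihood x business dependence; higher means act sooner."""
    return round(f.cvss * exploitability_factor(f) * f.asset.criticality, 1)


def prioritize(findings: list[Finding], scorer) -> list[str]:
    """Finding ids ordered by the given scoring function, highest first."""
    return [f.finding_id for f in sorted(findings, key=scorer, reverse=True)]


def exposure_by(findings: list[Finding], dimension: str) -> dict[str, float]:
    """Drill into total contextual risk by an Asset attribute
    (e.g. "environment" or "business_function")."""
    totals: dict[str, float] = defaultdict(float)
    for f in findings:
        totals[getattr(f.asset, dimension)] += contextual_score(f)
    return {k: round(v, 1) for k, v in totals.items()}


def above_threshold(findings: list[Finding], threshold: float) -> list[str]:
    """Findings whose contextual score exceeds the accepted-risk threshold."""
    return [f.finding_id for f in findings if contextual_score(f) > threshold]


if __name__ == "__main__":
    print("CVSS-only order:  ", prioritize(FINDINGS, lambda f: f.cvss))
    print("Contextual order: ", prioritize(FINDINGS, contextual_score))
    print("By function:      ", exposure_by(FINDINGS, "business_function"))
    print("Over threshold 20:", above_threshold(FINDINGS, 20.0))
```

With these assumed inputs the CVSS-only ranking puts the dev build server first, while the contextual ranking moves the exposed, actively exploited payments API to the top and the build server to the bottom; the payments function carries the largest rolled-up exposure, and only F-2 breaches the 20.0 threshold. The multipliers and scale are placeholders to be replaced by an organization's own calibrated values.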
The report also points out that only 18% of organizations use integrated risk scenarios when reporting cyber risk findings to the board. This is a concern, as such scenarios can provide valuable insight into potential risks and their impact on the business.
Asset visibility remains one of the biggest blind spots, with only 13% of organizations able to perform continuous asset inventories. This lack of visibility can lead to unidentified vulnerabilities and increased risk.
The report also notes that nearly half (49%) of organizations have a formal cyber risk program, but only 30% prioritize these programs based on business objectives. This indicates a need for a more business-centric approach to cyber risk management.
As of 2025, there is no comprehensive public listing of specific organizations that have yet to establish mature cyber risk management programs that consider business context. However, it is clear that many shipping companies, public authorities, and businesses are under increasing pressure to integrate such programs due to evolving regulations like the EU Cyber Resilience Act and national laws. Some sectors may still be developing these capabilities.
In conclusion, while progress has been made in cyber risk management, there is still a long way to go. The ROC model offers a promising path forward, but organizations must also focus on involving business stakeholders, improving asset visibility, and adopting integrated risk scoring to effectively manage cyber risk in the modern business environment.