Cyber Is One of Many Business Risks
Key Takeaways
- Cyber Is Business Risk: Cyber risk should not be treated in isolation—it must be assessed as part of the broader business risk landscape and linked directly to business objectives.
- Resource Allocation Requires Context: Decisions on cyber investment must be weighed against competing priorities like marketing, product development, compliance, and safety.
- Communication Gaps Persist: While most organizations report cyber issues to the board, very few quantify the risk financially or involve finance leaders in the discussion.
- Formal Programs Lack Business Integration: Nearly half of organizations have formal risk programs, but only a fraction align cyber risk with business outcomes or use integrated risk scenarios.
- Effective Risk Decisions Need Comparability: Business leaders require comparable, financially quantified risk data across all domains to make sound, strategic decisions.
Deep Dive
In Norman Marks’ latest piece, he dives into the persistent misconception that cyber risk stands apart from broader business concerns. Drawing on timeless advice from former Protiviti executive Ed Hill and tying in new findings from Qualys’ 2025 cyber risk report, Marks makes the case for breaking down silos and treating cyber as just one of many risks competing for limited resources and executive attention.
The Problem With Isolating Cyber Risk
Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression: “There is no such thing as IT risk. There is only business risk.”
Yet people still talk about quantifying cyber risk in a silo. They talk about “risk to information assets” instead of risk to the achievement of business objectives. Cyber is just another business risk. It needs to be quantified in a way that:
- Enables leaders to decide whether to make further investments in cyber at the expense of investing in marketing or new product development.
- Helps people consider cyber as one of several risks relevant to their business decision.
Remember, money doesn’t grow on trees. An investment in one area means those resources cannot be used in another, and decisions have to consider several sources of risk, not just one. Deciding what to do about each risk separately, in a silo, is not the best way to run a business.
A recent post in Intelligent CISO makes some good points before failing. Despite increasing investment in cybersecurity, a new 2025 Qualys report reveals that most organizations still struggle to link cyber risk to real business impact—leaving boardrooms with a blind spot in decision-making.
According to the State of Cyber Risk Assessment 2025 report by Qualys in partnership with Dark Reading, while nearly half of organizations now have a formal risk management program, a staggering number still lack the ability to translate technical vulnerabilities into meaningful business decisions.
The report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programs, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.
“Every business is unique; hence, each risk management program must be tailored to reflect that reality,” Ektare noted. “The old one-size-fits-all, CVSS-driven approach doesn’t work anymore.”
Adding to the concern is how cyber risks are being communicated at the executive level. While 90% of organizations report cyber findings to the board, just 14% quantify those risks financially, and only 22% involve finance teams in discussions. The gap between technical risk and strategic consequence remains stark.
The report’s key message is clear: current cybersecurity efforts, though well-intentioned, often fall short where it matters most—business value. Risk data needs to be translated into stories that resonate with CFOs, CEOs, and boards. Otherwise, cyber will remain a technical silo, detached from enterprise priorities.
But then the report drifts back into a cyber silo. It’s simply not enough to say there is a potential for this or that level of financial loss and present that to the board as justification for further investment. The board has the total business to consider. It has to decide where and how much to invest among competing demands for resources.
For example, the CFO says that the company has a $25 million capital expenditure budget, but:
- The CISO explains that his team have used the FAIR framework, which is recognized as one of—if not the—best in the industry, to measure the level of cyber risk. It is rising. It has increased 10% over the last year as hackers are using AI to find and exploit vulnerabilities. There is now at least a 10% likelihood of a financial loss of $20 million over the next twelve months, and a 5% likelihood of a loss that exceeds $50 million. $10 million is needed to reduce the likelihood and impact to acceptable levels, halving the level of risk.
- The CCO reports that a further investment of $10 million is needed to address the risk that the company will be in violation of US import tax and tariff regulations. A violation could cost the company not only financial penalties but significantly affect revenues.
- The CMO says that they need to increase marketing spend by at least $10 million to match heightened spending by competitors. Without it, revenues could drop by $50 million.
- The VP of Strategy asks for $10 million to acquire a small company that has technology that fits well with and will enhance their own products. The first-year ROI calculated for that spend is 27%.
- The Head of Safety wants $10 million to upgrade processes and technology to keep employees safe. He says you cannot put a value on human life or the loss of a limb. The likelihood of a serious incident is rising because insufficient investment has been made in the past.
- The CIO proposes $10 million to deploy AI across the organization, which will cut operating costs by $5 million and increase revenues by $15 million in the first year. Those figures should double in the next year.
Deciding whether to invest $10 million in cyber without considering the context of other business needs is not good business. An intelligent business decision needs to take all of the above into account—and more. That requires each business risk to be assessed in comparable ways.
Are you making decisions about treating risk while sitting in a silo?