
Cyber Risk Management: The 2026 Enterprise Guide

A manufacturing firm believed it had done all the right things. It had Microsoft protection on the endpoints, multi-factor authentication, quarterly audits and the dreaded security awareness program.

Despite all of that, a ransomware attack left two operations out of the company's control for almost 36 hours. The entry point was a third-party remote access service that an internal team used and only superficially monitored.

What stuck with me wasn't the technical failure. It was the CFO asking a question that nobody in the room could answer without fumbling, and a question nobody else had thought to ask.

“What was the amount of cyber risk that we had prior to this incident occurring?”

That is the uncomfortable truth about Cyber Risk Management today. Most companies aren't in trouble because they don't know enough about cybersecurity. They are limited by their inability to connect technical exposure to business impact until an expensive incident forces the conversation.

That gap is widening, and by 2026 it will be hard to close. Boards want risk visibility they can measure. Insurers are tightening their requirements. Regulators increasingly expect documented governance rather than a “best effort” security program.

Yet many organisations are still managing cyber risk as if it were 2018.

The companies spending the most are not always the safest

One of the things I've found most interesting in the enterprise world is that a bigger security budget does not reliably mean lower risk.

Sometimes it does the opposite: it makes operations more confusing.

I worked with a retail company that ran more than 40 different security tools across cloud monitoring, identity management, email protection, vulnerability scanning and SIEM. Because the security team spent so much time maintaining all of those platforms, its ability to respond to incidents suffered.

That is more common than vendors will admit.

According to IBM's Cost of a Data Breach Report, organizations that invested heavily in security AI and automation saw significantly lower breach costs than those without a mature automation program. It was not about the number of tools. It was about the maturity and integration of the response.

That distinction matters.

A fragmented security environment breeds silos. Cloud teams assume a problem belongs to the identity team. Identity teams assume the endpoint team has already handled it. Meanwhile, attackers move through those organisational gaps, and many enterprises are unable to detect them.

In today's ever-changing threat landscape, the risk is not always easy to spot. It lives in the space between systems.

Why Cyber Risk Management became a boardroom issue

Ten years ago, many boards saw cybersecurity as an IT budget line. That view is disappearing fast, because the financial consequences of a cyber incident can no longer be separated from business performance.

The downstream business impact of the Change Healthcare cyberattack on UnitedHealth Group went far beyond operational disruption; it was a major challenge for the whole organization. Healthcare payment systems slowed, pharmacies saw payment delays, and financial stress trickled down the chain of organizations that depend on funds from that payment system.

That is the risk of the modern enterprise.

Cybersecurity now directly affects:

  • operational continuity
  • revenue flow
  • legal exposure
  • customer trust
  • insurance costs
  • merger activity
  • vendor relationships

In many enterprises, cybersecurity is now tied directly to strategic planning discussions instead of sitting quietly inside infrastructure meetings.

I believe that is why frameworks such as NIST CSF 2.0 took off with executives. They help translate technical exposure into governance language that leadership teams can act on.

Not perfectly.

But nobody outside the SOC can make sense of a spreadsheet of vulnerability counts.

Most risk scoring models still miss the business context

The mistake I keep seeing is organizations treating every vulnerability as if it carried the same criticality.

On paper that looks responsible. In practice it doesn't work.

A serious bug in an in-house development environment doesn't necessarily pose a greater threat than a medium-severity identity weakness tied to privileged access in production. Yet many security teams still prioritise by scanner severity rather than by real exposure.

The result is wasted effort in one place and delay where action is actually needed.

One cloud migration project comes to mind: teams spent days patching low-value systems because the vulnerability dashboard put those findings at the top of the list. Meanwhile, stale admin accounts with access to a business-critical Azure environment stayed in place, because they never produced a dramatic-looking severity score.

That mismatch worries me more than the unpatched servers.

Today, Cyber Risk Management has to prioritise in context, assessing:

  • asset criticality
  • business dependency
  • identity exposure
  • attack path potential
  • recovery complexity
  • vendor connectivity

Not every technical problem deserves the same weight.
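To make the contrast concrete, here is a small context-aware prioritisation model, written as an added example for this guide rather than taken from any product or from the author. It takes a scanner severity and the six context factors listed above, and ranks findings by business risk instead of by raw score. The weights, field names and the three sample findings are constructed assumptions, chosen so that a critical bug in a dev environment ends up below a medium-severity stale admin account in a business-critical production tenant.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    """One vulnerability or exposure finding enriched with business context.

    Field names and ranges are assumptions for this example.
    """
    finding_id: str
    title: str
    scanner_severity: float    # CVSS-style score 0.0-10.0 as reported by the scanner
    asset_criticality: int     # 1 (lab/dev) .. 5 (revenue-critical production)
    business_dependency: int   # 1 .. 5, how many business functions rely on the asset
    privileged_identity: bool  # finding involves admin or other privileged access
    attack_path: bool          # asset is internet-reachable or bridges into production
    recovery_hours: float      # estimated time to restore the asset if it is lost
    vendor_connected: bool     # asset is reached through or exposed to third-party access


def context_score(f: Finding) -> float:
    """Business-risk score: scanner severity scaled by business context.

    The score is unbounded; only the relative ordering matters for prioritisation.
    Multipliers and the recovery bonus are illustrative weights, not a standard.
    """
    base = f.scanner_severity / 10.0                       # 0.0 .. 1.0
    context = (f.asset_criticality + f.business_dependency) / 10.0  # 0.2 .. 1.0
    score = base * context * 100
    if f.privileged_identity:
        score *= 1.5   # privileged identity exposure is the most direct path to impact
    if f.attack_path:
        score *= 1.3   # reachable assets get exploited; isolated ones rarely do
    if f.vendor_connected:
        score *= 1.2   # third-party access paths are monitored least
    # Recovery complexity adds up to 20 points for assets that take ~3 days to rebuild.
    score += min(f.recovery_hours / 72.0, 1.0) * 20
    return round(score, 1)


def scanner_order(findings: List[Finding]) -> List[Finding]:
    """The naive ordering most dashboards give you: highest scanner severity first."""
    return sorted(findings, key=lambda f: f.scanner_severity, reverse=True)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Context-aware ordering: highest business-risk score first."""
    return sorted(findings, key=context_score, reverse=True)


# Constructed sample findings (not real CVEs or real systems).
DEV_CRITICAL = Finding(
    "F-001", "Critical RCE in internal build server (dev network)",
    scanner_severity=9.8, asset_criticality=1, business_dependency=1,
    privileged_identity=False, attack_path=False, recovery_hours=2, vendor_connected=False,
)
STALE_ADMIN = Finding(
    "F-002", "Stale Global Administrator account, production Azure tenant",
    scanner_severity=5.5, asset_criticality=5, business_dependency=5,
    privileged_identity=True, attack_path=True, recovery_hours=48, vendor_connected=False,
)
VENDOR_REMOTE = Finding(
    "F-003", "Unmonitored third-party remote access tool on plant operations host",
    scanner_severity=6.0, asset_criticality=5, business_dependency=4,
    privileged_identity=False, attack_path=True, recovery_hours=36, vendor_connected=True,
)
SAMPLE_FINDINGS = [DEV_CRITICAL, STALE_ADMIN, VENDOR_REMOTE]


if __name__ == "__main__":
    print("Scanner order:", [f.finding_id for f in scanner_order(SAMPLE_FINDINGS)])
    print("Context order:", [f"{f.finding_id}={context_score(f)}" for f in prioritize(SAMPLE_FINDINGS)])
```

Run stand-alone, the scanner ordering puts the dev-network RCE first, while the context ordering puts the stale production admin account first and the vendor remote access tool second. The point is not the specific weights; it is that the ranking changes as soon as identity exposure, attack path and recovery cost are part of the equation.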

This is where tools such as Palo Alto Networks Cortex XSIAM and CrowdStrike Falcon Exposure Management are gaining attention. Organizations increasingly want visibility not just into their alerts, but into how those alerts affect the business.

That change is long overdue.

 


Cloud adoption quietly changed the entire risk equation

Many companies still talk about cyber risk in perimeter-era terms.

That’s a model that is disappearing in a hurry.

When workloads are spread across AWS, Azure, SaaS applications, remote endpoints, contractors, APIs and unmanaged identities, the traditional network boundary matters far less. Risk is now distributed in ways nobody fully tracks.

I saw this at a regional financial services company that successfully rolled out a hybrid cloud. They put a great deal of work into modernizing firewalls but underestimated SaaS exposure and third-party OAuth permissions. Six months later, the biggest internal concern wasn't network intrusion. It was uncontrolled privilege escalation across cloud applications.

That is the trend now taking hold.

According to Verizon's Data Breach Investigations Report, credential abuse and social engineering remain leading causes of breaches. Identities are an increasingly popular target because a compromised identity lets an attacker operate without the visibility that malware generates.

That is why identity security and cyber risk management are converging in practice.

They can no longer be separated cleanly.

What mature Cyber Risk Management actually looks like in 2026

Mature programs don't obsess over eliminating all risk. That goal is impossible.

They focus on business resilience: minimising disruption through faster recovery, greater visibility and a stronger organisation.

It may not sound like a big difference, but it is. Mature security teams share a few qualities I have seen repeatedly.

They map technical systems to business functions

It is striking how many businesses cannot say which of their applications directly affect revenue-critical processes.

Without that mapping, prioritisation is guesswork.

They evaluate vendors continuously

Once-a-year third-party risk reviews are increasingly futile.

Today's vendor ecosystem is dynamic. Privileged access creeps upward without anyone noticing. Shadow integrations accumulate slowly over time. SaaS tools bring exposure nobody has recognised.

They involve finance and operations teams early

The strongest security programs bring operational and financial stakeholders into risk decisions before incidents happen, not after.

Otherwise the security team spends years arguing for risk reduction in abstract terms.

They measure recovery capability honestly

Backup systems often look excellent during audits.

Real recovery exercises tell a very different story.

One logistics company I worked with discovered during testing that several supposedly protected cloud workloads were excluded from automated backup policies after a migration project changed storage architecture months earlier.

Nobody noticed until the exercise exposed it. That kind of operational drift creates hidden risk everywhere.

The market still misunderstands cyber resilience

One of the most harmful ideas in enterprise security is that the sole focus should be preventing breaches.

Prevention matters. But resilience is increasingly what decides whether an organisation survives an incident.

Organizations with strong prevention controls can still fall apart during an incident because recovery planning, communication planning and dependency mapping were never coordinated. Companies with weaker defenses, on the other hand, often recover surprisingly well because they had a mature resilience plan.

That is why regulators and insurers are now more interested in operational resilience metrics than in control checklists alone.

The conversation has shifted from:

“What are we to do to prevent all attacks?”

to:

“When the controls fail, how do we keep operating?”

That is much more of a realistic question.

A practical Cyber Risk Management exercise worth doing this week

Most enterprises don't need another ‘theoretical framework’ discussion right now.

They need visibility.

This week, pick one business-critical application and trace every dependency it has. Not just servers. Everything.

Document:

  • privileged accounts
  • SaaS integrations
  • backup dependencies
  • cloud storage connections
  • third-party vendor access
  • MFA enforcement status
  • administrative ownership
  • incident recovery responsibilities

You will almost certainly find at least one unowned dependency.
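The checklist above becomes far more useful once it is written down in a form you can re-run after every migration or vendor change. The snippet below is an added example for this guide, not the author's own tooling: it models the dependency inventory for one constructed application and flags the gaps a practitioner looks for, treating "unknown" the same as "missing". The dependency kinds, field names and the sample "Order Management" inventory are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Dependency:
    """One dependency of a business-critical application (fields are assumptions)."""
    kind: str                               # privileged_account | saas_integration | backup
                                            # | cloud_storage | vendor_access
    name: str
    owner: Optional[str]                    # accountable team; None if nobody claims it
    mfa_enforced: Optional[bool] = None     # accounts / vendor access; None = not confirmed
    in_backup_policy: Optional[bool] = None # storage only; None = not confirmed
    recovery_owner: Optional[str] = None    # who restores it during an incident


@dataclass
class Application:
    name: str
    dependencies: List[Dependency] = field(default_factory=list)


NEEDS_MFA = {"privileged_account", "vendor_access"}
NEEDS_BACKUP = {"cloud_storage"}
NEEDS_RECOVERY_OWNER = {"cloud_storage", "backup"}


def find_gaps(app: Application) -> List[str]:
    """Return one line per gap. An unconfirmed control (None) counts as a gap:
    if nobody can prove MFA or backup coverage, assume it is not there."""
    gaps: List[str] = []
    for d in app.dependencies:
        if not d.owner:
            gaps.append(f"UNOWNED: {d.kind} '{d.name}' has no administrative owner")
        if d.kind in NEEDS_MFA and d.mfa_enforced is not True:
            gaps.append(f"NO-MFA: {d.kind} '{d.name}' does not enforce (or cannot confirm) MFA")
        if d.kind in NEEDS_BACKUP and d.in_backup_policy is not True:
            gaps.append(f"NOT-BACKED-UP: {d.kind} '{d.name}' is not covered by a backup policy")
        if d.kind in NEEDS_RECOVERY_OWNER and not d.recovery_owner:
            gaps.append(f"NO-RECOVERY-OWNER: {d.kind} '{d.name}' has nobody assigned to restore it")
    return gaps


def gap_summary(app: Application) -> Dict[str, int]:
    """Count gaps by category, e.g. {'UNOWNED': 2, 'NO-MFA': 2, ...}."""
    counts: Dict[str, int] = {}
    for line in find_gaps(app):
        category = line.split(":", 1)[0]
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample inventory; names and teams are invented for the example.
ORDER_MANAGEMENT = Application("Order Management", [
    Dependency("privileged_account", "svc-orders-admin", owner="Platform team", mfa_enforced=False),
    Dependency("privileged_account", "azure-global-admin-legacy", owner=None),          # stale, nobody claims it
    Dependency("saas_integration", "Payments SaaS (OAuth app)", owner="Finance systems"),
    Dependency("vendor_access", "MSP remote support tool", owner=None, mfa_enforced=True),
    Dependency("cloud_storage", "orders-archive (blob)", owner="Data team",
               in_backup_policy=False, recovery_owner="Data team"),                    # dropped after a migration
    Dependency("backup", "nightly snapshot policy", owner="Infra team", recovery_owner="Infra team"),
])


if __name__ == "__main__":
    for line in find_gaps(ORDER_MANAGEMENT):
        print(line)
    print(gap_summary(ORDER_MANAGEMENT))
```

On the sample inventory this reports five gaps: two unowned dependencies (the legacy admin account and the MSP remote access tool), two accounts without confirmed MFA, and one storage account that fell out of the backup policy. Keeping the inventory in version control and re-running the check after each change is what turns a one-off exercise into a standing control.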

In nearly every risk assessment I have been part of, I found some part of the environment with entry points or operating assumptions I didn't know about.

Usually several.

That exercise does more for real security awareness than another generic awareness program.

The AI factor is complicating enterprise risk faster than many leaders realize

With the rise of AI, a new class of governance challenges is emerging that many security programs were never built to address.

Staff are feeding sensitive internal data into AI tools without knowing what is retained, what is used for training, or which regulatory requirements apply to that material. AI-generated code can introduce security flaws or licensing problems, and development teams are under pressure to ship as quickly as possible.

Meanwhile, attackers are using AI to craft more personalized phishing, automate reconnaissance and accelerate social engineering.

The speed gap between the two sides is already apparent.

I believe many businesses don't yet grasp how quickly AI governance will turn from an innovation discussion into a cyber risk discussion.

Especially in highly regulated sectors.


Why smaller organizations sometimes manage risk better than enterprises

I'm sorry to say it, but at times smaller businesses make quicker and wiser security decisions simply because their organisations are less complex.

Fewer approval layers. Fewer disconnected tools. Less political conflict over ownership.

A mature IDG program and a disciplined cloud architecture not burdened by years of legacy technical debt can sometimes make a mid-sized SaaS company more secure than a large enterprise.

Scale creates capability. It also creates complexity. And complexity breeds risk, even when budgets grow at the same rate.

Where enterprise security leaders should focus next

I don't believe the future of cybersecurity belongs to the organizations that collect the most tools.

It belongs to organizations that understand their operational dependencies well enough to make fast, intelligent security decisions grounded in the business.

That requires security teams to think differently than they do when chasing vulnerabilities and alerts.

They have to learn the workings of the business.

The organizations improving fastest treat risk reduction as one connected program rather than addressing each area as a separate topic.

That shift is hard to make. It is also becoming imperative.

And honestly, I believe the companies that still treat cyber risk as just an IT issue in 2026 will spend the next ten years reacting to avoidable operational failures instead of competing.


Author Bio

Rizwan Khalid is an enterprise technology analyst and cybersecurity blogger focused on cyber risk, cloud security, identity governance, and compliance strategy. He writes about the gap between how enterprise security is marketed and how it actually performs inside complex organizational environments.
