Boards Want Answers, Not Dashboards, Says Qualys CEO
Posted: Wednesday, May 27
Karissa Breen, more commonly known as KB, is crowned a LinkedIn ‘Top Voice in Technology’, and widely recognised across the global cybersecurity industry. A serial entrepreneur, she is the co-founder of the TMFE Group, a portfolio of cybersecurity-focused businesses spanning an industry-leading media platform, a specialist marketing agency, a content production studio, and the executive headhunting firm, MercSec. Now based in the United States, KB oversees US editorial operations and leads the expansion of the group’s media footprint across North America, while maintaining a strong presence in Australia, and the broader global market. She is the former Producer and Host of the streaming show 2Fa.tv, and currently sits at the helm of journalism for the group’s flagship arm, KBI.Media, the independent cybersecurity media company. As a cybersecurity investigative journalist, KB hosts her globally-renowned podcast, KBKast, where she interviews leading cybersecurity practitioners, CISOs, government officials including heads-of-state, and industry pioneers from around the world. The podcast has been downloaded in over 65 countries with more than 400,000 global downloads, influencing billions of dollars in cybersecurity budgets. KB is known for asking the hard questions and extracting real, commercially relevant insights. Her approach provides an uncoloured, strategic lens on the evolving cybersecurity landscape, demystifying complex security issues and translating them into practical intelligence for executives navigating risk, regulation, and rapid technological change.


Many organisations are pouring millions into cybersecurity, but according to new research from Qualys, a large share of them still have no real understanding of the business damage a cyberattack could cause.

The findings, released in partnership with Dark Reading, surveyed more than 100 IT and security leaders and revealed a troubling disconnect between cybersecurity spending and actual business readiness. While nearly half of organisations claim to have formal cyber risk programs, only 30% said those programs are aligned to business objectives.

For Sumedh Thakar, the issue is straightforward: many companies still treat cybersecurity as a technology problem instead of a business survival issue.

“Cybersecurity is a risk management exercise for the business,” Thakar said. “Every single dollar we’ve always spent in cybersecurity has been about reducing risk to the business.”

But Thakar said companies are now facing tougher questions from boards and CFOs as cybersecurity budgets continue to surge.

“People are becoming a lot more conscious about how much they’re spending in cyber and then what is the ROI to the business,” he said.

For years, many organisations focused on cybersecurity ‘best practices’ without fully understanding what they were actually protecting or what a breach would cost the business.

Thakar said the industry is now undergoing a major shift away from technical jargon toward discussions centered on operational disruption, financial loss and business continuity.

“I have a risk of being breached, which would cause me this much loss,” Thakar explained. “So is this something I should care about? How much should I care about and how much should I invest in that?”

He cautioned that organisations are still spending heavily securing infrastructure without always understanding whether the investment matches the actual business risk.

“You just spent a million dollars trying to protect $50,000,” he said, describing companies over-engineering defences without assessing the true value of the assets that are at risk.

According to Thakar, in many industries operational outages now pose a far greater threat than bad headlines or ongoing reputational damage.

“If you have a cyber attack that causes an outage and for two days you’re not able to process transactions, that’s a lot more impact on the business,” he said.

One of the strongest findings in the report is that executives are getting more frustrated with technical reporting that fails to explain real business impact.

Thakar said boards do not care about raw vulnerability counts or how many patches have been deployed.

“What they want to know is with everything that you’re doing in terms of transferring risk, mitigating risk, accepting risk, are we at a place where the loss potential is below our risk appetite?” he said.

He also criticised what he called “dashboard tourism,” where organisations generate endless metrics but fail to prioritise remediation effectively.

“You can spend millions of dollars building a visibility dashboard and taking selfies with it, but if you don’t fix it before the attacker does, nobody cares,” Thakar said.

According to the report, only 14% of organisations currently tie cyber risk directly to financial impact, while just 22% involve finance teams in cybersecurity discussions.

Thakar believes that has to change rapidly as boards scrutinise cyber spending more aggressively.

“The CFO speaks the language of money,” he said. “If I give you $350,000, you are going to reduce the possibility of losing $10 million a day by 80%. Sounds like a pretty good deal to me.”

The report also found only 6% of businesses believe cyber risk is actually decreasing, a reflection of expanding attack surfaces, cloud adoption and AI-driven digital transformation.

Thakar said companies are drowning in alerts, findings and vulnerabilities while struggling to prioritise what truly matters.

“If everything is critical, nothing is critical,” he commented.

He warned that companies without a clear risk strategy are effectively fighting an endless battle.

“If you don’t define your risk, by definition, you’re fighting an infinite risk,” Thakar said. “It never feels enough.”

Instead, he believes businesses need to shift gears towards what Qualys calls a ‘Risk Operations Center’, or ‘ROC’, which is designed to continuously assess risk, prioritise the most dangerous exposures and automate remediation.

“If you’re in a fight with AI, you show up to that fight with your Jira ticket, you already lost,” the executive said.

Cybersecurity budgets have expanded dramatically over the past decade, but many organisations are now reaching the limits of what boards are willing to fund without measurable outcomes.

“When you’re 10 million and you want to spend another million, that’s a bigger conversation to have,” Thakar said.

At the same time, boards are weighing cybersecurity investments against AI projects and growth initiatives that promise direct revenue generation.

“When CFOs have to make a decision… if they implement AI the business can grow 3% or 5% of the top line, or do I give this to the security leader who’s saying give me a million dollars and I’ll make it better,” he said.

Thakar said companies that fail to adopt business-driven cyber risk management will increasingly struggle to justify cybersecurity investment altogether.

“You’re going to get a harder and harder time justifying and getting additional investment in cybersecurity,” he warned. “And you will end up just… risk whack-a-mole.”

Watch the full interview here: https://kbi.media/access-granted/qualys-state-of-cyber-risk/
