Get Executives on board with managing Cyber Risk
Cybersecurity has been climbing the corporate ladder over the last several years, making its way into board-level conversations about overall risk management. That’s because organizations depend more than ever on technology to run their everyday operations, making technical and business risk inseparable.
So what do enterprises need to manage those risks? We put that question to more than 3,000 cybersecurity professionals and captured their responses in our Trend Micro Defenders Survey Report 2025. This blog features some of the highlights of our findings, helping paint a clearer picture of how security teams are looking to work with executive leaders to manage cyber risk.
Which threats matter most?
On a daily basis, cybersecurity teams are facing more threats than ever before. Those threats have never been more adaptive, and the environments they target have become increasingly complex to manage. As a result, organizations that are serious about their commitment to manage cyber risk need some way of prioritizing what really matters.
We asked this year’s survey respondents what would most improve their ability to prioritize cyber risks such as vulnerabilities, misconfigurations, exposures, and compliance lapses. By far, the top answer (25%) was enhanced visibility into which assets are most critical and which threats are most relevant in the context of the business.
Other capabilities that respondents said would make a difference for them were more efficient ways of assessing and triaging risk events (16%), access to real-time risk data (15%), and better insight into exploit patterns (15%).
The findings also reveal gaps in coverage. A little over 10% of respondents said they could do with more comprehensive asset inventories, and another 10% said they still needed a unified view of risk data collected by their cybersecurity tools.
To manage cyber risk, talk the same talk
Once risks are prioritized, they need to be communicated upward and made part of the organization’s understanding at a strategic level. To a large degree, this requires ‘translation’: expressing the risks in business terms instead of technical ones. For that, security professionals say they need different kinds of data points, including real-time cyber risk scoring and metrics, and a greater ability to quantify the potential financial impacts of cyber risks. For executives in charge of financial performance, there’s often nothing like a dollar figure to provoke a sense of urgency.
Throughout the survey, the need for automation was a recurring theme—one that extended, interestingly, to this need for better ways of communicating risk. Nineteen percent (19%) said automated compliance tracking and reporting would be of benefit.
Finally, granularity and specificity also seem to be important. Just over 10% of respondents said they’d like to have risk dashboards and reports specific to individual business units. The same proportion said it would help them manage cyber risk if they could put their business into a wider context through comparisons with peer and industry benchmarks.
Keeping stakeholders informed
A significant part of the business risk stemming from cyber threats is reputational, not only with customers but also with supply chain partners, vendors, investors, and anyone else who depends on the organization to manage cyber risk effectively for their own safety and security. Surprisingly, or maybe not, this is one of the biggest areas for improvement identified in our survey results this year.
Just under a third (30%) of respondents said their organization follows a structured, ongoing model of communicating about security events with stakeholders. Nearly a quarter (23%) said they communicate only after an incident or based on compliance needs, a reactive approach that can create lags or gaps when a serious issue occurs. Another 20% said they tend to share updates only minimally or on an ad hoc basis, which raises the risk of weakening stakeholder trust.
Maybe most concerning is that 5% said they didn’t actually know their organization’s approach to communicating about security events.
It takes a village to manage cyber risk
As cyber risk continues to become more integrated into overall enterprise risk management, the need for clear communication and collaboration up and down hierarchies and across business units will become greater. Beyond the capabilities outlined above, that ‘all hands’ approach also extends to activities such as training, compliance procedures, and even determining when and why security partners need to be brought in.
For the full story, download your copy of the Trend Micro Defenders Survey Report 2025 today.
