Lack of Visibility Leaves Leaders in the Dark
Cyber risk communication is broken, and that is before counting third-party risk and burnout. Bitsight’s new “State of Cyber Risk and Exposure 2025” report reveals that only 28% of organizations say they’re “very effective” at communicating cyber risk to leadership. But a critical connection emerges: firms with strong asset visibility are 2.5 times more likely to succeed in getting the message across to their boards.
This isn’t just a hiccup. It’s a blindfold. Without accurate, comprehensive visibility into cyber risk, decision-makers remain hamstrung.
Cyber Risk Management Is Harder Than Ever
The report, based on a survey of 1,000 cybersecurity and cyber risk leaders, highlights a challenging truth: 90% say managing cyber risks is harder today than five years ago. The main culprits are clear: the explosion of AI-enabled threats (39%) and a rapidly expanding attack surface (38%).
These changes aren’t just complicating security—they’re exhausting the workforce. 47% of cybersecurity professionals report burnout. That number spikes to 63% in organizations lacking visibility tools. Conversely, where full visibility exists, burnout drops to 44%.
Stephen Boyer, Chief Innovation Officer at Bitsight, underscores the urgency. “As AI-automated threats accelerate, organizations are struggling with both the technical complexities of risk management and the critical need to align cybersecurity efforts with business priorities.”
Blind Spots Undermine Cyber Programs
Despite widespread adoption of security initiatives, true maturity remains elusive. Only 29% of organizations report having a formal cyber risk program aligned with business priorities. And a mere 19% rate their practices as “very mature.”
Monitoring is also a top investment area, having jumped from seventh to first in cybersecurity priorities. Yet only 17% of organizations regularly map threats across environments with multiple risk factors. This low visibility keeps many organizations in the dark, technically and strategically.
Third-Party Risks Often Go Unmonitored
While 99% of organizations assess vendor risk, only one-third continuously monitor their third-party relationships. This is concerning since 30% of breaches last year were tied to third-party vendors—a number that doubled from the previous year.
Organizations with formal, business-aligned cyber risk programs are 4.5 times more likely to monitor all third-party relationships. Still, monitoring practices vary widely, and many companies rely heavily on periodic questionnaires rather than continuous oversight.
Cloud, Infrastructure, and Misconfigurations: Top Concerns
The digital landscape is cluttered with vulnerabilities. According to the report, the biggest threats causing sleepless nights include data breaches (54%), ransomware (38%), and DDoS attacks (23%). Contributing risk factors include cloud misconfigurations (43%), third-party exposures (42%), and critical infrastructure vulnerabilities (39%).
Asset Visibility Means Business Context
Full visibility isn’t just about knowing what devices are connected. It means understanding the business context of each asset—how it relates to operations, customers, and financial outcomes.
Organizations with this level of insight can prioritize threats, align security with strategy, and speak the language of leadership. Unfortunately, most still operate with basic CVE-level vulnerability reports, lacking the frameworks to turn security data into business intelligence.
Conclusions – Boards Need Clearer Communication
The report finds that fewer than one in three organizations excel at communicating cyber risk. Poor visibility is a key barrier. Among those struggling to communicate, 32% cite poor security visibility as a major contributor. Even more concerning, 42% blame inadequate cybersecurity knowledge at the board level, while 33% say they don’t get enough executive face time.
Still, Bitsight sees a path forward. Asset discovery and contextualized monitoring help translate complex cyber issues into boardroom-ready messages.
“The data clearly show that continuous monitoring and comprehensive visibility into cyber risk intelligence are no longer optional – they are foundational for effective risk management and communication, and for combating the increasing rates of burnout within security teams,” says Boyer.
Everyday Analogy: Cybersecurity as Sailing Without a Map
Imagine captaining a ship through stormy waters without a compass, map, or weather updates. You feel the waves, but don’t know what’s coming or how close you are to the rocks. That’s how many companies are navigating cyber risk today.
Bitsight’s report shows that while captains (executives) are on deck, only a few crews (security teams) have radar (visibility). Without knowing where their assets are or what risks surround them, they’re left steering blind.