How organizations are bridging the cyber-risk management gap