In an era where digital transformation is integral to business success, cybersecurity has become a pivotal issue for organisations of all sizes. As cyberthreats become more sophisticated, companies are challenged to strengthen their cyber risk posture, often facing the daunting task of securing resources and investments from executive leadership.

The key to success lies in building a strong business case that aligns security efforts with business goals and demonstrates tangible returns on investment.

The recent round-table discussion, hosted by TechCentral and Arctic Wolf, brought these issues into sharp focus, exploring the most pressing cybersecurity issues facing organisations, how organisations approach them, the role of partnerships, and strategies for effectively communicating the business case for cybersecurity investment to executive leadership and the board.

Legacy systems, emerging threats and cultural resistance

Participants in the round-table discussion agreed that organisations today face a host of security challenges. Legacy systems, which are often difficult to protect, present a significant vulnerability. These systems require complex risk-based approaches, with a focus on stopping attacks within the “kill chain” and preventing lateral movement across networks. Additionally, the rapid evolution of threats, driven by emerging technologies such as artificial intelligence and the internet of things, adds further complexity. As these technologies advance, so, too, do the methods attackers use to exploit vulnerabilities.

There was also consensus among attendees that a notable challenge is the human element – employees are often the weakest link in an organisation’s cybersecurity defences. Whether due to negligence or resistance to adopting new technologies, people are a major risk factor. This highlights the need for creating a culture of security, where individuals are encouraged to report incidents and engage proactively with security policies.

Another challenge is the involvement of security teams in business processes. Participants explained that often these teams are brought in late, after critical decisions have been made. To counter this, organisations are shifting towards a “security by design” approach, where security is integrated into the core of business operations from the outset. Involving security champions across various departments and ensuring policies are enforced consistently are essential steps in this process.

Lastly, data exposure through cloud services and the governance challenges associated with AI present ongoing concerns. Organisations are increasingly focusing on building strong relationships between security teams and business units to foster collaboration and mutual understanding.

Guiding frameworks and threat modelling as key tools

Cybersecurity frameworks, such as ISO standards, continue to be valuable tools in shaping organisational strategies. However, round-table participants emphasised that it is equally important to tailor these standards to fit the specific business context. Understanding how the business operates, what its priorities are and how security integrates with those priorities is essential to creating a more aligned and effective security strategy.

Threat modelling emerged as a critical approach for prioritising security investments. By identifying the most significant threats and vulnerabilities, organisations can focus resources on areas where they are most needed, ensuring that cybersecurity efforts are both efficient and impactful.

Communicating cybersecurity needs to the board

One of the key challenges highlighted during the round table was the difficulty cybersecurity leaders face in communicating the need for investment to boards and executive leadership. While CIOs and CTOs generally understand the technical and operational risks, board members often view cybersecurity as discretionary rather than essential, failing to see it as a form of insurance that mitigates the risks of a cyber incident. The financial and operational impacts of such events are often poorly understood, with many executives unaware of how a cyber breach could disrupt operations or damage the organisation’s reputation.

To address this gap, many organisations are now using tools that simulate the financial fallout of a cyber breach, helping to translate abstract risks into concrete figures. This approach makes it easier to build a compelling case for cybersecurity investment, quantifying the potential consequences, such as brand damage, lost productivity and legal liability. By presenting these risks clearly through simulations, reporting and ongoing training, leaders can shift board perceptions and secure the necessary support. Participants agreed that building a business case for improving your cyber risk posture requires a strategic approach that aligns security initiatives with business goals.

Quantifying the ROI for cybersecurity initiatives remains challenging but is crucial for making a persuasive case. Metrics like reduced incident response times, fewer breaches and cost savings from avoided attacks can demonstrate clear ROI. Indirect benefits, such as improved employee productivity and increased customer trust, further underscore the value of a strong cybersecurity posture.

Addressing skills gaps and retaining talent

The cybersecurity talent shortage is a significant issue for many organisations and emerged as a recurring theme during the discussion. High demand and lengthy recruitment processes often result in gaps within security teams. Additionally, once employees are trained, they may leave for more lucrative opportunities elsewhere. Retaining talent requires a robust staff retention policy, including long-term development plans and programmes that keep employees engaged and aligned with the organisation’s goals.

Some organisations are partnering with vendors to augment their internal teams, but this approach comes with its own set of challenges, such as cost uncertainty and the risk of overreliance on external resources. To mitigate these risks, organisations are ensuring that internal teams are cross-functional and that any external partnerships include skills transfer programs to build internal capacity.

In-house expertise and third-party partnerships

Partnerships with external vendors can be a valuable way to enhance cybersecurity capabilities, but organisations must carefully manage these relationships. The round-table participants emphasised the importance of taking a service-based approach rather than focusing on specific products. By building a platform around security operations that augments existing toolsets and provides access to specialised expertise and global intelligence, organisations can ensure that their cybersecurity posture remains scalable and flexible.

Ultimately, accountability for security must remain in-house, even if external partners are involved. Organisations should avoid outsourcing too much control and should maintain transparency in their relationships with vendors.

TechCentral and Arctic Wolf thank all of those who participated in the round-table discussion.