A few years back, we kicked off our own internal lightning talks—our way of having a good old geek-out over cybersecurity topics that get our Governance, Risk, Assurance, and Compliance brains buzzing. Think of it as a slightly more structured version of those deep and meaningful yarns we used to have around the office coffee machine… before COVID did its thing and made us all experts in online-meeting awkwardness instead.
These blog posts are not written by one team member. The content is provided to you by the whole Axenic Team – or whoever attended on the day.
These sessions are open to the whole team—anyone can throw a topic into the ring. We start with a brief, sometimes spicy, statement on the subject, then let everyone have a crack at sharing their two cents in 2-3 minutes. No passengers here—whether you’re a guru or just rolling in with your best “I reckon,” you’ve gotta contribute. And just to keep things fair, our in-house experts hold their horses until the end so they don’t sway the discussion too early.
Over the years, we’ve tackled all sorts of cybersecurity conundrums, but then we thought—why keep all the fun to ourselves? Why not share these gems with the wider industry and see what the rest of you reckon?
So here we are! We’ll be posting our discussions (old and new), and we’d love to hear your take. Drop your thoughts in the comments—whether we agree or not, we’ll publish them (as long as you keep it respectful, of course). Let’s get debating!
Last week, we discussed what drives businesses to invest (or spend, if you like) in cybersecurity. We started by asking:
- What do you think are the key drivers for businesses to make cybersecurity investments?
- Why?
- How do businesses make these decisions (risk assessments, including quantifications of expected loss vs opportunities, percentage of their budget, how loud the cybersecurity team screams, etc)?
- How can we influence businesses to make the right cybersecurity investment decisions (would the right decision ever be not to invest?), including resourcing (people and budgets)?
Here is a summary of the opinions from our team members.
Why Do Businesses Invest in Cybersecurity? (Or Not?)
Cybersecurity investment—what really drives it? Is it proactive planning, a regulatory kick up the backside, or just a classic case of FOMO? Our latest lightning talk session got stuck into this very question, and as expected, the answers were as diverse as the risks themselves.
The Key Drivers (Or Lack Thereof)
For some businesses, cybersecurity is like buying the latest iPhone—you do it because everyone else is. Whether it’s industry trends, competitors’ moves, or government regulations, the “bandwagon effect” cannot be overlooked. If the big players are doing it, surely it must be important, right?
Then there’s the classic Kiwi attitude: “She’ll be right.” Why fix what ain’t broke? Many organisations only truly take cybersecurity seriously once they’ve been stung. Unfortunately, complacency is more common than it should be and when it comes to security risks, learning the hard way can be very, very expensive.
What does get people listening? Real-life, close-to-home incidents. If a business down the road or in the same industry gets hit, suddenly, security is on the boardroom agenda. Without tangible, relatable threats, risks remain hypothetical—just another line item on a risk register that people assume is already “handled.”
So, what really pushes businesses to invest? The top answers:
- Customer and regulatory requirements – Nothing like a compliance mandate to get things moving.
- Preventing incidents from happening again – Once bitten, twice shy.
- Management belief – The rarest but best reason: leadership genuinely values security.
- Security awareness – When people understand the risks, they’re more likely to act.
How Can We Influence Change?
We know businesses should invest in security, but how do we convince them to want to? The team shared their approaches:
- Use real-world examples – Government sector breaches, industry-specific incidents, and even personal scam stories hit closer to home than vague “what ifs.”
- Make it about business survival – For small businesses, the question isn’t if they’ll be hacked but how long they could survive without their systems or customer trust.
- Flip the competitive edge – Being security-mature isn’t just about reducing risk; it’s about winning deals. Government and big corporates demand strong security—meet their expectations, and you expand your customer base.
- Sell the benefits, not the effort – No one likes extra work. Instead of highlighting how hard it is to get secure, focus on the business wins it brings.
- It’s not about outrunning the bear – You don’t need to be invincible, just more secure than the next guy. Attackers often go for the lowest-hanging fruit.
Another reality check? Insurance isn’t a silver bullet. Some businesses think cyber insurance is a get-out-of-jail-free card, but it’s just another cost—and it won’t magically restore customer trust or reputation after a breach.
And then there’s the big one: Do businesses even realise the value of the information they hold? Many don’t. But whether it’s sensitive customer data, trade secrets, or just the ability to operate, every organisation has something worth protecting. Even if they aren’t the main target, they could be collateral damage or a stepping stone for attackers to reach bigger fish.
The Hard Truths
Of course, not everyone is going to buy into security, no matter how persuasive we are. Some businesses:
- Operate largely offline and see no need for cybersecurity.
- Don’t have the budget (or claim they don’t).
- Have the budget but just don’t see it as a priority.
- Only comply if they have to—how many organisations would bother to go through certification and accreditation or PCI compliance if it weren’t required?
At the end of the day, selling cybersecurity is highly context-dependent. The approach that works for a financial services CEO won’t fly with a small business owner. A government agency will have different priorities than a retail store. Understanding who you’re talking to and what matters to them is key.
A Picture is Worth a Thousand Words
Side conversations included a throwback to Kiwicon III 2009’s legendary poster: “Hackers don’t give a shit.” Others laughed (or sighed) at the common struggle of explaining risk to “The Business.” Because sometimes, no matter how well you present the argument, you’re still met with blank stares and a polite, “Yeah, we’ll think about it.” 🙃
But hey, that’s why we keep having these conversations. Because whether businesses like it or not, cybersecurity isn’t going away. And sooner or later, they’ll realise—it’s better to be prepared than to be the next cautionary tale.