Bridging the Gap: Are Business Leaders and Security Teams Aligned on Cyber Strategy?

20th August 2025

By Joshua Walsh, Information Security Practitioner, part of the cyber, data and information law specialist team at rradar

A recent report by Darktrace on the State of AI Cybersecurity found that security practitioners working on the front lines are less confident in their organisation’s ability to combat threats than mid-level managers. Moreover, senior security professionals were more confident than the practitioners battling threats on the ground (62% vs. 49%). This can lead to real problems for corporate security.

When there is a mismatch between executive business leaders and security practitioners, it can lead to a reactive rather than proactive approach to risk management. Overconfident or misinformed business leaders could prioritise investing in the wrong technologies, leaving the business open to new and preventable threats. For instance, there’s a persistent myth that only big companies are in the crosshairs of cyber attackers. But in my work with SMEs, I’ve seen time and again that it’s low defences, not big names, that make businesses targets.

Business leaders can no longer afford to consider IF they will suffer an attack, but WHEN. They must avoid burying their heads in the sand and work collaboratively with security practitioners to understand the unique risks they face as a business and what they need to do to mitigate them, ensuring a proactive security strategy is in place. Investing in the right tools is just one step in a defence strategy. To work effectively, companies need to build operational resilience across the organisation.

AI-driven threats bring fresh challenges in corporate security

AI has significantly lowered the bar for bad actors to cause harm through hacking and phishing, as freely available tools can be used to write legitimate-looking emails and code. This not only makes it quicker for a cybercriminal to act, but it also makes previous guidelines and training for identifying attacks (e.g., looking for poor grammar and typos) less effective.

Some companies are starting to implement Agentic AI, which has the potential to increase productivity and efficiency through automating tasks and making decisions without human input. However, this also brings massive security risks. A single prompt injection, misconfiguration, or tampered instruction can trigger a chain reaction of failures, potentially leading to data breaches, reputational harm, financial loss, and regulatory consequences.

We’re also starting to see a rise in AI-driven voice cloning and deepfake attacks, where just a few seconds of audio can be used to convincingly impersonate someone of authority. These tools are being used to bypass security checks, trick employees, and conduct high-level social engineering scams. The realism and speed at which these attacks can be deployed make traditional verification methods unreliable, forcing organisations to rethink how they authenticate identity and train staff to spot synthetic deception.

How can the gap in understanding be closed?

To close the gap in understanding, businesses need to:

  1. Embed CISOs into the business strategy conversation. Security leaders need to have a seat at the table to ensure cybersecurity resilience is embedded as a core business function, not just when an incident occurs.
  2. Show real examples of threat attempts. In my experience, showing examples of actual attempts made against the business is the best way to get the point across to people. Mock examples often shown in annual security training don’t carry the same weight, because they are just that: mock examples. Seeing a real threat that the business has faced hits home much more.
  3. Create, test, and continually update a business continuity plan and incident response plan. These are vital, as they provide a guide on how to react, who is responsible for what, and actions to take should an incident occur.
  4. Train all staff and board members. Training needs to be up-to-date and in plain language that people can understand. For board-level teams, security practitioners can translate the potential impacts of an attack into business impacts that resonate, e.g., downtime, regulatory fines, and reputational damage.
  5. Don’t make the mistake of ignoring AI in the hopes that it will disappear or become someone else’s problem; it’s already reshaping the threat landscape in real, measurable ways. From deepfake scams to AI-powered phishing campaigns, these tools are being weaponised faster than most policies can keep up. Businesses that fail to engage with these changes risk being caught off guard by threats they don’t yet fully understand.

By embedding these steps, business leaders will have an improved understanding of their organisation’s risk profile and be better equipped to drive proactive cyber resilience.

Categories: Articles, Tech
