As part of BCS’ CIO Network family of events, Brian Runciman MBCS reports on how cybersecurity leaders are reconsidering trust, cost and culture in the face of evolving threats, AI disruption and the complex realities of Zero Trust implementation.

At a recent closed-door BCS CIO Network event, industry leaders, policymakers and cybersecurity experts convened to grapple with one of the most complex challenges of our digital era: how to stay safe in a world where digital transformation is inevitable — and increasingly risky. The discussion, shaped by lived experience and sharp foresight, circled a single theme: preparedness. At its core was Zero Trust — a model less about paranoia than practicality in the face of evolving cyber threats.

The event, held under Chatham House rules, provided a unique glimpse into the minds shaping the UK’s cybersecurity future. Their insights painted a picture of a threat landscape that’s as fast-moving as it is fragmented — where legacy systems, artificial intelligence and supply chain vulnerabilities intersect in unpredictable ways.

From buzzword to blueprint: the reality of Zero Trust

For many organisations, Zero Trust has become a North Star: a guiding light rather than a destination. Its mantra of ‘never trust, always verify’ promises tighter control over who can access what, when and how. However, leaders at the BCS event quickly grounded the conversation in reality.

‘Every time I go to the board, the first question is: how much is this going to cost?’ admitted one CIO, echoing a common frustration. Zero Trust demands a shift not just in systems, but in mindset. The complexity of implementation, lack of standardised pricing and resource demands of constant verification are all real barriers.

More importantly, speakers warned against viewing cybersecurity as a bolt-on technology issue. Instead, it must be integrated into business processes from the start. As one expert put it, ‘We need to look at cyber from the point of view of process, not just systems or data.’ That means treating security not as an IT concern but as a leadership priority directly affecting business continuity, cost and customer trust.

Leadership in the age of cyber complexity

A striking theme throughout the session was the need for leadership to step into cybersecurity conversations.

It’s about embedding resilience into an organisation's DNA from strategy to everyday operations. That includes recognising where expert resources and guidance already exist. For example, the National Cyber Security Centre (NCSC) offers extensive frameworks and best practice toolkits to help organisations navigate Zero Trust and broader cyber resilience efforts. However, using them effectively requires leadership buy-in and cross-functional alignment.

Legacy: the elephant in the server room

One of the more surprising points of agreement? Legacy systems may not be the ticking time bombs they’re often made out to be.

Several experts at the event challenged the common notion of equating modernisation with security. Older systems, particularly in sectors like government and defence, are usually siloed, obscure and difficult to penetrate. Sometimes their very age becomes an unintentional insulation. ‘Our legacy self-protects through obfuscation’, noted one attendee. ‘It’s not highly interconnected, and the skills to attack these systems are increasingly rare.’

But complacency is dangerous. The risk lies in how these systems interact with modern technologies; as organisations stitch together old and new, the seams become critical fault lines. Strategic decisions must be made about what to retire, what to reinforce, and what to monitor more closely.

The human factor: impacts on people and process

Perhaps the most overlooked dimension of cybersecurity transformation is its impact on users. Implementing Zero Trust or AI-driven identity systems often brings unwelcome changes to employees’ day-to-day experience.


New rules, frequent authentication and restricted access can all frustrate users and slow down workflows. That’s why a shift in cybersecurity posture must be accompanied by clear communication, training and process re-engineering. One panellist emphasised, ‘Business as usual doesn't have to break — but it does need to adapt.’

Proper security isn’t seamless, but it can be sustainable if the people it affects are brought into the fold early. That means being transparent about why controls are changing, how they protect the organisation and what support is available to help staff adjust.

Beyond the firewall: securing the supply chain

In an interconnected world, even the most robust internal defences can be undermined by third-party vulnerabilities. ‘I know my [own] systems’, one CIO said. ‘But I don’t know my suppliers’ vulnerabilities — even though we have cyber clauses in the contract.’

This blind spot is becoming increasingly untenable. Speakers called for a shift from reassurance to assurance — from vague vendor promises to concrete, measurable security practices. Tools like Software Bills of Materials (SBOMs) were flagged as promising — however, progress is slow without standardised frameworks and cultural change.
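The shift from reassurance to assurance that the speakers describe can be made concrete by checking what a supplier's SBOM actually contains. The example below is added here and is not from the event or from any vendor: it takes a constructed CycloneDX-style document and reports, per component, which pieces of evidence (version, package URL, supplier, hashes) are missing, plus an overall coverage figure. The `REQUIRED` field list is an assumption for illustration; which fields a given organisation demands is a contractual decision.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM (sample data, not from any real supplier).
# Field names (bomFormat, components, purl, supplier, hashes) follow the CycloneDX JSON schema.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libalpha", "version": "2.3.1",
         "purl": "pkg:generic/libalpha@2.3.1",
         "supplier": {"name": "Alpha Ltd"},
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "libbeta", "version": "0.9",
         "purl": "pkg:generic/libbeta@0.9"},          # no supplier, no hashes
        {"type": "library", "name": "gamma-tool"},    # nothing beyond a name
    ],
})

# Evidence an organisation might demand per component (assumption for this example).
REQUIRED = ("version", "purl", "supplier", "hashes")


def assurance_gaps(sbom_json: str) -> Dict[str, List[str]]:
    """Return {component name: [missing REQUIRED fields]} for every component
    that lacks at least one field. An empty dict means full coverage."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    gaps: Dict[str, List[str]] = {}
    for comp in sbom.get("components", []):
        # Treat absent, empty or null values the same: no evidence supplied.
        missing = [field for field in REQUIRED if not comp.get(field)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def coverage(sbom_json: str) -> float:
    """Fraction of components carrying every REQUIRED field (0.0 for an empty SBOM)."""
    sbom = json.loads(sbom_json)
    components = sbom.get("components", [])
    if not components:
        return 0.0
    complete = sum(1 for comp in components
                   if all(comp.get(field) for field in REQUIRED))
    return complete / len(components)


if __name__ == "__main__":
    for name, missing in assurance_gaps(SAMPLE_SBOM).items():
        print(f"{name}: missing {', '.join(missing)}")
    print(f"coverage: {coverage(SAMPLE_SBOM):.0%}")
```

A check like this turns a contractual cyber clause into something measurable: a supplier whose SBOM scores low on coverage is giving reassurance, not assurance, and the gaps list tells the procurement conversation exactly what to ask for.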

AI: a new weapon in the arsenal, or a trojan horse?

AI emerged as both hero and hazard. While AI can strengthen defences by automating threat detection and refining identity management, it also supercharges attackers by allowing them to automate phishing, hunt for zero-days and even craft convincing deepfakes. That’s why a cautious, governance-led approach is critical. Experts were clear: AI should augment human oversight, not replace it. The goal is enhanced decision making, not blind automation.

Measuring what matters

If there was a rallying cry from the session, it was this: what you measure shapes what you manage. Many cybersecurity metrics remain superficial — number of alerts, threats blocked — but the conversation must shift toward more meaningful indicators like how quickly threats are detected and contained, and how effectively staff can operate within secure environments. This requires leadership engagement, cross-team collaboration and a shared understanding of what ‘secure enough’ looks like in context.
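To show what the ‘how quickly threats are detected and contained’ indicators look like in practice, here is an added example, not from the event or from BCS, that computes time-to-detect and time-to-contain from a constructed set of incident records. It reports the mean alongside the median, because one slow-burning incident can make a mean look far worse than the typical case, and counts how many incidents were contained within a service-level target. The four-hour target and the record layout are assumptions for the illustration.

```python
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed incident records (sample data, not from any real SOC).
# "started" is the earliest evidence of malicious activity established during the
# investigation, which is usually earlier than the first alert; "contained" is None
# while the incident is still open.
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-1", "started": "2024-03-01T08:00:00", "detected": "2024-03-01T08:20:00", "contained": "2024-03-01T10:00:00"},
    {"id": "INC-2", "started": "2024-03-03T22:00:00", "detected": "2024-03-04T09:00:00", "contained": "2024-03-04T15:00:00"},
    {"id": "INC-3", "started": "2024-03-10T12:00:00", "detected": "2024-03-10T12:05:00", "contained": "2024-03-10T12:45:00"},
    {"id": "INC-4", "started": "2024-03-12T06:00:00", "detected": "2024-03-15T06:00:00", "contained": None},
]


def _hours_between(earlier: str, later: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def detection_times(incidents) -> List[float]:
    """Hours from first malicious activity to detection, for every incident."""
    return [_hours_between(i["started"], i["detected"]) for i in incidents]


def containment_times(incidents) -> List[float]:
    """Hours from detection to containment, for closed incidents only."""
    return [_hours_between(i["detected"], i["contained"]) for i in incidents if i["contained"]]


def summarise(incidents, containment_sla_hours: float = 4.0) -> Dict[str, float]:
    """Outcome-focused metrics: MTTD/MTTC (mean and median), share of closed
    incidents contained within the SLA, and how many remain open."""
    ttd = detection_times(incidents)
    ttc = containment_times(incidents)
    return {
        "mttd_hours": mean(ttd),
        "median_ttd_hours": median(ttd),
        "mttc_hours": mean(ttc) if ttc else float("nan"),
        "median_ttc_hours": median(ttc) if ttc else float("nan"),
        "within_sla": (sum(1 for t in ttc if t <= containment_sla_hours) / len(ttc)) if ttc else 0.0,
        "open_count": sum(1 for i in incidents if not i["contained"]),
    }


if __name__ == "__main__":
    for key, value in summarise(INCIDENTS).items():
        print(f"{key}: {value:.2f}")
```

Against the sample data the mean time to detect is roughly 21 hours while the median is under six, because INC-4 went three days unnoticed: exactly the kind of outlier a board should hear about, and one that a count of alerts or blocked threats would never surface.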

Preparedness is everything

Ultimately, the event underscored that cybersecurity is not a static goal but an evolving discipline: the threats are dynamic, the technologies are complex and the human factor is ever-present. Success isn’t about perfection. It’s about readiness.

One participant said, ‘Digital transformation done properly is secure by design. If we don’t embed security into our processes now, we’re just building tomorrow’s legacy vulnerabilities today.’

The future of cybersecurity won’t be secured by tech alone. It will be shaped by leaders willing to prepare, question and lead from a place of clarity — not fear.

What is the CIO Network?

Vibrant, animated and practical, the CIO Network aims to provide leaders with a space to shape tomorrow’s technology agenda. Find out how you can join the next event by contacting developmyteam@bcs.uk. Please note the CIO Network is non-commercial.

Want more?

BCS has released a companion podcast featuring CISO Heather Lowrie and Ian McCormack, Deputy CTO at the National Cyber Security Centre, diving deeper into these themes. Tune in for real-world insights and practical guidance from those on the cybersecurity frontlines.

Listen here: https://www.bcs.org/articles-opinion-and-research/fortifying-digital-defences-exploring-zero-trust-models-in-cyber-security/