4 Executive Summaries to Help Security Leaders Justify Cybersecurity Investments

Actionable insights for VPN security, DORA, passkeys, and NIS2 compliance

Obtaining budget approval for cybersecurity initiatives is a challenge that many CISOs and enterprise architects face. Decision-makers need clear, practical justifications that explain the value of these investments in terms of reducing risks, ensuring compliance, and future-proofing the organization. Below, we outline four actionable executive summaries that security leaders can use to support budget requests for key cybersecurity goals: enhancing VPN security, ensuring compliance with DORA, implementing passkeys for critical applications, and meeting NIS2 requirements.


1. How to justify investments in VPN security

Why are VPNs a target for attackers?

Virtual Private Networks (VPNs) are a critical component of remote work and secure access, but they are increasingly being exploited. Vulnerabilities in widely used systems like Fortinet and Ivanti highlight risks such as stolen credentials, weak encryption, and exposed login portals. These risks put sensitive data and business operations at stake.

What steps can improve VPN security?

Organizations can enhance VPN security by:

  • Upgrading to stronger authentication: Implement multi-factor authentication (MFA) methods such as biometrics or FIDO2 passwordless technology to prevent unauthorized access, even if credentials are compromised.
  • Hiding VPN login points: Deploy Full Site Protection (FSP) to shield VPN login pages from external threats and block access attempts by unauthorized users.
  • Adopting secure standards: Transition to modern protocols like FIDO2 and SAML for more robust and flexible authentication.

What actions should be prioritized?

  • Allocate funding to implement stronger authentication and deploy Full Site Protection.
  • Collaborate with vendors to ensure new security measures integrate seamlessly with existing VPN infrastructure.
  • Future-proof the organization’s VPN defenses by adopting modern security technologies.

2. How to build a case for DORA compliance

Why does DORA compliance matter?

The Digital Operational Resilience Act (DORA) establishes mandatory requirements for ICT risk management, incident response, and oversight of third-party risks for financial entities operating in the EU. Organizations that fail to comply by the January 2025 deadline face penalties and increased exposure to security vulnerabilities.

How can organizations meet DORA requirements?

Key measures include:

  • Strengthening ICT risk management: Regular risk assessments, enhanced data protection, and security updates ensure operational resilience.
  • Improving incident response and testing: Establish incident response plans and conduct operational resilience testing to address vulnerabilities effectively.
  • Auditing third-party risks: Assess vendors and enforce contractual safeguards to ensure they meet DORA compliance requirements.

What should security leaders do now?

  • Conduct a gap analysis to evaluate current ICT governance and identify areas requiring improvement.
  • Develop and implement enhanced incident response protocols and testing procedures.
  • Audit third-party agreements to confirm compliance with DORA standards.

Preparing now will ensure the organization meets the compliance deadline and reduces risk exposure.


3. How to justify adopting passkeys for critical applications

Why are passwords a weak point?

Passwords remain one of the most exploited security vulnerabilities, with phishing, brute force attacks, and credential theft leading to unauthorized access and data breaches. Critical business applications are particularly vulnerable, as they hold sensitive data and often lack sufficient protection against modern threats.

How can passkeys solve this problem?

Passkeys provide a highly secure, passwordless alternative to traditional authentication. Organizations can:

  • Adopt FIDO2-based passkeys: Cryptographic keys tied to user devices, combined with biometric authentication, eliminate the risks associated with passwords.
  • Simplify deployment: Use solutions like Secfense’s User Access Security Broker to implement passkeys across applications without requiring changes to existing infrastructure.
  • Improve compliance: Address regulatory requirements, including GDPR, DORA, and NIS2, by eliminating password-related vulnerabilities.
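The VPN section above recommends FIDO2-based MFA and this section states that passkeys tied to a user's device remove the phishing and credential-theft risks of passwords. The following Go program, added here as an illustration and not code from Secfense or from any FIDO2 library, shows the mechanism behind that claim in a deliberately simplified form: the browser writes the page origin and a single-use challenge into the signed client data, so an assertion produced on a look-alike site, or replayed later, fails verification at the relying party. Relying-party ID `bank.example`, the origin strings and the `Authenticator`/`VerifyAssertion` types are constructed for the example; real WebAuthn uses CBOR/COSE key encoding, flags and signature counters that are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed, simplified model of a FIDO2/WebAuthn sign-in ("assertion").
// The phishing-resistance mechanism is the real one: the browser, not the user,
// writes the page origin into the signed client data, and the relying party
// rejects anything signed for another origin or another challenge.

// ClientData is the subset of WebAuthn clientDataJSON used here.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives from the browser.
type Assertion struct {
	AuthenticatorData []byte // simplified to rpIdHash = SHA-256(rpID)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA over SHA-256(authData || SHA-256(clientDataJSON))
}

// Authenticator holds one credential's private key, scoped to a relying-party ID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// NewAuthenticator mimics registration: a fresh P-256 key pair bound to rpID.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

// PublicKey is what the relying party stored at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedPayload reproduces what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedPayload(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign mimics navigator.credentials.get(): browserOrigin comes from the page
// that called the API, so a look-alike site gets its own origin, not the
// bank's, written into the signed data.
func (a *Authenticator) Sign(challenge, browserOrigin string) (*Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedPayload(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: rpHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// NewChallenge returns a random single-use challenge stored per login attempt.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// VerifyAssertion is the relying-party side. Every check fails closed.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthenticatorData, rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedPayload(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify: signed data was altered")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("bank.example")
	ch, _ := NewChallenge()
	good, _ := auth.Sign(ch, "https://bank.example")
	fmt.Println("legitimate login:", VerifyAssertion(auth.PublicKey(), "bank.example", "https://bank.example", ch, good))
	relayed, _ := auth.Sign(ch, "https://lookalike.test")
	fmt.Println("relayed from another origin:", VerifyAssertion(auth.PublicKey(), "bank.example", "https://bank.example", ch, relayed))
}
```

Contrast this with a password or a one-time code: both are secrets the user can be talked into typing on the wrong site, and nothing in them records where they were entered. Here the secret never leaves the device, and what does leave it is bound to the origin and to a challenge that is only valid once. In a full deployment the browser additionally refuses to use a credential at all unless the page's origin matches the credential's relying-party ID, so the origin check in `VerifyAssertion` is a second layer rather than the only one.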

What are the next steps?

  • Perform a risk assessment of current authentication practices and identify gaps.
  • Secure funding to deploy passkey technology organization-wide.
  • Partner with experienced vendors to facilitate rapid and efficient implementation.
  • Train employees to ensure they are comfortable with new authentication methods.


4. How to secure funding for NIS2 compliance

What risks does non-compliance with NIS2 present?

The NIS2 Directive applies to essential and important entities in the EU, mandating higher cybersecurity standards. Failure to comply by the October 2024 deadline can result in significant fines and heightened vulnerability to cyberattacks.

What measures ensure compliance with NIS2?

Organizations must prioritize the following:

  • Comprehensive risk assessments: Identify and mitigate threats with updated security policies.
  • Effective incident response and reporting: Create response plans and ensure timely reporting to authorities in compliance with NIS2 requirements.
  • Supply chain security: Reduce vulnerabilities by ensuring third-party providers adhere to strong cybersecurity practices.
  • Employee training: Regular training helps build awareness and accountability across the organization.

What should security leaders focus on?

  • Allocate resources to implement the necessary cybersecurity measures and compliance initiatives.
  • Engage cybersecurity experts to assess current systems and create a compliance roadmap.
  • Begin implementation with a focus on critical areas to meet the compliance deadline.
  • Establish monitoring and updating mechanisms to maintain compliance as threats evolve.


Why cybersecurity investments should be a top priority

Security leaders have a responsibility to safeguard their organizations against growing threats and ensure compliance with evolving regulations. Each of the executive summaries above provides actionable strategies to justify investments in VPN security, DORA compliance, passwordless authentication, and NIS2 compliance.

By acting now, organizations can mitigate risks, strengthen defenses, and avoid penalties tied to regulatory non-compliance.


How Secfense can support your goals

Secfense helps organizations modernize their authentication infrastructure by introducing FIDO2 passkeys and passwordless solutions. Our solutions integrate seamlessly into existing systems, enabling organizations to reduce risks, meet compliance requirements, and transition to stronger, future-ready authentication methods.


Take the next step

  • Contact Secfense: Talk to an expert about how our authentication solutions can help secure your organization.
  • Watch our webinar: Learn how passkeys eliminate password-related vulnerabilities and help meet compliance requirements.

Antoni takes care of all the marketing content that comes from Secfense.
