The 10 biggest issues CISOs and cyber teams face today


The CISO job is tough, and it’s getting tougher: 66% of security leaders surveyed for the 2025 State of Cybersecurity report from professional association ISACA said their roles are more stressful today than they were five years ago — in the midst of a pandemic.

Dig into all they’re facing, and it’s no wonder security leaders and their teams are stressed.

CISOs are dealing with rising risks, competing priorities, limited budgets, and more. Here, they cite the 10 issues that are top of mind today.

1. Securing AI infrastructure

Any CISO who’s been in the profession long enough will know that emerging technologies advance faster than the tools and strategies to effectively secure them.

It’s no different with artificial intelligence.

“We have an issue where cybersecurity and guardrails for the use of AI are in their infancy, but the use of AI is not,” says TCE Strategy CEO Bryce Austin, a cybersecurity expert and risk consultant.

Research bears this out. Some 60% of global CISOs believe generative AI poses a risk to their organization, up from 54% in 2024, according to the 2025 Voice of the CISO Report from security tech company Proofpoint.

Robert T. Lee, chief AI officer and chief of research at SANS, a security training and certification firm, says some security teams are treating AI like a conventional technology, but it’s not, and they haven’t yet built the knowledge and skills needed to develop a new paradigm for securing it.

“It’s not finger-pointing; we’re all learning,” Lee says. “Business is now expected to embrace and move quickly with AI. Boards and C-level executives are saying, ‘We have to lean into this more’ and then they turn to security teams to support AI. But security doesn’t fully understand the risk. No one has this down because it’s moving so fast.”

As a result, many organizations skip security hardening in their rush to embrace AI. But CISOs are catching up. According to the findings of ISACA’s survey, 47% of security leaders said they have helped develop AI governance (up from 35% in 2024) and 40% said they’ve been involved in AI implementation (up from 29% the prior year).

2. Escalating — and accelerating — AI-enabled attacks

A 2025 survey from Boston Consulting Group found that 80% of CISOs worldwide cited AI-powered cyberattacks as their top concern, a 19-point increase from the previous year. A 2025 survey from Darktrace, a security technology firm, found that 78% of CISOs reported a significant impact from AI-driven threats, up 5% from 2024.

“One of the things that keeps me up at night and scares me is the fact that AI has driven the time to compromise down to minutes and seconds,” says Jenai Marinkovic, a virtual CTO and CISO with Tiro Security and an ISACA cybersecurity expert.

To counteract this new reality, Marinkovic is fortifying the IT environments she’s charged with securing, strengthening defenses, and preparing her security teams for AI-enabled attacks — and the speed at which they can happen. “It used to be you could do a tabletop exercise once a month and be ready; now you have to do it almost every day,” she adds.

3. Securing data in an AI world

Some 67% of security leaders surveyed for Proofpoint’s 2025 Voice of the CISO Report said they see information protection and governance as a top priority. The report also found that just two-thirds indicated that the data within their organization is adequately protected, despite nearly all CISOs reporting having data loss prevention technologies in place.

The 2025 Data Threat Report from Thales, a multinational aerospace and defense corporation specializing in electronics, found that 36% of respondents were somewhat or not at all confident in their ability to identify where their data is stored.

Moreover, Todd Moore, global vice president of data security at Thales, says CISOs are facing a torrent of AI-generated data — generally unstructured data such as chat logs — that needs to be secured.

“In some aspects, AI is becoming the new insider threat in organizations,” he says. “The reason why I say it’s a new insider threat is because there’s a lot of information that’s being put in places you never expected. CISOs need to identify and find that data and be able to see if that data is critical and then be able to protect it.”
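The “find it, then decide whether it’s critical” step Moore describes is tractable once the chat logs are treated like any other unstructured store. The scanner below is an added example, not code from the article or from Thales: it walks a transcript that is constructed for the example, pulls out payment card numbers (validated with a Luhn check so order numbers are not flagged), US social security numbers and AWS access key IDs, and reports them masked so the report itself does not become a second leak. The three detectors are illustrative; a real deployment would add patterns for the organization’s own record types.

```python
"""Find sensitive data that has leaked into unstructured AI chat logs.

Added example, not from the article or from Thales. The transcript below is
constructed for the example; the detectors are illustrative, not exhaustive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample transcript: each line is "<role>: <text>".
SAMPLE_LOG = """\
user: reformat this customer record: Jane Doe, card 4111 1111 1111 1111, ssn 123-45-6789
assistant: Here is the record as JSON.
user: here is the prod key so you can test the upload: AKIAIOSFODNN7EXAMPLE
assistant: I cannot use credentials, but here is the request format.
user: the order reference was 1234 5678 9012 3456, not the total
"""

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")            # AWS access key ID format
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


@dataclass(frozen=True)
class Finding:
    line: int
    role: str
    kind: str
    masked: str   # value with everything but the last four characters hidden


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report is safe to circulate."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per sensitive value found in the transcript."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        role, _, body = line.partition(":")
        role = role.strip().lower() or "unknown"
        for m in SSN_RE.finditer(body):
            findings.append(Finding(n, role, "ssn", mask(m.group())))
        for m in AWS_KEY_RE.finditer(body):
            findings.append(Finding(n, role, "aws_access_key", mask(m.group())))
        for m in CARD_CANDIDATE_RE.finditer(body):
            digits = re.sub(r"[ -]", "", m.group())
            # The Luhn check drops order numbers and other digit runs that are not cards.
            if luhn_ok(digits):
                findings.append(Finding(n, role, "payment_card", mask(digits)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, the figure needed to size the clean-up."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line} ({f.role}): {f.kind} {f.masked}")
    print(summarize(hits))
```

Run against the sample, the scanner flags the card, the SSN and the access key on lines 1 and 3 and ignores the 16-digit order reference on line 5 because it fails the Luhn check. Recording the role on each finding matters in practice: a secret pasted by a user is a training problem, a secret emitted by the assistant means the model or its retrieval store already holds it.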

4. An ever-expanding threat landscape

The volume and velocity of attacks have been rising for decades, leaving CISOs and their teams constantly struggling to keep up. AI has only accelerated that trend, says Katell Thielemann, distinguished vice president analyst at research firm Gartner.

“In the age of AI, the threat landscape has changed dramatically. The attack surface has grown rapidly, and shadow tech adoption is even more widespread,” Thielemann says. “CISOs have always had to deal with those things, but now it’s much more complicated.”

Attackers are better organized, and backed by crime syndicates and governments. They’ve become more professional, developing supply chains of their own to enhance attack capabilities. And they’re using AI to increase their proficiency, scale, and success rates.

The environment CISOs must protect has expanded, too.

“In the age of just-in-time production and having all kinds of tech linked to each other, CISOs are trying to protect a landscape that’s larger and more interconnected than ever,” Thielemann says.

Consider the findings from PwC’s 2026 Global Digital Trust Insights report: Roughly half of those surveyed said their organization is at best only “somewhat capable” of withstanding cyberattacks targeting specific vulnerabilities and only 6% feel confident across all vulnerabilities.

And with exploitation of vulnerabilities rising sharply, more CISOs are looking to rethink vulnerability management.

5. … and increasingly vicious attacks

Security experts have long warned that anyone could be a victim of a cyberattack, yet a hope that some entities were off-limits persisted. The September 2025 breach of the Kido International Preschool chain, in which hackers used pictures and names of some 8,000 children served by the company to demand ransom, was seen by many as a new low.

“We’re now getting to the stage where no one is off-limits,” says Simon Backwell, head of information security at tech company Benifex and a member of ISACA’s Emerging Trends Working Group. “Attack groups are getting bolder, and they don’t care about the consequences. They want to cause mass destruction.”

6. Budget constraints

Surveys show that a majority of organizations are spending more on security year over year, but increases aren’t keeping pace with the rising volume and viciousness of attacks. That is upping the pressure CISOs feel, says Thielemann.

“They have to stay within the cost profile at the same time the threat is increasing and the technology debt and the old stuff that’s harder to secure isn’t going away and the new attack vectors are coming in and the new tech is making this all the more difficult,” she says.

Brian L. DePersiis, Americas cybersecurity strategy leader at professional services firm EY, predicts that CISOs may face even more financial pressure in the near term, given the economic uncertainty many business leaders have been expressing.

“There is pressure on CISOs to reduce costs,” he says, noting that CISOs are automating capabilities, simplifying their security tech stack, shedding bespoke solutions, and outsourcing some functions to create efficiencies and save money.

7. Preparing employees to not fall for increasingly sophisticated scams

TCE Strategy’s Austin came across a novel phishing attack. A hacker had fabricated what appeared to be a months-long email chain, complete with legitimate-looking logos and details, between the company’s CEO and a supplier, then forwarded the thread to accounts payable with a top message seeking an overdue payment.

The company’s email filtering tool had quarantined that email, flagging the server it had been sent from, but Austin says it likely would have gotten past filters that aren’t set as “aggressively” as the filter in that company. And an email like that, once in an employee’s inbox, had a good chance of duping the recipient.
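What an “aggressive” filter is actually checking in a case like this is worth spelling out. The script below is an added example, not code from the article or from TCE Strategy: it scores three messages constructed for the example, all carrying the same fabricated CEO-to-supplier thread and the same overdue-payment request. One spoofs the company’s own domain (so DMARC fails), one comes from a lookalike domain the attacker controls (so SPF, DKIM and DMARC all pass and only content-level checks remain), and one is the genuine CEO forwarding the thread through the company’s own mail flow. The domain, the executive directory and the scoring weights are assumptions made for the example.

```python
"""Triage a forwarded "overdue payment" thread before it reaches accounts payable.

Added example, not from the article or from TCE Strategy. The domain, the
executive directory, the scoring weights and all three messages are
constructed for the example.
"""
from __future__ import annotations

import email
import re
from email import policy

OUR_DOMAIN = "example.com"                          # assumed: the defended organization
EXECUTIVES = {"pat chen": "pat.chen@example.com"}   # assumed directory: display name -> real address
MONEY_WORDS = ("overdue", "payment", "wire", "bank details", "invoice")
QUARANTINE_THRESHOLD = 50

# One fabricated thread; only the authentication result and sender address vary.
TEMPLATE = """\
Authentication-Results: mx.example.com; {auth}
From: "Pat Chen (CEO)" <{sender}>
To: accounts-payable@example.com
Subject: FW: Overdue payment - Northwind Supply
Content-Type: text/plain; charset=us-ascii

Please settle this today, it is badly overdue.

> From: Pat Chen <pat.chen@example.com>
> To: billing@northwind-supply.example
> Confirmed, send the invoice and we will pay on receipt.
"""


def constructed(auth: str, sender: str) -> bytes:
    return TEMPLATE.format(auth=auth, sender=sender).encode()


# Spoofed: claims our domain, so DMARC fails and the sending server is not ours.
MSG_SPOOFED = constructed("spf=fail smtp.mailfrom=invoice-relay.example.net; dkim=none; dmarc=fail header.from=example.com", "pat.chen@example.com")
# Lookalike: the attacker's own domain, so SPF, DKIM and DMARC all pass.
MSG_LOOKALIKE = constructed("spf=pass smtp.mailfrom=example-co.com; dkim=pass; dmarc=pass header.from=example-co.com", "pat.chen@example-co.com")
# Legit: the real CEO forwarding the same thread through our own mail flow.
MSG_LEGIT = constructed("spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass header.from=example.com", "pat.chen@example.com")


def parse_auth_results(header: str) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def normalize_name(display: str) -> str:
    """'Pat Chen (CEO)' -> 'pat chen', so titles and case do not defeat the lookup."""
    return re.sub(r"\(.*?\)", "", display).strip().lower()


def analyze(raw: bytes) -> tuple[int, list[str]]:
    """Score one message; higher means more likely a payment-fraud forward."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    sender = msg["From"].addresses[0]
    display, addr = sender.display_name, sender.addr_spec
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    authenticated_internal = from_domain == OUR_DOMAIN and auth.get("dmarc") == "pass"

    # 1. Anything claiming our own domain must pass DMARC; otherwise it is a spoof.
    if from_domain == OUR_DOMAIN and not authenticated_internal:
        score += 50
        reasons.append(f"From claims {OUR_DOMAIN} but dmarc={auth.get('dmarc', 'none')}")

    # 2. Executive display name on an address that is not the executive's
    #    (this is how lookalike domains get past DMARC).
    real = EXECUTIVES.get(normalize_name(display))
    if real and addr.lower() != real:
        score += 40
        reasons.append(f"display name '{display}' used with {addr} instead of {real}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    # 3. A quoted thread of internal addresses that did not arrive through our mail flow.
    quoted_internal = re.findall(r"^>\s*From:.*@" + re.escape(OUR_DOMAIN), body, re.M | re.I)
    if quoted_internal and not authenticated_internal:
        score += 20
        reasons.append("quoted internal thread arrived from outside our mail flow")

    # 4. Payment pressure in the subject or the unquoted top message.
    top = str(msg.get("Subject", "")) + "\n" + "\n".join(
        line for line in body.splitlines() if not line.startswith(">"))
    if any(w in top.lower() for w in MONEY_WORDS):
        score += 15
        reasons.append("payment wording in the top message")
    return score, reasons


def verdict(raw: bytes) -> str:
    score, _ = analyze(raw)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


if __name__ == "__main__":
    for label, raw in (("spoofed", MSG_SPOOFED), ("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT)):
        score, reasons = analyze(raw)
        print(f"{label}: {verdict(raw)} (score {score}) {reasons}")
```

The spoofed and lookalike messages are quarantined, the genuine forward is delivered with only the payment-wording check adding to its score. The point of the second message is the one Austin makes about less aggressive filters: a domain the attacker registers themselves authenticates perfectly, so a filter that stops at SPF/DKIM/DMARC delivers it, and the display-name and quoted-thread checks are what remain between the message and accounts payable.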

There are already examples of these highly sophisticated scams working, with deepfakes and nearly perfect messaging created with AI fooling many into thinking the requests for money are legit.

That has CISOs looking for training and awareness campaigns that can counteract the new generation of phishing and fraud attempts.

Austin is one such CISO. He says he’s opting for frequent simulated phishing attacks, seeing it as “absolutely imperative to keep people’s hackles up.” He’s also implementing more significant consequences for those who fall for those simulated attacks, such as escalating concerns to their bosses or HR.

His goal is to get people “to assume negative intent” when it comes to the digital world, he says, and hopes that extra training and drills will help workers adopt a suspicious mindset so they’ll be more likely to spot even the most sophisticated scams.

8. Quantum computing

While still contending with the pace of AI adoption and escalating AI-enabled threats, CISOs must also prepare their organizations for the arrival of quantum computing, says Tony Velleca, CISO of UST and CEO of CyberProof, a UST subsidiary.

According to the Thales Data Threat Report, organization leaders listed future encryption compromise, key distribution, and future decryption of today’s data, including “harvest now, decrypt later” attacks, as the major quantum computing security threats.

To prepare, Velleca says security chiefs are looking at the encryption they have in their organizations and where it’s needed, as well as prioritizing what data should be moved to quantum-safe encryption and when.
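The prioritization Velleca describes has a standard shape: for each use of public-key cryptography, ask how long the protected data must stay secret and how long replacing the algorithm will take, and compare the sum with the expected arrival of a cryptographically relevant quantum computer (Mosca’s “X + Y > Z” rule of thumb). The script below is an added example, not code from the article, UST or Thales, applying that rule to an inventory constructed for the example. The ten-year horizon, the systems and their lifetimes are illustrative assumptions, not forecasts; the distinction it makes between confidentiality (exposed to “harvest now, decrypt later”) and signatures (only forgeable once the quantum computer exists) is the one that decides what moves first.

```python
"""Rank a cryptographic inventory for migration to quantum-safe algorithms.

Added example, not from the article, UST or Thales. It applies Mosca's rule
(data shelf life + migration time must stay below the time until a
cryptographically relevant quantum computer, CRQC) to a constructed inventory.
The horizon, systems and lifetimes are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

CRQC_HORIZON_YEARS = 10   # assumption for the example, not a forecast

# Public-key algorithms that Shor's algorithm breaks outright.
SHOR_BROKEN = {"RSA-2048", "RSA-4096", "ECDSA-P256", "ECDH-P256", "X25519", "DH-2048"}
# Symmetric primitives only weakened by Grover's search; the fix is a 256-bit key.
GROVER_WEAKENED = {"AES-128": "AES-256"}
# NIST PQC standards (FIPS 203/204/205) and 256-bit symmetric keys need no migration.
QUANTUM_SAFE = {"ML-KEM-768", "ML-DSA-65", "SLH-DSA-SHA2-128s", "AES-256"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    purpose: str                  # "confidentiality" or "authentication"
    data_shelf_life_years: float  # how long what it protects must stay secret
    migration_years: float        # realistic time to replace the algorithm here


def classify(algorithm: str) -> str:
    if algorithm in QUANTUM_SAFE:
        return "safe"
    if algorithm in GROVER_WEAKENED:
        return "weakened"
    if algorithm in SHOR_BROKEN:
        return "broken"
    return "unknown"


def priority(asset: Asset) -> tuple[int, str]:
    """0 = no action ... 3 = urgent, with a reason that can go straight into a plan."""
    kind = classify(asset.algorithm)
    if kind == "safe":
        return 0, "already quantum-safe"
    if kind == "weakened":
        return 1, f"move {asset.algorithm} to {GROVER_WEAKENED[asset.algorithm]} at next key rotation"
    if kind == "unknown":
        return 2, f"inventory gap: confirm what '{asset.algorithm}' actually is"
    # Shor-broken. Confidentiality: traffic captured today is readable once a CRQC
    # exists, so shelf life and migration time both count (Mosca's X + Y > Z).
    if asset.purpose == "confidentiality":
        if asset.data_shelf_life_years + asset.migration_years > CRQC_HORIZON_YEARS:
            return 3, "harvest-now-decrypt-later exposure: data outlives the horizon"
        return 2, "migrate before shelf life plus migration time reaches the horizon"
    # Authentication: past signatures cannot be forged retroactively, so only the
    # migration time has to fit inside the horizon.
    if asset.migration_years > CRQC_HORIZON_YEARS:
        return 3, "signature scheme cannot be replaced before the horizon"
    return 2, "schedule migration of signing keys"


def rank(inventory: list[Asset]) -> list[tuple[str, int, str]]:
    """Most urgent first; ties broken by name so the output is stable."""
    ranked = [(a.name, *priority(a)) for a in inventory]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed inventory for the example.
INVENTORY = [
    Asset("site-to-site-vpn", "ECDH-P256", "confidentiality", 15, 3),
    Asset("hr-records-kms", "RSA-2048", "confidentiality", 7, 1),
    Asset("firmware-signing", "ECDSA-P256", "authentication", 0, 12),
    Asset("sso-token-signing", "RSA-2048", "authentication", 0, 2),
    Asset("backup-archive", "AES-128", "confidentiality", 25, 2),
    Asset("public-tls-edge", "ML-KEM-768", "confidentiality", 1, 0),
    Asset("mainframe-link", "vendor-proprietary", "confidentiality", 10, 5),
]

if __name__ == "__main__":
    for name, level, why in rank(INVENTORY):
        print(f"{level} {name:20} {why}")
```

On this inventory the VPN (15-year shelf life plus a 3-year migration) and the firmware signing key (12 years to rotate devices in the field) come out urgent, the short-lived SSO tokens and the HR key wrapping are scheduled rather than urgent, and the mainframe link lands at the same level only because nobody can say what it runs, which is the inventory gap Thales’s 36% figure points at.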

9. Setting the right priorities

Solving for these issues is itself a top concern for CISOs, says Matt Gorham, leader of PwC’s Cyber and Risk Innovation Institute.

“What’s occupying a ton of time for CISOs today is competing priorities,” he says. “The threat environment is such that they’re spending a great deal of time prioritizing all they need to do, and they’re doing it at a time when we face a significant talent shortage so they’re trying to cover the entire gamut with less help than they’d prefer. That’s the essence of what CISOs struggle with today — just prioritizing the large portfolio of issues they have.”

10. Getting risk right

To prioritize work, CISOs need to understand what matters most to the business and what risks are most consequential to the organization. Yet many still struggle with these tasks, says Chris Simpson, director of National University’s Center for Cybersecurity.

Research confirms this remains an issue for CISOs: According to the Proofpoint survey, boardroom alignment with CISOs decreased from 84% in 2024 to 64% in 2025.

“Cybersecurity is there to support the business, so CISOs have to understand the business’ risk tolerance, which will drive decisions on what to implement and risk mitigation strategies. It is something CISOs are always working on,” Simpson says.
