{"id":4219,"date":"2025-08-04T07:00:00","date_gmt":"2025-08-04T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4219"},"modified":"2025-08-04T07:00:00","modified_gmt":"2025-08-04T07:00:00","slug":"6-things-keeping-cisos-up-at-night","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4219","title":{"rendered":"6 things keeping CISOs up at night"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs have a lot on their minds: from team burnout and AI risks to the pressure of proving business value, security leaders are juggling a complex range of threats.<\/p>\n<h2 class=\"wp-block-heading\">The security profession has a stress problem<\/h2>\n<p>The security profession has a pervasive stress problem, one that affects practitioners from entry-level analysts to C-level executives. The pace of change, constant exposure to threats, and the pressure of operating at high stakes create an environment where there\u2019s a lack of psychological safety.<\/p>\n<p>\u201cWe have a stress problem and there is a lot of shame in coming forward and saying you\u2019re not dealing with what you\u2019re doing on a day-to-day basis,\u201d says Qualtrics CSO Assaf Keren.<\/p>\n<p>The culture of silence needs to change, or the profession risks burning out talented individuals and deepening the industry\u2019s skill gap, according to Keren. \u201cYou shouldn\u2019t be up at night because of your work, and if something keeps you up at night because of work, you should seek some help.\u201d<\/p>\n<p>He wants seeking help to become normalized in the profession, where the personal and professional costs of mistakes or misfortune can be high. 
\u201cWe have the resources to make things better and we all should be doing more as a profession,\u201d he tells CSO.<\/p>\n<p>Keren is excited about the possibilities of AI, such as handling triage or certain manual tasks, to help relieve some of the burden on security practitioners and the associated stress. \u201cThe more we can take away menial day-to-day jobs that people are doing and have them focus on big picture thinking, the more we reduce the disruption to the flow of work.\u201d<\/p>\n<h2 class=\"wp-block-heading\">AI\u2019s potential to create a competency crisis<\/h2>\n<p>At mental health organization Headspace, CISO Jameeka Aaron sees many potential applications for AI, but she is balancing enablement with caution. In particular, Aaron is concerned about the impact of generative AI on the hiring process. While strong developers can leverage AI to their advantage, weaker developers may appear more capable during interviews and preliminary assessments.<\/p>\n<p>\u201cYou have to have the skills. If you don\u2019t, AI will certainly help you answer interview questions, but when you get to the job, it\u2019s not helpful, and we know very quickly if someone\u2019s capabilities don\u2019t exactly align with how they showed up in an interview,\u201d she says.<\/p>\n<p>It adds another layer of difficulty for already overstretched CISOs. \u201cWith AI, it\u2019s becoming harder to understand the capabilities of potential employees,\u201d she says.<\/p>\n<p>AI tools can mask skill deficiencies, and that is something CISOs can\u2019t easily fix with a new control or tool. \u201cThere\u2019s a risk of hiring people who interview well with AI assistance but lack fundamental technical knowledge,\u201d she says. 
\u201cYou need to have tribal knowledge and a deep understanding of the technologies you\u2019re enabling, and if you don\u2019t, AI isn\u2019t going to help you do that.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The pressure to move fast, but not break things<\/h2>\n<p>What keeps Fortitude Re CISO Elliott Franklin up at night isn\u2019t just the threat actors; it\u2019s the internal complexity CISOs are wrestling with every day. \u201cMost of us are managing a patchwork of tools and platforms that were never designed to work together,\u201d says Franklin.<\/p>\n<p>Over time, layers of solutions have accumulated to meet compliance needs, respond to incidents or satisfy audits, and CISOs are stuck trying to glue them into something coherent, but the structure is inherently fragile, according to Franklin. \u201cThe more fragile it gets, the more likely something will break. When it does, security is the one holding the bag.\u201d<\/p>\n<p>Third-party risk compounds the problem, and Franklin cites the recent McDonald\u2019s hiring bot breach, which was caused by a vendor <a href=\"https:\/\/www.csoonline.com\/article\/4020919\/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html\">using \u2018123456\u2019 as an admin password<\/a>, as a perfect example. \u201cThat wasn\u2019t some cutting-edge nation-state hack. It was a basic failure most orgs would catch internally \u2014 but when it\u2019s a partner, our control is limited, and our accountability isn\u2019t,\u201d he says.<\/p>\n<p>It also comes back to the problem of the basics being overlooked in the rush towards shiny new tools. \u201cIt\u2019s a perfect example of how flashy tech is masking basic security failures. What keeps me up at night isn\u2019t the lack of innovation, it\u2019s that we\u2019re forgetting the fundamentals,\u201d he says.<\/p>\n<p>At the same time, security teams are expected to enable innovation without being a roadblock. 
\u201cBut when security isn\u2019t brought in early, we\u2019re forced into a reactive posture that benefits no one. I do worry about attackers. But I lose more sleep over the internal pressure to move fast on fragile infrastructure, to trust third parties without verifying them, and to chase new tech while skipping the basics,\u201d he says.<\/p>\n<p>AI is exacerbating these challenges and isn\u2019t going to fix the underlying problems, warns Franklin. \u201cI\u2019m a big believer in using it where it makes sense \u2014 we\u2019re leaning into AI to reduce manual work and improve speed. But we\u2019ve got to be honest with ourselves: AI isn\u2019t going to fix broken fundamentals.\u201d<\/p>\n<p>Organizations struggle to identify everywhere AI is being used, let alone how to secure it. \u201cIf you don\u2019t have visibility, if your access controls are weak, or if no one\u2019s reviewing your alerts, AI just adds another layer of complexity. Worse, it can give leadership the illusion that we\u2019re more secure than we actually are,\u201d Franklin says.<\/p>\n<h2 class=\"wp-block-heading\">Deepfakes are causing major security headaches<\/h2>\n<p>Deepfakes are emerging as another security threat, enabling employee impersonation campaigns. As this AI-powered threat becomes more sophisticated, CISOs face major challenges in preventing and detecting these attacks and protecting their organizations.<\/p>\n<p>The deepfake employee problem arises when AI is used to impersonate someone during a remote interview. In Aaron\u2019s organization, the team has detected mismatches between candidates and their resumes, or cases where the name given in a remote interview doesn\u2019t seem to match the person. With many organizations conducting candidate interviews remotely, they will need to pay more attention to identifying and blocking these threats.<\/p>\n<p>Deepfakes are something that we\u2019re going to have to pay attention to, Aaron says. 
While regulation is lagging behind the technology, it\u2019s a threat that security practitioners can\u2019t fight alone. \u201cWe need deep partnerships with vendors to make sure we all understand what\u2019s possible and then we defend as much as we can against those things,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Phishing is harder to catch<\/h2>\n<p>Phishing emails have become far more realistic and have increased in volume now that generative AI is available to cyber criminals. It has given attackers the ability to emulate the English language flawlessly. \u201cThere are no more emails written in broken English. [Cyber criminals] are gathering information and putting out very realistic-looking phishing emails,\u201d says Aaron.<\/p>\n<p>\u201cIt isn\u2019t AI itself that keeps me up at night. It\u2019s the capabilities, like AI\u2019s ability to mimic humanity, that keep me up at night,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Connecting security priorities to business outcomes<\/h2>\n<p>The CISO role has its own headaches and worries. Increasingly, the task of translating security initiatives into business value is one of the hardest, but most important, aspects of the role. \u201cThe ability to connect security priorities to business outcomes is a muscle that is sorely needed, and it\u2019s very hard, but it\u2019s increasingly necessary for CISOs to provide value and influence at the executive level,\u201d says Keren.<\/p>\n<p>Success is hard to measure when it\u2019s defined by what didn\u2019t happen \u2014 no breaches, fewer vulnerabilities or the addition of new tools. Seasoned security leaders have learnt to adapt their reference points, especially in businesses exposed to market forces. \u201cWe\u2019re a business function and we\u2019re measured by the stock price of the company,\u201d says Keren.<\/p>\n<p>However, without a clear path to becoming a business-oriented security leader, CISOs face uncertainty about the best way forward. 
\u201cIt\u2019s definitely the role of the business to bring the CISO along to understand the business and be part of the rhythm of business to enable them to be connected,\u201d he says.<\/p>\n<p>Keren suggests CISOs seek targeted training, education, and mentorship to help get a better grasp of how to translate security into business metrics.<\/p>\n<p>With a career that includes executive roles in sales and professional services, Agero CISO and CIO Bob Sullivan has developed a strong business mindset. He links metrics to what matters, the business mission, showing where security risks could damage the business and where they could not.<\/p>\n<p>For example, a list of vulnerabilities sounds bad, until he\u2019s able to explain which ones are benign, or not externally facing, and therefore pose little real-world threat. For those that are a risk to the business, Sullivan visualizes the threat path to demonstrate how an exploit could lead to PII, and how a breach in which that data is sold or exposed would have major ramifications. \u201cIf I just say it\u2019s a configuration issue within the cloud, it\u2019s meaningless to them. But if I can visualize it, I can create that context and tie it to a business story,\u201d Sullivan tells CSO.<\/p>\n<p>In many ways, it is defining risk in terms of dollar or reputational impact, because those are the fundamentals of business viability. \u201cAs a cyber professional, you have to be able to speak the language of business or no one\u2019s going to listen,\u201d he says.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs have a lot on their minds: from team burnout and AI risks to the pressure of proving business value, security leaders are juggling a complex range of threats. The security profession has a stress problem The security profession has a pervasive stress problem, one that affects practitioners from entry-level analysts to C-level executives. 
The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4220,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4219"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4219"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4219\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4220"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}