{"id":5543,"date":"2025-10-27T07:00:00","date_gmt":"2025-10-27T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5543"},"modified":"2025-10-27T07:00:00","modified_gmt":"2025-10-27T07:00:00","slug":"the-10-biggest-issues-cisos-and-cyber-teams-face-today","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5543","title":{"rendered":"The 10 biggest issues CISOs and cyber teams face today"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The CISO job is tough, and it\u2019s getting tougher: 66% of security leaders surveyed for the <a href=\"https:\/\/www.isaca.org\/about-us\/newsroom\/press-releases\/2025\/state-of-cybersecurity-2025-global-press-release\">2025 State of Cybersecurity report<\/a> from professional association ISACA said their roles are more stressful today than they were five years ago \u2014 in the midst of a pandemic.<\/p>\n<p>Dig into all they\u2019re facing, and it\u2019s no wonder why security leaders and their teams are stressed.<\/p>\n<p>CISOs are dealing with rising risks, competing priorities, limited budgets, and more. Here, they cite the 10 issues that are top of mind today.<\/p>\n<h2 class=\"wp-block-heading\">1. Securing AI infrastructure<\/h2>\n<p>Any CISO who\u2019s been in the profession long enough will know that emerging technologies advance faster than the tools and strategies to effectively secure them.<\/p>\n<p>It\u2019s no different with artificial intelligence.<\/p>\n<p>\u201cWe have an issue where cybersecurity and guardrails for the use of AI are in their infancy, but the use of AI is not,\u201d says TCE Strategy CEO <a href=\"https:\/\/www.csoonline.com\/Bryce%20Austin%20-%20TCE%20Strategy\">Bryce Austin<\/a>, a cybersecurity expert and risk consultant.<\/p>\n<p>Research bears this out. 
Some 60% of global CISOs believe generative AI poses a risk to their organization, up from 54% in 2024, according to the <a href=\"https:\/\/www.proofpoint.com\/us\/newsroom\/press-releases\/proofpoint-2025-voice-ciso-report\">2025 Voice of the CISO Report<\/a> from security tech company Proofpoint.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/Rob%20T.%20Lee\">Robert T. Lee<\/a>, chief AI officer and chief of research at SANS, a security training and certification firm, says some security teams are treating AI like it\u2019s a conventional technology, but it\u2019s not \u2014 and they haven\u2019t yet developed the knowledge and skills needed to develop the new paradigm to secure AI.<\/p>\n<p>\u201cIt\u2019s not finger-pointing; we\u2019re all learning,\u201d Lee says. \u201cBusiness is now expected to embrace and move quickly with AI. Boards and C-level executives are saying, \u2018We have to lean into this more\u2019 and then they turn to security teams to support AI. But security doesn\u2019t fully understand the risk. No one has this down because it\u2019s moving so fast.\u201d<\/p>\n<p>As a result, many organizations <a href=\"https:\/\/www.csoonline.com\/article\/3529615\/companies-skip-security-hardening-in-rush-to-adopt-ai.html\">skip security hardening in their rush to embrace AI<\/a>. But CISOs are catching up. According to the findings of ISACA\u2019s survey, 47% of security leaders said they have helped <a href=\"https:\/\/www.cio.com\/article\/3984527\/how-to-establish-an-effective-ai-grc-framework.html\">develop AI governance<\/a> (up from 35% in 2024) and 40% said they\u2019ve been involved in AI implementation (up from 29% the prior year).<\/p>\n<h2 class=\"wp-block-heading\">2. 
Escalating \u2014 and accelerating \u2014\u00a0AI-enabled attacks<\/h2>\n<p>A <a href=\"https:\/\/www.bcg.com\/publications\/2025\/ai-creates-cyber-risks-can-resolve-them\">2025 survey from Boston Consulting Group<\/a> found that 80% of CISOs worldwide cited AI-powered cyberattacks as their top concern, a 19-point increase from the previous year. A <a href=\"https:\/\/www.darktrace.com\/news\/new-report-finds-that-78-of-chief-information-security-officers-globally-are-seeing-a-significant-impact-from-ai-powered-cyber-threats\">2025 survey from Darktrace<\/a>, a security technology firm, found that 78% of CISOs reported a significant impact from AI-driven threats, up 5% from 2024.<\/p>\n<p>\u201cOne of the things that keeps me up at night and scares me is the fact that AI has driven the time to compromise down to minutes and seconds,\u201d says <a href=\"https:\/\/www.csoonline.com\/(51)%20Jenai%20Marinkovic%20%7C%20LinkedIn\">Jenai Marinkovic<\/a>, a virtual CTO and CISO with Tiro Security and an ISACA cybersecurity expert.<\/p>\n<p>To counteract this new reality, Marinkovic is fortifying the IT environments she\u2019s charged with securing, strengthening defenses, and preparing her security teams for AI-enabled attacks \u2014 and <a href=\"https:\/\/www.csoonline.com\/article\/3841865\/what-cybersecurity-teams-need-to-know-about-shrinking-attack-timeframes.html\">the speed at which they can happen<\/a>. \u201cIt used to be you could do a tabletop exercise once a month and be ready; <a href=\"https:\/\/www.csoonline.com\/article\/4071102\/cisos-must-rethink-the-tabletop-as-57-of-incidents-have-never-been-rehearsed.html\">now you have to do it almost every day<\/a>,\u201d she adds.<\/p>\n<h2 class=\"wp-block-heading\">3. Securing data in an AI world<\/h2>\n<p>Some 67% of security leaders surveyed for Proofpoint\u2019s 2025 Voice of the CISO Report said they see information protection and governance as a top priority. 
The report also found that just two-thirds indicated that the data within their organization is adequately protected, despite nearly all CISOs reporting having data loss prevention technologies in place.<\/p>\n<p>The <a href=\"https:\/\/cpl.thalesgroup.com\/data-threat-report\">2025 Data Threat Report<\/a> from Thales, a multinational aerospace and defense corporation specializing in electronics, found that 36% of respondents were somewhat or not at all confident in their ability to identify where their data is stored.<\/p>\n<p>Moreover, <a href=\"https:\/\/www.thalesgroup.com\/en\/about-thales\/todd-moore\">Todd Moore<\/a>, global vice president of data security at Thales, says CISOs are facing a torrent of AI-generated data \u2014 generally unstructured data such as chat logs \u2014 that needs to be secured.<\/p>\n<p>\u201cIn some aspects, AI is becoming the new insider threat in organizations,\u201d he says. \u201cThe reason why I say it\u2019s a new insider threat is because there\u2019s a lot of information that\u2019s being put in places you never expected. CISOs need to identify and find that data and be able to see if that data is critical and then be able to protect it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">4. An ever-expanding threat landscape<\/h2>\n<p>The volume, velocity and speed of attacks have been on the rise for decades, a trend that has CISOs and their teams constantly trying to keep up. AI has only accelerated that trend, says <a href=\"https:\/\/www.csoonline.com\/Katell%20Thielemann\">Katell Thielemann<\/a>, distinguished vice president analyst at research firm Gartner.<\/p>\n<p>\u201cIn the age of AI, the threat landscape has changed dramatically. The attack surface has grown rapidly, and shadow tech adoption is even more widespread,\u201d Thielemann says. 
\u201cCISOs have always had to deal with those things, but now it\u2019s much more complicated.\u201d<\/p>\n<p>Hackers are more organized and backed by organized crime syndicates and governments. They\u2019ve become more professional, developing supply chains of their own to enhance attack capabilities. And <a href=\"https:\/\/www.csoonline.com\/article\/4014238\/cybercriminals-take-malicious-ai-to-the-next-level.html\">they\u2019re using AI<\/a> to increase their proficiency, scale, and success rates.<\/p>\n<p>The environment CISOs must protect has expanded, too.<\/p>\n<p>\u201cIn the age of just-in-time production and having all kinds of tech linked to each other, CISOs are trying to protect a landscape that\u2019s larger and more interconnected than ever,\u201d Thielemann says.<\/p>\n<p>Consider the findings from <a href=\"https:\/\/www.pwc.com\/us\/en\/services\/consulting\/cybersecurity-risk-regulatory\/library\/global-digital-trust-insights.html\">PwC\u2019s 2026 Global Digital Trust Insights report<\/a>: Roughly half of those surveyed said their organization is at best only \u201csomewhat capable\u201d of withstanding cyberattacks targeting specific vulnerabilities and only 6% feel confident across all vulnerabilities.<\/p>\n<p>And with exploits sharply rising, more CISOs are looking to <a href=\"https:\/\/www.csoonline.com\/article\/4065137\/cisos-advised-to-rethink-vulnerability-management-as-exploits-sharply-rise.html\">rethink vulnerability management<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">5. \u2026 and increasingly vicious attacks<\/h2>\n<p>Security experts have long warned that anyone could be a victim of a cyberattack, yet a hope that some entities were off-limits persisted. 
The September 2025 breach of the Kido International Preschool chain, in which hackers used pictures and names of some 8,000 children served by the company to demand ransom, was seen by many as a new low.<\/p>\n<p>\u201cWe\u2019re now getting to the stage where no one is off-limits,\u201d says <a href=\"https:\/\/www.csoonline.com\/Simon%20Backwell\">Simon Backwell<\/a>, head of information security at tech company Benifex and a member of ISACA\u2019s Emerging Trends Working Group. \u201cAttack groups are getting bolder, and they don\u2019t care about the consequences. They want to cause mass destruction.\u201d<\/p>\n<h2 class=\"wp-block-heading\">6. Budget constraints<\/h2>\n<p>Surveys show that a majority of organizations are spending more on security year over year, but increases aren\u2019t keeping pace with the rising volume and viciousness of attacks. That is upping the pressure CISOs feel, says Thielemann.<\/p>\n<p>\u201cThey have to stay within the cost profile at the same time the threat is increasing and the technology debt and the old stuff that\u2019s harder to secure isn\u2019t going away and the new attack vectors are coming in and the new tech is making this all the more difficult,\u201d she says.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/Brian%20DePersiis%20%E2%80%93%20EY%20Americas%20Cybersecurity%20Strategy%20Leader%20%7C%20EY%20-%20US\">Brian L. 
DePersiis<\/a>, Americas cybersecurity strategy leader at professional services firm EY, predicts that CISOs may face even more financial pressure in the near term, given the economic uncertainty many business leaders have been expressing.<\/p>\n<p>\u201cThere is pressure on CISOs to reduce costs,\u201d he says, noting that CISOs are automating capabilities, <a href=\"https:\/\/www.csoonline.com\/article\/2515727\/6-tips-for-consolidating-your-it-security-tool-set.html\">simplifying their security tech stack<\/a>, shedding bespoke solutions, and <a href=\"https:\/\/www.csoonline.com\/article\/4016339\/skills-gaps-send-cisos-in-search-of-managed-security-providers.html\">outsourcing some functions<\/a> to create efficiencies and save money.<\/p>\n<h2 class=\"wp-block-heading\">7. Preparing employees to not fall for increasingly sophisticated scams<\/h2>\n<p>TCE Strategy\u2019s Austin came across a novel phishing attack. A hacker had created what seemed to be a months-long email chain between what appeared to be the company\u2019s CEO (with legitimate-looking logos and information) and a supplier. The hacker had forwarded the email thread to accounts payable, with the top message seeking an overdue payment.<\/p>\n<p>The company\u2019s email filtering tool had quarantined that email, flagging the server it had been sent from, but Austin says it likely would have gotten by filters that aren\u2019t set as \u201caggressively\u201d as the filter in that company. 
And an email like that, once in an employee\u2019s inbox, had a good chance of duping the recipient.<\/p>\n<p>There are already examples of these <a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\">highly sophisticated scams working<\/a>, with <a href=\"https:\/\/www.csoonline.com\/article\/3982379\/deepfake-attacks-are-inevitable-cisos-cant-prepare-soon-enough.html\">deepfakes<\/a> and nearly perfect messaging created with AI fooling many into thinking the requests for money are legit.<\/p>\n<p>That has CISOs looking for <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">training and awareness campaigns<\/a> that can counteract the new generation of phishing and fraud attempts.<\/p>\n<p>Austin is one such CISO. He says he\u2019s opting for frequent simulated phishing attacks, seeing it as \u201cabsolutely imperative to keep people\u2019s hackles up.\u201d He\u2019s also implementing more significant consequences for those who fall for those simulated attacks, such as escalating concerns to their bosses or HR.<\/p>\n<p>His goal is to get people \u201cto assume negative intent\u201d when it comes to the digital world, he says, and hopes that extra training and drills will help workers adopt a suspicious mindset so they\u2019ll be more likely to spot even the most sophisticated scams.<\/p>\n<h2 class=\"wp-block-heading\">8. 
Quantum computing<\/h2>\n<p>Still contending with securing the speed of AI adoption and escalating AI-enabled threats, CISOs must also be <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">preparing their organizations for the arrival of quantum computing<\/a>, says <a href=\"https:\/\/www.csoonline.com\/Tony%20Velleca-%20Chief%20Information%20Security%20Officer%20and%20CEO%20of%20CyberProof,%20a%20UST%20company\">Tony Velleca<\/a>, CISO of UST and CEO of CyberProof, a UST subsidiary.<\/p>\n<p>According to the Thales Data Threat Report, organization leaders listed future encryption compromise, key distribution, and future decryption of today\u2019s data, including \u201charvest now, decrypt later\u201d attacks, as the major quantum computing security threats.<\/p>\n<p>To prepare, Velleca says security chiefs are <a href=\"https:\/\/www.csoonline.com\/article\/4030898\/prepping-for-the-quantum-threat-requires-a-phased-approach-to-crypto-agility.html\">looking at the encryption they have in their organizations<\/a> and where it\u2019s needed, as well as prioritizing what data should be moved to quantum-safe encryption and when.<\/p>\n<h2 class=\"wp-block-heading\">9. Setting the right priorities<\/h2>\n<p>Solving for these issues is itself a top concern for CISOs, says <a href=\"https:\/\/www.csoonline.com\/(35)%20Matt%20G.%20%7C%20LinkedIn\">Matt Gorham<\/a>, leader of PwC\u2019s Cyber and Risk Innovation Institute.<\/p>\n<p>\u201cWhat\u2019s occupying a ton of time for CISOs today is competing priorities,\u201d he says. \u201cThe threat environment is such that they\u2019re spending a great deal of time prioritizing all they need to do, and they\u2019re doing it at a time when we face a significant talent shortage so they\u2019re trying to cover the entire gamut with less help than they\u2019d prefer. 
That\u2019s the essence of what CISOs struggle with today \u2014 just prioritizing the large portfolio of issues they have.\u201d<\/p>\n<h2 class=\"wp-block-heading\">10. Getting risk right<\/h2>\n<p>To prioritize work, CISOs need to understand what matters most to the business and what risks are most consequential to the organization. Yet many still struggle with these tasks, says <a href=\"https:\/\/www.csoonline.com\/Mr.%20Christopher%20Simpson%20%7C%20National%20University\">Chris Simpson<\/a>, director of National University\u2019s Center for Cybersecurity.<\/p>\n<p>Research confirms this remains an issue for CISOs: According to the Proofpoint survey, boardroom alignment with CISOs decreased from 84% in 2024 to 64% in 2025.<\/p>\n<p>\u201cCybersecurity is there to support the business, so CISOs have to understand the business\u2019 risk tolerance, which will drive decisions on what to implement and risk mitigation strategies. It is something CISOs are always working on,\u201d Simpson says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The CISO job is tough, and it\u2019s getting tougher: 66% of security leaders surveyed for the 2025 State of Cybersecurity report from professional association ISACA said their roles are more stressful today than they were five years ago \u2014 in the midst of a pandemic. 
Dig into all they\u2019re facing, and it\u2019s no wonder why [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5544,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5543"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5543"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5544"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}