{"id":6713,"date":"2026-01-27T07:00:00","date_gmt":"2026-01-27T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6713"},"modified":"2026-01-27T07:00:00","modified_gmt":"2026-01-27T07:00:00","slug":"4-issues-holding-back-cisos-security-agendas","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6713","title":{"rendered":"4 issues holding back CISOs\u2019 security agendas"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Many security leaders believe a cyberbreach is inevitable, with the timing being the only uncertainty. It\u2019s a belief encapsulated in the common refrain that a breach is \u201cnot if, but when.\u201d<\/p>\n<p>But a growing number of CISOs now expect an incident sooner than later: Some 76% said they feel at risk of experiencing a material cyberattack in the next 12 months, according to the <a href=\"https:\/\/www.proofpoint.com\/us\/newsroom\/press-releases\/proofpoint-2025-voice-ciso-report\">Voice of the CISO Report<\/a> released by security tech company Proofpoint in August 2025. That\u2019s up from 70% the prior year.<\/p>\n<p>The report also found that 58% of CISOs believe their organization is unprepared to respond.<\/p>\n<p>Besides the overall feeling of near inevitability of attack, security chiefs acknowledge that various challenges keep them from boosting their overall security posture and feeling more confident in their ability to block or respond to attacks.<\/p>\n<p>Here, security leaders share four issues that hold back the enterprise security agenda.<\/p>\n<h2 class=\"wp-block-heading\">1. Failure to train and empower team members to act on priorities<\/h2>\n<p>CISOs readily admit their security teams have more work to do than can be done. 
<a href=\"https:\/\/www.csoonline.com\/article\/4112130\/stress-caused-by-cybersecurity-threats-is-taking-its-toll.html\">That leads to a lot of stress<\/a>: Some 80% of CISOs report being under high or extreme pressure today, according to the <a href=\"https:\/\/nagomisecurity.com\/ciso-pressure-index\">2025 CISO Pressure Index<\/a> from tech maker Nagomi Security, and 87% said that <a href=\"https:\/\/www.csoonline.com\/article\/3851735\/cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far.html\">pressure has increased over the past 12 months<\/a>. Additionally, 67% report being burned out weekly or daily.<\/p>\n<p>\u201cEvery CISO feels very overwhelmed,\u201d says <a href=\"https:\/\/www.databricks.com\/dataaisummit\/speaker\/omar-khawaja\">Omar Khawaja<\/a>, who leads Databricks\u2019 field security practice, teaches at Carnegie Mellon University\u2019s CISO program, and sits on the boards of HITRUST and FAIR Institute.<\/p>\n<p>To cope, CISOs have become skilled at prioritizing, with tasks that reduce the most significant risks to the organization <a href=\"https:\/\/www.csoonline.com\/article\/4114020\/cisos-top-10-cybersecurity-priorities-for-2026.html\">topping their lists<\/a>.<\/p>\n<p>Too often, however, CISOs don\u2019t train their team members so they can competently make decisions and take actions that align with those priorities, says Khawaja, a former CISO at Highmark Health.<\/p>\n<p>That keeps executives making all the priority calls, which ties them up and slows the whole team down.<\/p>\n<p>CISOs should aim to have team members know when and how to make prioritization calls for their own areas of work, \u201cso that every single team is focusing on the most important stuff,\u201d Khawaja says.<\/p>\n<p>\u201cTo do that, you need to create clear mechanisms and instructions for how you do decision-support,\u201d he explains. 
\u201cThere should be criteria or factors that say it\u2019s high, medium, low priority for anything delivered by the security team, because then any team member can look at any request that comes to them and they can confidently and effectively prioritize it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">2. Inability to keep pace with AI innovation and adoption<\/h2>\n<p>Executives and employees alike have been rushing to adopt artificial intelligence, enticed by expectations that AI will transform workflows and save time, money, and effort.<\/p>\n<p>But CISOs for the most part have not kept pace with their business colleagues\u2019 rate of AI adoption.<\/p>\n<p>According to a survey of 921 IT and cybersecurity professionals conducted for Cyera\u2019s <a href=\"https:\/\/www.cyera.com\/research-labs\/2025-state-of-ai-data-security-report\">2025 State of AI Data Security Report<\/a>, 83% of organizations use AI but only 13% have strong visibility into how those systems access or handle sensitive data; only 16% treat AI as a distinct identity; only 11% of organizations can automatically block risky AI activity; and only 7% have a dedicated AI governance team.<\/p>\n<p>\u201cMost CISOs are wrestling with how to secure AI,\u201d says Robert T. Lee, chief AI officer and chief of research at SANS, a security training and certification firm.<\/p>\n<p>According to Lee, a good number of CISOs still either prohibit proposed AI use cases because of security concerns \u2014 what he terms the \u201c<a href=\"https:\/\/robtlee73.substack.com\/p\/the-framework-of-no-why-your-security\">Security Framework of No<\/a>\u201d \u2014 or slow adoption while they evaluate the AI\u2019s security.<\/p>\n<p>\u201cThere is a general lack of knowledge on how to approach AI,\u201d Lee says.<\/p>\n<p>In fairness to CISOs, the business doesn\u2019t always help matters here, Lee notes. \u201cAt many organizations their AI strategy is changing quickly; a new AI version comes out and so their agenda changes, and then a month later something else new comes out and it changes again. There is this moving target of what the security team is being asked to secure,\u201d he says.<\/p>\n<p>Regardless, Lee says it\u2019s clear that the security team\u2019s inability to keep pace with AI innovation and the enterprise\u2019s desire to quickly adopt is problematic. It stymies the organization\u2019s agenda by slowing transformation. 
It also hinders the security department\u2019s success, because the <a href=\"https:\/\/www.csoonline.com\/article\/3529615\/companies-skip-security-hardening-in-rush-to-adopt-ai.html\">business often bypasses security altogether<\/a> rather than have to slow or stop its AI journey.<\/p>\n<p>As a result, CISOs and their organizations <a href=\"https:\/\/www.csoonline.com\/article\/4044007\/shadow-ai-is-surging-getting-ai-adoption-right-is-your-best-defense.html\">end up with shadow AI<\/a>, unmanaged agents, and opaque data flows that create a poorly secured, expanded attack surface, Lee adds.<\/p>\n<p>Of course, there is still a need to <a href=\"https:\/\/www.csoonline.com\/article\/4033338\/how-cybersecurity-leaders-are-securing-ai-infrastructures.html\">adequately evaluate and secure AI deployments<\/a>, Lee says, adding that organizations should not simply accept vendor assurances that their AI components are secure.<\/p>\n<p>According to Lee, the CISOs who keep pace with their organization\u2019s AI strategy take a holistic approach, rather than work deployment to deployment. They establish a risk profile for specific data, so security doesn\u2019t spend much time evaluating AI deployments that use low-risk data and can prioritize work on AI use cases that need medium- or high-risk data. They also assign security staffers to individual departments to stay on top of AI needs, and they train security teams on the skills needed to evaluate and secure AI initiatives.<\/p>\n<h2 class=\"wp-block-heading\">3. 
Limited adoption of AI for security operations<\/h2>\n<p>Like their business colleagues, some CISOs are <a href=\"https:\/\/www.csoonline.com\/article\/4042494\/how-ai-is-reshaping-cybersecurity-operations.html\">embracing AI to transform their operations<\/a> \u2014 but they appear far from being a majority, despite the benefits the technology brings to cybersecurity.<\/p>\n<p>The <a href=\"https:\/\/www.isc2.org\/Insights\/2025\/12\/2025-ISC2-Cybersecurity-Workforce-Study\">2025 ISC2 Cybersecurity Workforce Study<\/a> found that only 28% of the 16,000 enterprise leaders surveyed had integrated AI tools into their security operations. The study found 19% testing them and 22% in the early evaluation phase.<\/p>\n<p>\u201cCISOs are playing a bit of catch-up\u201d in terms of deploying AI at the same speed as the business, says <a href=\"https:\/\/events.isc2.org\/b\/sp\/jon-france-5332\">Jon France<\/a>, CISO of ISC2, a cybersecurity training and certification organization.<\/p>\n<p>That slow pace exists even though use of <a href=\"https:\/\/www.csoonline.com\/article\/4064158\/agentic-ai-in-it-security-where-expectations-meet-reality.html\">AI in security operations is proving beneficial<\/a>, France adds, noting that 63% of those who are using AI security tools reported a significant boost to their productivity.<\/p>\n<p>According to the ISC2 study, \u201cIn terms of where AI is expected to have the most impact on cybersecurity operations in the shortest amount of time, 40% pointed toward network monitoring for the highest positive impact, followed by security operations and security testing (both at 30%), vulnerability management (29%), threat modeling and endpoint protection (both at 28%).\u201d<\/p>\n<h2 class=\"wp-block-heading\">4. 
The lack of needed talent and required skills<\/h2>\n<p>Although CISOs have long cited challenges in hiring enough qualified security workers, they\u2019re increasingly citing it as a roadblock to advancing their security agendas.<\/p>\n<p>The 2025 <a href=\"https:\/\/www.accenture.com\/us-en\/insights\/security\/state-cybersecurity-2025\">State of Cybersecurity Resilience<\/a> from professional services firm Accenture found that 83% of IT executives identified their cyber talent shortage \u201cas a major obstacle to achieving a strong security posture.\u201d<\/p>\n<p>The ISC2 study highlighted a two-headed problem.<\/p>\n<p>First is the talent shortage, with 63% reporting in 2025 that they have a slight or significant cybersecurity shortage, a modest improvement over the 68% who said as much in 2024.<\/p>\n<p>Second is the skills gap. According to the report, 59% in 2025 have critical or significant skills needs, up from 44% in 2024, and 95% have at least one or more skills needs, up 5% on the previous year. Survey respondents said AI was the most pressing skills need (41%), followed by cloud security (36%), risk assessment (29%), application security (28%), security engineering and governance, (27%) and risk and compliance (also at 27%).<\/p>\n<p>\u201cWe need people who are suitable to discharge the duties of security roles today,\u201d France says.<\/p>\n<p>Khawaja also cites the lack of \u201cthe right skills on the security team\u201d as an obstacle for CISO success.<\/p>\n<p>However, Khawaja sees the challenge for CISOs not being about hiring for technical skills or even soft skills, but what he called \u201cmiddle skills,\u201d such as risk management and change management. 
These skills he sees becoming more crucial for <a href=\"https:\/\/www.csoonline.com\/article\/4080670\/what-does-aligning-security-to-the-business-really-mean.html\">aligning security to the business<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">getting users to adopt security protocols<\/a>, and ultimately improving the organization\u2019s security posture. \u201cIf you don\u2019t have [those middle skills], there\u2019s only so far the security team can go,\u201d he says.<\/p>\n<p>Although CISOs are fighting labor market forces that are well beyond their direct control and influences, Khawaja and others say there are steps CISOs can take to address their talent and skills shortages, saying a solid talent strategy that <a href=\"https:\/\/www.csoonline.com\/article\/3963314\/cisos-rethink-hiring-to-emphasize-skills-over-degrees-and-experience.html\">focuses on hiring for skills and competencies<\/a> can help CISOs get what they need to advance their security agendas.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Many security leaders believe a cyberbreach is inevitable, with the timing being the only uncertainty. 
It\u2019s a belief encapsulated in the common refrain that a breach is \u201cnot if, but when.\u201d But a growing number of CISOs now expect an incident sooner than later: Some 76% said they feel at risk of experiencing a material [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6714,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6713","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6713"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6713"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6713\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6714"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6713"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6713"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}