CISOs are managing risk in survival mode

CISOs carry expanding responsibility as cybersecurity budgets rise, AI adoption spreads, and board expectations grow. Risk management now depends on faster decisions, stronger coordination, and better communication across leadership teams. This article shows how CISOs are responding to growing pressure, ongoing threats, and organizational gaps, while trying to turn rising investment into risk reduction and resilience.

CISOs are spending big and still losing ground

Budgets keep rising, cloud programs keep expanding, and AI is reshaping both threats and defenses. Still, CISOs say the fundamentals of risk reduction are not improving fast enough. Organizations continue to increase cybersecurity spending across industries. Even with that growth, respondents say their programs fall short of what the threat landscape now demands.

CISOs are questioning what a crisis framework should look like

CISOs increasingly assume the next breach is coming. What concerns them most is whether their teams will understand the incident quickly enough to limit the fallout. 84% say a successful breach is inevitable. That belief shapes budgets, staffing plans and expectations during an incident. It also increases pressure to shrink the gap between detection and investigation.

CISOs are cracking under pressure

Cybersecurity leaders are hitting their limit. Most CISOs are stretched thin, dealing with nonstop incidents, too many tools, and growing pressure from their boards. The pressures are so intense that many say they are burned out and thinking about walking away.

Cybersecurity leaders underreport cyber incidents to executives

Cyberattacks are becoming more frequent and severe, with 71% of surveyed security leaders saying attacks have grown more common in the past year and 61% reporting greater impact when incidents occur. Nearly 80% of surveyed security leaders said they are concerned about being targeted by a nation-state attack within the next year.

CISOs, stop chasing vulnerabilities and start managing human risk

Sixty-four percent of organizations confirmed a malicious social engineering attempt through encrypted or informal channels in the past 12 months. None of the surveyed CISOs reported simulating attacks over WhatsApp, Signal, or similar apps. Confidence in employees spotting threats there is also very low.

How CISOs are balancing risk, pressure and board expectations

AI has moved to the top of the CISO agenda. Three in five CISOs see generative AI as a security risk, with many worried about sensitive data leaking through public tools. At the same time, most organizations are not blocking AI outright. Instead, they are trying to put guardrails in place so employees can use these tools without exposing data.

CISOs need to think about risks before rushing into AI

Organizations are increasing investments in cloud, AI, and emerging technologies, but their infrastructure and security strategies often lag behind. Business and IT leaders are not always aligned on what needs to be in place before the next wave of technology arrives. Eighty-five percent of respondents said their cybersecurity posture is reactive, meaning they focus more on responding to incidents than preventing them.

CISOs face a complex tangle of tools, threats, and AI uncertainty

Most organizations are juggling too many tools, struggling with security blind spots, and rushing into AI adoption without governance. Unified IT architecture, zero trust security, and AI adoption are now essential to reducing complexity and risk. For CISOs, that means pushing for better alignment across teams and making strategic decisions about platforms, tools, and partnerships.

Pentesting is now central to CISO strategy

Security leaders are rethinking their approach to cybersecurity as digital supply chains expand and generative AI becomes embedded in critical systems. 68% are concerned about the risks posed by third-party software and components. While most say they are meeting regulatory requirements, 60% admit attackers are evolving too fast to maintain resilience.

AI is changing the vCISO game

Virtual CISO (vCISO) services have moved from niche to mainstream, with 2025 vCISO services adoption data showing a more than threefold increase in just one year. 67% of MSPs and MSSPs now offer vCISO services, up from just 21% in 2024. This sharp increase aligns with the previous year’s predictions, when nearly three-quarters of non-adopters stated they planned to launch these services by the end of 2025.

C-suites step up on OT cybersecurity, and it’s paying off

There has been a significant increase in the global trend of corporations planning to integrate cybersecurity under the CISO or other executives. As accountability continues to shift into executive leadership, OT security is elevated to a high-profile issue at the board level. 52% of organizations report that the CISO is responsible for OT, up from 16% in 2022.

CISOs flag gaps in GenAI strategy, skills, and infrastructure

95% of C-suite leaders say that GenAI is driving a new level of innovation in their organizations. While CEOs and business leaders are committed to GenAI adoption, CISOs and operational leaders lack the necessary guidance, clarity and resources to address security risks and infrastructure challenges associated with deployment.

CISOs brace for a surge in domain-based cyber threats

Cybersecurity threats are growing more complex, and domain-based attacks are at the center of this shift. Even with new challenges emerging, many CISOs are struggling to secure the resources they need. Only 7 percent said their cybersecurity budgets had increased significantly year over year, even as threat levels continue to rise.

Why CISOs need to understand the AI tech stack

As AI spreads, so do the risks. Security leaders are being asked to protect systems they don’t fully understand yet, and that’s a problem. Securing AI means embedding protections throughout the stack, and understanding how those layers work together. While most of the stack is technical, the governance layer focuses on policy, ethics, and oversight, and it’s the least mature. But that doesn’t mean CISOs can ignore it.

CISOs call for operational threat intelligence integration

98% of CISOs face challenges when using threat intelligence. The biggest problems are keeping up with changing threats, integration difficulties, and regulatory rules. As a result, threat intelligence defaults to a reactive function within a workstream, rather than an embedded, proactive strategy to build resilience, accelerate response, and stay ahead of threats.

CISOs need better tools to turn risk into action

Many organizations are overwhelmed by the complexity of their IT systems, making it difficult to manage cybersecurity risks. Only 40% of security professionals say their leaders are effective at communicating risk to executives. Exposure management can help here too. It gives security teams a framework they can use to explain risks and connect those risks to business outcomes, even for executives who don’t have a background in security.

How CISOs can regain ground in the AI fraud war

Criminals are using AI better than most organizations. Three in four respondents said fraudsters currently have the edge with generative AI, using it for deepfake scams, synthetic identities, and coordinated phishing. Only 12.5% of participants believe legitimate organizations benefit more than bad actors right now.

CISOs prioritize AI-driven automation to optimize cybersecurity spending

The integration of AI into cybersecurity has the potential to significantly change how organizations detect, prevent and respond to cyber threats and enhance their security posture. Many CISOs are leveraging AI to improve threat detection and response times (31%) and to build enhanced incident response capabilities (24%).

The C-suite gap that’s putting your company at risk

CISOs are more likely to think senior leaders don’t fully understand how serious cyber threats are. About 68% of CISOs said top executives underestimate the danger. Only 57% of other C-suite leaders agreed. The two groups also disagree on who’s behind past cyber incidents. More CISOs (57%) said cybercriminals were responsible, compared to 47% of other executives. CISOs were also more likely to point to insider threats—47% said they’d had an incident caused by an employee, while only 31% of the rest of the C-suite said the same. These differences could make it harder to prepare for future attacks.

Cloud providers aren’t delivering on security promises

Security concerns around cloud environments have prompted 44% of CISOs to change cloud service provider. This is being driven by the fact that 24% don’t believe their cloud environment is secure, and 43% think cloud service providers overpromised the security protection they would receive.

Most organizations change policies to reduce CISO liability risk

93% of organizations made policy changes over the preceding 12 months to address concerns about increased personal liability for CISOs. This includes two in five organizations (41%) increasing CISO participation in strategic decisions at the board level.

74% of CISOs are increasing crisis simulation budgets

Many CISOs across the UK and US are concerned about their organization’s ability to handle a cyber crisis. This is owing to several reasons – the rising volume of cyber incidents (31%), lack of incident response planning (20%), and a lack of realistic, stress-tested crisis simulations (19%). This drives CISOs to reallocate budgets towards crisis preparedness, as they seek to maintain security posture.

Nearly half of CISOs now report to CEOs, showing their rising influence

The CISO’s rise to the C-suite comes with more engagement with the boardroom, an audience with the CEO, and the power to make strategic decisions for the business. 82% of surveyed CISOs now report directly to the CEO, a significant increase from 47% in 2023. In addition, 83% of CISOs participate in board meetings somewhat often or most of the time.
