CISO Survival Guide: 8 Cyber Security Challenges & How to Navigate Them
We’ve asked 8 experts how they recommend maneuvering through a tumultuous cyber security threat landscape — here are their solutions
Portnox’s survey data shows that 77% of Chief Information Security Officers (CISOs) are “very” or “extremely” worried about their jobs. (Who can blame them?) The cyber security threat landscape is continually shifting. CISOs are left scrambling for solid ground after many industry changes have come down the pike over the past several years:
- Stagnant or modestly growing budgets
- Continually evolving threats and seemingly new security and privacy protection requirements (data privacy, breach reporting, etc.)
- Inundating (and sometimes contradictory) frameworks and guidelines
- Changing technologies and concerns about future technologies (think cryptographically relevant quantum computers [CRQCs])
- Increasing personal liability when things go wrong
It’s no wonder that CISOs are leaving roles significantly sooner than in previous years, serving an average of just 23 months. BlackFog Research reports that nearly three in four CISOs are either actively looking for alternative employment opportunities or want to leave their roles due to the stressors and increasing personal liability.
So, what’s a CISO to do when trying to navigate an increasingly difficult terrain? We asked CISOs and other cybersecurity experts how to tackle today’s top cybersecurity challenges — here’s what they said.
Let’s hash it out.
8 Top Cyber Security Challenges and How to Deal with This Shifting Terrain
Cyber Security Challenge #1: CISOs Often Feel Isolated and Lacking Support

BlackFog’s previously cited report reveals that 93% of CISOs and IT security decision makers are dealing with “overwhelming stress” in their roles. They feel stretched thin, working more hours and having fewer resources at their disposal, with some (45%) reporting they’ve turned to unhealthy coping mechanisms (drugs and alcohol).
When cybersecurity leaders feel they lack the support of other company executives and have to go it alone, it’s a rough and lonely existence. Their organization’s cybersecurity initiatives will likely suffer as a result. (That’s why we made this #1 on our list of cyber security challenges.)
So, what can companies do to aid CISOs and simultaneously strengthen their organizations’ cybersecurity postures?
Solution #1: Encourage Top-Down Support and Collaboration from Leadership
Seth Geftic, Vice President of Product Marketing at Huntress, says that effective cybersecurity requires a collaborative effort to safeguard companies from threats and ensure ongoing performance.
“Every department will surely have their own priorities, but the challenges facing CISOs in 2024 are real and serious. If other company leaders are genuine about helping, they need to take the time to understand the present-day risks and how their teams can empower an organization’s cybersecurity posture. By encouraging the ideal processes and procedures, various leaders can remove some of the burden from the CISO.”
Rob Stevenson, founder of BackupVault, emphasizes the importance of organizational leaders championing cybersecurity as a core business strategy element rather than a standalone responsibility:
“[…] promoting a security-focused culture across departments, where employees understand their role in protecting data and systems, can reduce vulnerabilities from human errors. Regular engagement with CISOs to review security practices and needs ensures that cybersecurity remains a priority in the organization’s planning.”
Solution #2: Make Cybersecurity a Core Strategic Priority
Business leaders need to put cybersecurity risks in perspective through their business objectives. But simply “talking the talk” isn’t enough to instigate a positive change — leaders need to “walk the walk” as well by prioritizing and securing budgets for these prioritized security initiatives.
Multiple experts emphasized the need for making cybersecurity among organizations’ top priorities.
Jacob Kalvo, Co-Founder and cybersecurity expert at Live Proxies:
“[…] CEOs and boards may further empower the CISOs by making cybersecurity prominent in strategic discussions and decisions, underlining that it must be at the core of business resilience and success. Such commitment from the top empowers CISOs to lead at a time when cybersecurity is among the most important items on a company’s agenda.”
Rafay Baloch, CEO and founder of REDSECLABS, argues that by supporting CISOs, company execs foster a security-focused atmosphere that promotes cyber resilience:
“Collaborating with company leaders is also beneficial for CISOs. When they have relationships with executives from other departments within the organization, it enables them to secure the necessary resources and backing required to implement effective security measures.”
It’s these strategic investments that Cache Merrill, CEO and founder of Zibtek says will better arm CISOs:
“Business leaders need to make security investments fundamental to the business strategy, support cross-departmental training, and allow sufficient resources for CISOs to anticipate and mitigate the changing threats.”
Cyber Security Challenge #2: Companies Often Don’t Prioritize Security
It’s not enough for cybersecurity professionals to understand the tactics, mindset, and goals of cybercriminals; as a CISO, you also must be intimately aware of your organization’s strengths and weaknesses. This requires looking inward and critically evaluating your organization’s practices, processes, approaches, culture, and technologies to see what’s working (or not).
But figuring out your shortcomings typically isn’t as pleasant an experience as recognizing your strengths. Quite frankly, recognizing your deficiencies sucks, but it’s a great growth and security improvement opportunity that will better help you face future cyber security challenges.
Solution #1: Develop and Promote a Security-First Culture
One of the best ways to make such improvements is through the environment you foster within your organization.
Baloch says that one of the best ways to make organizations more secure and prioritize cybersecurity is to create an organizational culture that values and enforces it. This approach helps safeguard against risks by embracing security tools and processes that help mitigate risks before they escalate into serious issues.
Merrill says that one way to approach this is to focus on threat intelligence partnerships and adopt a layered security approach that isn’t resource-intensive. This can include using open source tools and adopting adaptive frameworks, such as zero trust, that help increase resiliency without incurring major costs.
But as Stevenson says, achieving a cyber-secure culture goes beyond the tools and requires a multi-faceted approach:
“Cybersecurity is not just about technology; it’s about creating a secure culture. Social engineering attacks, for example, highlight the importance of human awareness in security practices. Regular, engaging security training for all employees can drastically reduce the success rate of phishing and other targeted attacks.
Also, as generative AI becomes more popular, it’s wise for organizations to set clear policies to prevent sensitive data from being input into these platforms, which could inadvertently lead to data leakage.”
Solution #2: Give CISOs a Seat at the Table

Put yourself in the CISO’s shoes: How can you make the big grown-up decisions required to do your job as a CISO if you’re relegated to the “kiddy table” most of the time?
Data from PwC’s 2025 Global Digital Trust Insights report shows that this is still an area in which many companies struggle. The survey of 4,042 business and tech execs in 77 countries shows that less than 50% of CISOs play a role in key business initiatives. We’re talking about them not being included in everything from strategy and board reports to technology deployments.
Baloch emphasizes that organizations’ executives need to recognize their roles in enhancing cybersecurity resilience and safety measures:
“Company executives have a part in supporting the Chief Information Security Officer (CISO) and fostering a security focused atmosphere throughout the company as a whole to enhance resilience and safety measures effectively.”
Cyber Security Challenge #3: Stagnating Security Spending and Budgets
Although we’ve seen a shift where C-suite executives are slowly starting to bring CISOs into the fold of organizations’ overarching decisions, they’re often still left out in the cold when it comes to high-level budgetary decisions. This is particularly unnerving when you consider that CISOs are increasingly being held personally liable when things go wrong.
Having a say in how much an organization should invest in its security initiatives is crucial. Cybersecurity teams often find themselves doing more with less, stretching their already stretched resources and staff. This is among the most difficult of the cyber security challenges leaders face.
Solution #1: Track and Report the Results of Budgetary Decisions (Good and Bad)
In an article for securitymagazine.com, Amanda Fitzsimmons, Head of Legal at Salt Security, offers a great recommendation for CISOs who find themselves being overruled or left out of their organizations’ budgetary decision-making processes:
“[…] CISOs should document in real time the decisions that may later on prove to be the root cause of a cybersecurity incident or regulatory failure. CISOs who can show that their requests for resources, personnel and/or tools were denied are far less likely to be held accountable for the consequences of those decisions.”
Cybersecurity leaders who can demonstrate that they advocated for cybersecurity improvements through funding and staffing resources will likely be in a more favorable position compared to those who don’t take those CYA measures.
But there’s another financial consideration that makes CISOs’ jobs much harder…
Cyber Security Challenge #4: Justifying Spending to Prevent “What Ifs”
Even though their obvious goal is to prevent and mitigate future (potential) threats, CISOs are under immense scrutiny and pressure to justify their budget requests and spending. C-suites, boards, and shareholders prioritize investments in things that are going to have a direct impact on their bottom line (i.e., generate sales, increase revenue, reduce costs, etc.).
Of course, maintaining strong cyber defenses can indirectly impact those things. But cyber security is essentially invisible when it works; it ultimately boils down to fending off would-be attackers and preventing things like data breaches from happening. Quantifying the value of incidents that never occurred is incredibly hard, which makes signing off on these investments an even harder pill to swallow for executives who are used to measuring things by more visible objectives.
Solution: Show How Cybersecurity Initiatives Align with and Support Execs’ Priorities
Jowel Mohabeer, IT administrator here at TheSSLstore.com, said it simply: “Translate the importance of your initiatives into terms that other execs within your organization will understand.” For example:
- Direct and indirect financial benefits compared to investment costs
- Service and operational uptime
- Nurturing customer relationships by protecting their data
- Protecting your brand’s reputation
- Compliance audits and reporting considerations
This approach helps you gain buy-in from other organizational leaders who can advocate on your behalf. Having the CFO, CTO, or CEO in your corner makes a stronger case for your funding requests. And the good news is that there’s a ton of industry data out there that can support your talking points.
Related Resources
- By the Numbers: 50 Cyber Crime Statistics for 2025
- A Look at U.S. Business Email Compromise Statistics (2024)
- 20 Ransomware Statistics You’re Powerless to Resist Reading [Updated for 2024]
- Phishing Statistics: The 21 Latest Phishing Stats to Know in 2024
- The Definitive Cyber Security Statistics Guide
- 10 Cybersecurity Compliance Statistics That Show Why You Must Up Your Cybersecurity Game
Cyber Security Challenge #5: Changing & Advancing Technologies Enhance Threats
Over the past several years, companies have increasingly embraced everything from cloud and remote environments to machine learning (ML) and other artificial intelligence (AI) technologies.
While taking a head-first dive into digital waters offers many advantages, it also brings with it a slew of new cyber security challenges and concerns that don’t exist in traditional, on-prem environments. There are more technologies to keep up with and things that can go wrong, requiring organizations to adopt new security frameworks, processes, and technologies that may be difficult to implement.
Solution #1: Stay Abreast of the Latest AI Advancements
It’s also no secret that AI and generative AI (gen AI) offer new opportunities — for good and bad guys alike. AI offers the promise of positive technological advancements and the sickening realization that cybercriminals may use these tools for nefarious purposes.
Related: 5 Ways to Avoid Your Company Falling for Deepfake Scams
Huntress’s Geftic identifies the emergence of such new technologies as the driving force behind many sophisticated threats.
“At the forefront of this are AI and automation, which are leading to a host of attacks, from ransomware to zero-day vulnerabilities. As the threat landscape increases, this challenge means CISOs are struggling to adapt their strategies to prevent a successful attack.”
Solution #2: Embrace Automation in Ways That Aid Security and Efficiency
However, as pointed out by Chris Dukich (a cybersecurity expert and founder of the SaaS company Display Now), not all automation is bad. In fact, many businesses could benefit by embracing it as part of their overarching offensive and defensive strategies.
“The more investments CISOs can make in automation tools, the more repetitive tasks can be taken off the table for the teams involved, letting them focus on more abstract threat analysis and proactive measures.”
Stevenson says that one of the best ways to stand in the face of these cyber security challenges is to be increasingly agile and responsive in your approach to cybersecurity.
“[…] the rise of nation-state threats and advanced hacking groups has introduced a level of sophistication in attacks that requires constant vigilance and quick adaptation. These groups have advanced resources, making it difficult for CISOs to stay ahead, especially when some attackers are backed by powerful nation-states.”
Solution #3: Whenever Possible, Make Decisions Based on Good Data
Kalvo emphasizes the importance of having timely and accurate information to base decisions on:
“I firmly believe that such challenges need the CISO to develop a resilient and adaptive security framework based on threat intelligence and real-time monitoring. Keeping updated on threat intelligence will help in understanding and neutralizing the attacks before they actually take place.”
Solution #4: Prioritize Identity-Related Security Across the Entire Organization
Digital identities are like digital passports for your organization, employees, apps, and other technologies. When done right, the use of verifiable digital identities enables clients and users to remotely and securely authenticate when they connect, which is crucial in an increasingly digital work environment. When done wrong, it’ll land organizations in hot water.
This is why Jared Atkinson, Chief Strategist at SpecterOps, points to identity security as both an urgent technical issue facing CISOs and a vital solution. But how does he suggest CISOs (and other organizational leaders) support digital identity security-related initiatives?
“Securing identities requires other IT teams to work with the security team, and sometimes involves removing privileges for normal users or adding additional security measures like MFA. Other leaders can encourage their teams to collaborate with the security team, and can work with the CISO to weigh the benefits and drawbacks of extra security measures.”
Adopting certificate-based digital identities is another way to make your organization more secure. However, you must be sure to follow industry best practices and standards when it comes to securely managing and storing your certificates and keys: keep an inventory of what you’ve issued, keep private keys in protected storage, and renew certificates before they expire rather than after an outage.
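To make “follow best practices for your certificates and keys” concrete, here’s an added example (our own illustration, not code from the article’s experts or from any vendor). It’s a small Go audit, using only the standard library’s crypto/x509 package, that checks a certificate for the problems an inventory review most often turns up: a weak key, a weak signature algorithm, an expired or soon-to-expire validity window, and a missing Subject Alternative Name. The thresholds (2048-bit RSA, P-256 curves, 30-day renewal window) and the two sample certificates (generated in memory at run time) are assumptions constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one policy violation observed on a certificate.
type Finding struct {
	Subject string
	Issue   string
}

// AuditCert checks a parsed certificate against a small policy. The thresholds
// (2048-bit RSA, P-256 EC, renewWithin) are assumptions made for this example.
func AuditCert(c *x509.Certificate, now time.Time, renewWithin time.Duration) []Finding {
	var out []Finding
	add := func(issue string) { out = append(out, Finding{Subject: c.Subject.CommonName, Issue: issue}) }

	// 1. Key strength: small RSA keys and small curves are a common weak spot in long-lived identities.
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			add(fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			add("weak EC curve: " + k.Curve.Params().Name)
		}
	default:
		add("unsupported public key type")
	}

	// 2. Signature algorithm: anything MD5- or SHA-1-based should be reissued.
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		add("weak signature algorithm: " + c.SignatureAlgorithm.String())
	}

	// 3. Validity window: flag expired certs and ones already inside the renewal window.
	switch {
	case now.Before(c.NotBefore):
		add("not yet valid until " + c.NotBefore.Format(time.RFC3339))
	case now.After(c.NotAfter):
		add("expired on " + c.NotAfter.Format(time.RFC3339))
	case c.NotAfter.Sub(now) < renewWithin:
		add(fmt.Sprintf("expires in %d days; renew now", int(c.NotAfter.Sub(now).Hours()/24)))
	}

	// 4. Identity binding: modern clients ignore the CN, so a cert with no SAN identifies nothing.
	if len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) == 0 {
		add("no Subject Alternative Name")
	}
	return out
}

// selfSigned builds a self-signed certificate in memory. It only constructs sample
// input for this example; a real audit would parse PEM files or read an inventory.
func selfSigned(cn string, sans []string, notBefore, notAfter time.Time, key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleAudit audits two constructed certificates: one that follows the policy and
// one legacy cert that breaks it three ways (weak key, near expiry, no SAN).
func SampleAudit() (good, bad []Finding, err error) {
	now := time.Now().Truncate(time.Second)
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	goodCert, err := selfSigned("app.example.internal", []string{"app.example.internal"},
		now.Add(-time.Hour), now.Add(365*24*time.Hour), ecKey)
	if err != nil {
		return nil, nil, err
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak for the example
	if err != nil {
		return nil, nil, err
	}
	badCert, err := selfSigned("legacy.example.internal", nil,
		now.Add(-time.Hour), now.Add(5*24*time.Hour), rsaKey)
	if err != nil {
		return nil, nil, err
	}
	const renewWithin = 30 * 24 * time.Hour
	return AuditCert(goodCert, now, renewWithin), AuditCert(badCert, now, renewWithin), nil
}

func main() {
	good, bad, err := SampleAudit()
	if err != nil {
		panic(err)
	}
	fmt.Printf("app.example.internal: %d findings\n", len(good))
	for _, f := range bad {
		fmt.Printf("%s: %s\n", f.Subject, f.Issue)
	}
}
```

Run as-is and the compliant cert produces no findings, while the legacy cert reports its 1024-bit key, its five-day remaining lifetime, and its missing SAN. Pointed at your real inventory (parse each PEM with x509.ParseCertificate and feed it to AuditCert), the same checks turn the vague “follow best practices” into a list a team can actually work through before an expiry causes an outage.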
Cyber Security Challenge #6: Finding and Keeping the Right People
It’s no secret that talent acquisition and retention are ongoing issues. There’s a high demand for skilled, knowledgeable talent but a limited supply.
Of course, you should provide a competitive salary and benefits and invest in your employees’ professional development. But that isn’t always enough. It’s going to take more in a highly competitive field to land (and retain) strong talent.
Solution: Look Beyond Their Years of Experience When Evaluating Candidates
Don’t be afraid to look for the diamond in the rough and keep an open mind. Sometimes, those with less experience on paper are more driven and have a greater desire to learn, grow, and improve than those who have been doing the same job for years.
Jowel Mohabeer, IT admin here at TheSSLstore.com, emphasizes the importance (in most cases) of not drawing a hard line in the sand about candidates’ years of experience. Mohabeer shared his own experience as a burgeoning cybersecurity professional about 13 years ago:
“When I first got started in the field, it was difficult getting a job with little experience. In some ways, I get it. But I had the drive and was extremely motivated. I knew all the answers to their interview questions but was considered ‘too green’ to be taken seriously. But how does one get the requisite experience working within an enterprise industry if never given the opportunity?”
It’s the catch-22 that many professionals across virtually all industries are intimately familiar with.
Solution: Support, Shape, and Grow the Skills Within Your Existing Workforce
But hiring outside talent isn’t always the right answer, either. Thankfully, this is one of the cyber security challenges with a solution that can also make some of your existing employees happy.
Merrill’s suggestion to address this issue is to look inward by helping your existing personnel grow their knowledge and increase their skills:
“This [challenge] can be countered by the CISOs investing in upskilling internal talent and developing a security-conscious culture across departments. Training existing team members builds loyalty and enhances internal security awareness while alleviating some hiring pressures.”
Cyber Security Challenge #7: Navigating the Uphill Battle of Employee Cyber Awareness
It’s not always the deft hacker that you have to worry about. In some cases, your employees hold the door of your cyber defenses wide open to them. Proofpoint’s 2024 State of the Phish survey of more than 8,500 IT pros and other working adults shows that:
- Seven in 10 users admitted to engaging in risky behaviors.
- 96% of those respondents indicated “they knew they were doing something risky” but did it anyway.
But what can you do about these types of cyber security challenges?
Solution: Take a Multi-Faceted Approach to Make Cyber Awareness Training Meaningful
Stevenson says that achieving the ideal cyber-secure culture goes beyond the tools and requires a multi-faceted approach:
“Cybersecurity is not just about technology; it’s about creating a secure culture. Social engineering attacks, for example, highlight the importance of human awareness in security practices. Regular, engaging security training for all employees can drastically reduce the success rate of phishing and other targeted attacks.”
Emphasize the potential negative outcomes of risky behavior and of not proactively reporting issues:
- Share current, relevant industry data about cyber attacks, data breaches, and ransomware-related costs
- Call out loss of customer relationships and trust that impact business opportunities
- Point to instances where companies suffered other long-term damage or had to close up after suffering a data breach
Solution: Balance Support and Accountability with Progressive Discipline
Employees need to feel encouraged to report cybersecurity-related concerns. (After all, if they accidentally click on a phishing email or are worried that they may have installed malware, you’d want them to report it immediately, right?)
But employees won’t want to do that if they’re afraid that they’ll be fired after making a mistake. This is why businesses should strike a balance between supporting employees and holding them accountable for their actions using a progressive approach to discipline. This way, they’ll want to reach out to you or your team when something goes wrong and not try to sweep it under the rug for fear of losing their job after just one strike.
Here’s an example of an email I received after reporting a suspected phishing email (in this case, a false positive). The email is reassuring and encourages employees to submit other suspicious messages in the future:

Cyber Security Challenge #8: Keeping Up with Changing Laws & Frameworks
Cybersecurity leaders find themselves facing new legal requirements and frameworks that are often contradictory. And no matter how hard they try, no CISO can know or stay abreast of every change or industry development. It’s one of the cyber security challenges that’s always going to be an issue.
According to Kalvo:
“New and strict data privacy laws, such as the GDPR and CCPA, plus industry-specific regulations, are pushing CISOs to build compliance in at every point within cybersecurity, often on limited budgets and resources.”
So, how can CISOs deal with this continually changing situation?
Solution: Build Cross-Departmental Relationships Across the Organization
Lean on the insights and expertise of others within your organization to fill in the gaps. Merrill suggests greater collaboration between cybersecurity leaders and companies’ legal and compliance teams. For example:
“CISOs should collaborate with legal teams to stay up to date on the regulatory changes and have compliance measures as part of the continuous security practices. Building solid incident response plans and reporting procedures might minimize liability risks and follow the legal standards.”
Related Resources
- The Ultimate Guide to 13 U.S. Data Privacy Laws (And What They Mean to Your Business)
- 10 Data Privacy and Encryption Laws Every Business Needs to Know
Meet the Experts (Listed Alphabetically by Last Name)
Jared Atkinson is Chief Strategist at SpecterOps, a cybersecurity consulting and training company. As a security researcher, Atkinson specializes in Digital Forensics and Incident Response; he spends much of his time developing and leading private sector Hunt Operations capabilities. Atkinson previously led incident response missions for the U.S. Air Force Hunt Team, where he detected and addressed Advanced Persistent Threats on Air Force and DoD networks.
Rafay Baloch, CEO and Founder of REDSECLABS, is a globally recognized cybersecurity expert and white-hat hacker who specializes in identifying critical zero-day vulnerabilities in web applications, products, and browsers. Baloch has presented research at major cybersecurity conferences like Black Hat, Hack In Paris, and HEXCON and was named one of the “Top 5 Ethical Hackers of 2014” by Checkmarx and one of the “Top 25 Threat Seekers” by SC Magazine.
Chris Dukich is a cybersecurity expert and Founder of the SaaS company Display Now. The company specializes in securing digital marketing solutions. In his role, Dukich works with CISOs and their cybersecurity teams, particularly regarding secure engagement and data protection issues. He also provides business and IT management consulting services.
Seth Geftic is Vice President of Product Marketing at Huntress. Geftic has been working for the past 20 years across endpoint, MDR, phishing, and identity for cybersecurity vendors. Prior to his role at Huntress, he built up the product marketing function as the Vice President of Product Marketing at Red Canary and contributed significantly as a Director at Sophos, specializing in endpoint security and MDR.
Jacob Kalvo is the CEO and Co-Founder of Live Proxies, an advanced proxy solutions provider for B2B and B2C customers.
Cache Merrill is the founder of Zibtek and a cybersecurity expert with more than 7 years’ experience navigating and leading through the digital security landscape. From developing secure infrastructures to advising on tech integrations for startups and established businesses alike, he’s seen firsthand the evolving challenges CISOs face and the strategies that can fortify their position.
Jowel Mohabeer is IT administrator at TheSSLstore.com. Mohabeer has been working in the cybersecurity field since 2012.
Rob Stevenson is the founder of the U.K.-based cloud backup and data protection company BackupVault. Stevenson has spent years working in cybersecurity, helping businesses stay secure and resilient against data loss and cyber threats.
Final Takeaways from Our Group of Experts
We’ll wrap things up with some final thoughts from our group of experts regarding the cyber security challenges CISOs face. For Baloch, the most important thing CISOs can do is learn how to be comfortable with being uncomfortable.
“Today’s [CISOs] face a cybersecurity environment that is constantly evolving and intricate in nature. They encounter a variety of obstacles including cyber threats, regulatory changes, financial constraints and difficulties in finding professionals. The responsibilities associated with addressing these challenges can lead to stress and potential personal accountability issues for CISOs. Based upon my observations and involvement in this field it is crucial for CISOs to maintain a flexible approach in order to successfully navigate these challenges.”
Cybersecurity threats aren’t going away; in fact, they’re only increasing as time goes on. CISOs and other organizational leaders need to be aware of this fact and proactively take steps to adapt to the changing tide.
“At the end of the day, the technology landscape is like any other,” said Geftic. “You will face challenges, and you need to figure out ways you combat them, and if you don’t, you risk being left behind.”