The role of the CISO has never been easy, and as cyber threats continue to rise, year-over-year budget increases still fail to keep pace. A recent report shows that while the average budget growth has risen from 6% in 2023 to 8% this year, these figures pale in comparison to the growth rates of 16% in 2021 and 17% in 2022.
Tight budgets, insufficient resources, and the evolving threat landscape are no longer just obstacles — they're fueling “cyber-anxiety” for CISOs and their teams.
While the narrative of constrained resources isn’t new, the pressure to safeguard organizations amidst increasing complexities is poised to reach a breaking point. CISOs are now grappling with not only the technical demands of their roles but also the mental and emotional toll of protecting businesses that are more reliant on digital systems than ever — yet reluctant to invest adequately in robust security strategies.
Heading into 2025, the most pressing challenge for CISOs remains resource constraints: insufficient staff, limited budgets, and outdated or inadequate technology to support their security programs or meet compliance requirements.
Keeping up with compliance
Compliance has been around for decades, though its maturity varies by location and industry, and some industries are further along in their compliance efforts than others. In sectors like finance, compliance has been standard operating procedure for decades. Pick an acronym from the alphabet soup of standards, and security leaders will find the framework has been in place for quite some time.
The challenge, however, is the pace at which compliance regulations can evolve — especially in highly regulated industries. Organizations must be proactive in monitoring these regulations and adapting to them, or they could be at risk of losing funding.
Recently, government standards, like the Department of Defense's Cybersecurity Maturity Model Certification, have gained traction. We'll see if our fractured political system can agree that the supply chain needs protection and can vote this standard into practice.
If an industry is just now adopting regulations, it’s not alone. The good news is that there’s been a blueprint for years. At their core, compliance requirements often boil down to having specific solutions in place. Commonly required tools include:
- Vulnerability management
- Log management
- Firewalls or perimeter security solutions
- Antivirus or modern EDR solutions
- Identity and access management
- Multi-factor authentication
Many of these solutions are now bundled into packages from vendors like Microsoft as part of standard subscriptions. Using a single vendor like Microsoft for security solutions simplifies procurement.
The downside? Ease of acquisition doesn't always equate to ease of implementation. Proper deployment, management, and monitoring are still required, and they can be resource-intensive. Additionally, these bundled solutions might not be cutting-edge compared to standalone, specialized tools, and they may not be the right fit for every business. While they provide a base level of security, organizations will need expertise to leverage their full value and maintain their security posture.
Vendor consolidation and cloud adoption
The demand for single-vendor solutions has driven consolidation in the cybersecurity space. Leading vendors, like Palo Alto Networks and CrowdStrike, are acquiring smaller companies to expand their platforms. This aligns with the rise of cloud-based platforms such as Wiz or Prisma by Palo Alto, which aim to provide holistic security visibility and management.
Organizations migrating to the cloud often adopt these solutions to regain the security visibility and control lost during the transition from on-premises systems. However, CISOs are finding it increasingly challenging to hire talent specialized in these cloud security platforms.
Unfilled roles amidst a talent shortage
Specialized talent in security is increasingly in demand, but it's also harder to find. Critical industries like government and healthcare face the most significant workforce gaps due to strict regulations. Generalists who can handle a wide range of issues are rare, and finding individuals with deep expertise is even more challenging.
To make matters more challenging, CISOs report difficulty increasing their headcount even as budgets increase. Despite organizational needs, hiring more staff remains a struggle. As a result, teams are required to do more with fewer resources, placing greater pressure on both CISOs and their teams.
Because this industry is now characterized by specialization, CISOs should consider providing training and mentorship programs for their staff, including vendor-specific training on technologies.
Challenges in cybersecurity leadership
Let’s be honest. The role of the CISO is not a 40-hour-a-week job in today’s corporate environment. It's a high-pressure political position that often suffers from a lack of budget, staff, and organizational support. More often than not, CISOs lack the authority to enforce meaningful change, and without adequate funding, implementing effective strategies becomes difficult. This, coupled with the demands of a role that routinely exceeds a 40-hour workweek, leads to high turnover.
A lack of cybersecurity maturity is also challenging for CISOs to navigate, and in some cases, the organization may not yet be prepared to support the role effectively. If an organization lacks basic cybersecurity practices, it may struggle to evaluate and support the CISO’s recommendations. To address these gaps, organizations can leverage MSSPs or virtual CISO services to help build their security foundation until they reach the maturity needed to fully benefit from a dedicated CISO.
Despite these obstacles, the CISO's ability to align security initiatives with business objectives and demonstrate clear ROI can drive organizational success. A well-supported CISO can influence security culture and strategy, but without proper resources, their impact will remain limited.