“What’s occupying a ton of time for CISOs today is competing priorities,” he says. “The threat environment is such that they’re spending a great deal of time prioritizing all they need to do, and they’re doing it at a time when we face a significant talent shortage so they’re trying to cover the entire gamut with less help than they’d prefer. That’s the essence of what CISOs struggle with today — just prioritizing the large portfolio of issues they have.”
10. Getting risk right
To prioritize work, CISOs need to understand what matters most to the business and what risks are most consequential to the organization. Yet many still struggle with these tasks, says Chris Simpson, director of National University’s Center for Cybersecurity.
Research confirms this remains an issue for CISOs: According to the Proofpoint survey, boardroom alignment with CISOs decreased from 84% in 2024 to 64% in 2025.
“Cybersecurity is there to support the business, so CISOs have to understand the business’ risk tolerance, which will drive decisions on what to implement and risk mitigation strategies. It is something CISOs are always working on,” Simpson says.
