SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gather their opinions. Here we discuss the CISO Outlook for 2025.
The CISO is the figurehead, and often the scapegoat, for cybersecurity, and business continuity, and regulatory compliance, and data science, and artificial intelligence, and… and so it goes on. But quo vadis? And can you stay the course?
There has never been a single job description for the CISO – the role depends upon each company, its maturity, its size and resources, and the risk tolerance of individual boards. Nevertheless, the primary function of the CISO has continuously expanded from the original technical defense of IT systems to the wider purpose of managing business risk and ensuring business profitability in the face of cyberattacks.
The CISO is no longer just a technical expert but a jack of all trades who must also understand business management, business finance, the legal implications of regulations, the concept of personal privacy, the psychology of company employees, the impact of geopolitics, the potential of artificial intelligence… and the list keeps growing.
Sometimes, the CISO has actual responsibility – for example, for privacy and regulations, and increasingly for artificial intelligence – but always now with a consultative responsibility championing security to other company leaders. So, in addition to this expanding role, the CISO must be an expert communicator able to speak business to other leaders and tech to the security and IT teams. Nevertheless, the CISO often has responsibility without authority, but with liability.
In 2025, only the details are likely to change.
The big three (but not the only) CISO stressors likely to increase during 2025 are the increasing and increasingly chaotic regulatory minefield; the unpredictable growth and use of artificial intelligence; and an expected surge in social engineering supercharged by multimodal gen-AI. Each of these topics is discussed in depth in its own Cyber Insights 2025 feature.
Regulations
Regulations have become more problematic. The CISO is not merely responsible for ensuring company compliance with security-related regulations but is also increasingly the target of specific role-based enforcement. In particular, the SEC has begun to pursue CISOs personally for alleged failures to comply with SEC rules (civil enforcement actions under rules that are effectively the agency’s own interpretation of the law).
However, on June 28, 2024, the US Supreme Court (Loper Bright Enterprises v. Raimondo) overturned the Chevron doctrine: courts no longer defer to an agency’s interpretation of an ambiguous statute but must decide the question themselves, which makes agency rules easier to challenge and weakens the whole concept of agency-led regulatory enforcement.

The effect is still in process – we simply do not yet know how it will play out – further complicated by a new conservative small government administration. Opinions vary. Mandy Andress, CISO at Elastic, simply believes it will lead to increased challenges against agency enforcement. “I expect more companies will feel empowered to scrutinize and challenge future agency regulation,” she suggests.
Reuven Aronashvili, Founder and CEO at CYE, thinks the effect on incident reporting might spread. “CIRCIA, which requires prompt reporting of cyber incidents, could come under increased scrutiny and legal disputes,” he says. “We can expect to see CISOs working much closer with their colleagues from the legal department.”
In general, however, as the dust begins to settle, belief that it won’t change much (beyond the courts having the final say) is growing. “This may not affect CISOs much in the coming year, but over the long term, we expect to see much more cyber regulation, such as the SEC Cybersecurity Rules introduced at the end of 2023, and it will be broadly enforceable,” suggests Gaurav Kapoor, co-CEO at MetricStream.
Sharon Klein, a partner at Blank Rome law firm, adds, “While we certainly do expect that this may allow more leeway in areas such as discrimination, we do not expect that regulatory rulings in cybersecurity will be eroded by courts or the plaintiffs’ bar.”
What is less clear is whether the agencies’ intention to hold CISOs personally liable for reporting failures will continue, and what effect that might have on the CISO role going forward. Will it persuade organizations to increase their support of CISOs, or will the scapegoat element of being a CISO increase?
(See Cyber Insights 2025: Regulations for a more detailed discussion.)
Artificial intelligence
AI now pervades every aspect of business, and CISOs are increasingly required to understand how to use it safely internally, and how to protect against its adversarial use against the organization.

Internally, “Organizations in 2025 will continue to experiment with AI to understand where it offers value,” says Lenny Zeltser, SANS Institute Fellow and CISO at Axonius. “Security and IT leaders should be ready to help evaluate and onboard a diverse set of immature AI products. We’ll need to comprehend a range of AI technologies and understand the expectations of diverse internal stakeholders so we can contribute toward making informed risk versus reward decisions. Given how rapidly the technology is changing, we should be ready to experiment and determine how to measure project outcomes to decide which approaches work best.”
In short, CISOs will need to become AI experts, rapidly. “CISOs must become fluent in both the potential benefits and risks these technologies pose, and be equipped to lead discussions on their implications for security,” warns Mike Britton, CIO at Abnormal Security.
The requirement isn’t simply to ensure AI successes within the company, but also to prevent AI fails. “CISOs must also be able to identify channels through which sensitive information can be leaked through the use of business productivity-based AI solutions (that is, sensitive information used to train AI models) so appropriate controls can be implemented,” adds Klein.
This cannot be achieved from a siloed cybersecurity position. It will require deep collaboration with all departments within the company, from those wishing to use their own AI tools to IT, HR, Finance and Legal for the wider ramifications. Ironically, the arrival of AI designed to automate human actions will require increased communication and soft skills from the CISO across the entire breadth of the organization.
(See Cyber Insights 2025: Artificial Intelligence for a more detailed discussion.)
Social engineering
Externally, AI is increasingly used by malicious actors to simplify their effort and increase the effect of their attacks. The quality and quantity of AI models able to generate malware (see WhiteRabbitNeo for an existing example) will increase. The scale and sophistication of social engineering attacks will grow enormously. CISOs will increasingly use AI-based tools to detect AI-based attacks.
But there is a problem with this scenario. We’re just using new technology to counter new technology. The underlying nature of asymmetric, many-to-one warfare between attackers and defenders is unchanged; and, for now at least, there is little change to the attacks themselves (just more of them, and better).
Fundamentally, CISOs will need to use AI to scale up their defense against scaled-up attacks. This will add strain on both CISOs’ budgets and CISOs’ workloads; but the real winners will be the new industry providing AI-assisted defense controls.
We have never yet reduced the severity of social engineering attacks. These are the building blocks for most attacks – and there is little sign that new technology will change things.
(See Cyber Insights 2025: Social Engineering for a more detailed discussion.)
There is little doubt that the CISO role is continuing to expand. A big question is whether the CISO’s authority will keep pace with the CISO’s responsibility. One approach could be to elevate the position to board level. Failing this, the board could increase the security budget in recognition of security’s growing importance.
Seat on the board
“We absolutely should see more CISOs actively involved in board conversations,” says Mike McNerney, SVP of Security at Resilience. “That said, to be seriously considered for a board role, CISOs need to be more than just technical experts but rather bring a wider array of important business skills.”

Frankly, a successful CISO today is already doing that – so why not co-opt more CISOs straight to the board? McNerney does see the advantages: “More active and emboldened CISOs in the boardroom would ensure that these considerations [risk-centric business outcomes] are not an afterthought but a core part of strategic planning.”
Klein is succinct, and blames the reactionary nature of business rather than questioning the value of the move. “Yes, more CISOs should be on company boards, but it’s unlikely to occur because of the long-held belief that security is a necessary evil rather than smart business.”
Andress recognizes the value, but also believes progress will be slow: “There’s still a knowledge gap when it comes to the value a CISO brings to a board, and so there remains work to be done on bridging this gap before we see a meaningful increase in security representation on the board.”
David Ferbrache, managing director at Beyond Blue and former head of cyber at UK MoD, also doubts a mass promotion to the board. “We are still unlikely to see CISOs join corporate boards, but they will be required to brief boards regularly on cyber resilience. Most boards will turn to external advisors to enhance their understanding of cyber risks and provide an independent challenge and viewpoint. Non-executive directors will also bring perspectives from other (potentially more highly regulated) sectors.”
But there are already some signs and more supporters for CISOs being elevated to the board. “We believe we will definitely see more CISOs on boards as they continue to be recognized as business leaders, and in some cases report to the CEO,” comments Kapoor. “They lead teams that are on the front lines and have the most knowledge of where risk lies for their organization.”
Chris Borkenhagen, chief digital officer and CISO at AuthenticID, adds, “We should see more CISOs taking board seats. Cybersecurity is no longer just an IT concern; it’s a fundamental business issue that impacts everything from operations to reputation… CISOs on the board mean a more informed, proactive approach to managing organizational risk, making this a trend we should see continue in 2025.”
However, it is worth noting that not all CISOs want to become board members. “CISOs already have full plates, and therefore their willingness to accept an invitation to a board may be slim,” comments Daniel Schwalbe, CISO at DomainTools.
Whether CISOs should sit at the table is still an open question. It is happening with some companies, and the incidence is likely to increase during 2025. However, there will be no sudden mass migration. The importance for CISOs is to be heard at the table rather than necessarily seated at that table.
Increased budgets?
Whatever a CISO may say openly about the company security budget, few would reject an increase. Attacks are increasing, the attack surface is growing, regulations are more onerous, and AI is complicating everything. The question, however, is whether they will get one.
Aronashvili believes budgets will increase in 2025 because the threat is increasing. “We’re seeing a surge in ransomware, supply chain breaches, and insider threats, and with hybrid work, IoT, and multi-cloud environments expanding our attack surface, we can’t afford to stand still.”
Andress thinks budgets will remain static, effectively making life more difficult. “For CISOs, this will mean making use of automation and finding efficiencies to provide the same level of program effectiveness within the same budget, in the face of a threat landscape that continues to quickly evolve.”
Michael Fanning, CISO at Splunk, also thinks budgets will grow, possibly driven by new demands from AI. “With these larger budgets, CISOs can adopt cutting-edge tools like AI for better threat detection, automated incident response systems for quicker reactions and security orchestration platforms to streamline their operations. These upgrades can help businesses stay ahead of increasingly sophisticated attacks, making it easier to spot threats and respond faster.”
Ferbrache believes the overall security budget will grow but will be divided among different departments rather than handed directly to the CISO. “This redistribution of security budgets will signal a shift towards federated security responsibility as well as a ‘shift left’ to embed security and resilience by design. Security will no longer be confined to a single department; instead, it will become embedded within all enterprise units.”
Kapoor expects an increase, but only where the CISO is willing and able to demonstrate effective RoI. “Techniques like risk quantification can show the impact of investments in monetary terms. Budgets have been increasing for several years now and we cannot expect this to increase without proof that programs are having a positive effect.”
McNerney says simply, it’s not the size that matters, it’s how you use it. “I expect security budgets will increase in 2025 but I’m more concerned about spending those dollars in the right way than simply having more of them.”
In short, it’s a mixed bag. Budgets may see a slight increase in 2025, but not as much as CISOs would like, and not enough to match the increase in security complexity. At the same time, any increase will require stronger justification from the CISO.
Resilience
There is a discernible shift towards ‘resilience’ as the aim of security. This makes sense. A growing acceptance that controls may deter attacks but cannot guarantee security against breaches means that surviving a breach becomes the ultimate goal. Resilience is not a replacement for security, but an addition to security.
“Regarding incidents, ‘it’s not a matter of if, but when’. Having robust resilience capabilities is an absolute must for any organization,” says Gary Brickhouse, CISO at GuidePoint Security. “CISOs must prioritize and ensure resilience programs are in place, aligned with business strategy, and regularly tested. While this may be less of a priority for those CISOs in more mature organizations that already have robust plans in place, it will remain on the priority list due to the ever-expanding threat landscape.”

McNerney, whose own company is called ‘Resilience’, explains, “We define resilience as the ability to not only withstand attacks but to recover quickly and minimize business disruption. It’s similar in concept to how being healthy requires more than just avoiding disease but being able to bounce back too.”
In a sense, resilience is an increased focus on an aspect of response which is an aspect of security. “As the CISO role evolves, it will also become a priority to secure operational continuity in the face of cyber incidents,” says Britton. “Quick recovery involves building robust incident response frameworks and fostering cross-functional collaboration.”
This will, in turn, likely require additional investment and place further demand on the security budget. “CISOs will prioritize efforts and funding on business continuity and disaster recovery initiatives, including investments in recovery technologies,” comments Klein. Fully mirrored IT infrastructure, the traditional gold standard of business continuity, is effective but expensive.
However, not everyone believes that ‘resiliency’ is anything more than hype. “The concept relates to being prepared for inevitable attacks through proper backups, ransomware readiness, and response processes,” explains Brandyn Fisher, senior manager of cybersecurity at Centric Consulting. “While it’s being presented as new, it’s really a rebranding of existing security fundamentals.”
Even if the purpose is not new, there is a growing recognition and focus on this aspect of security. “In 2025, CISOs will lean into this concept of resilience, embedding it into every aspect of the security strategy – from continuous monitoring and AI-driven detection to regularly assessing and strengthening system vulnerabilities,” says Borkenhagen. “The aim will be to make resilience an intrinsic part of the organization’s DNA,” he adds.
“CISO’s responsibilities will increasingly touch on recovery and resilience planning,” says Ferbrache. “Particularly in industries like finance, where downtime carries significant costs, CISOs will play a key role in ensuring that organizations can rapidly recover from digital disruptions to minimize financial losses and safeguard business continuity.”

Kris Lovejoy, global security & resiliency leader at Kyndryl, is all in on the concept. “There is a growing call in the security field to shift focus from cybersecurity to cyber resilience with the proposed evolution of the CISO role into a ‘Cyber Resilience Officer’, whose remit is to manage all cyber risks, including – but not limited to – cybersecurity,” she says. “This shift is driven by the evolving digital landscape: IoT expansion, hybrid cloud usage, generative AI and heightened interconnectivity, which leaves organizations more susceptible to cyber threats and disruptions.”
Kai Roer, CEO and founder at Praxis Security Labs, puts the concept in context. “The discussion about resilience is a strategic one, starting by asking: why are we investing in security? When we reach the answer – to ensure we can be around another day so that we can do business tomorrow too – risk management dictates that we need to manage the risk, which is much more than just building higher walls and deeper moats. In a modern risk landscape, with a focus on living another day, your approach must be pragmatic and long-term.”
There is no adequate job description for the CISO beyond ‘do whatever is necessary to mitigate business risk and maximize business profitability as inexpensively as possible’. Whether and how this can be achieved will vary depending on the company concerned, its senior management’s risk tolerance, the sector in which it operates, and the resources granted to the CISO.
One thing is clear: malicious attacks are increasing in volume, sophistication, and intent. Global geopolitics is removing the gloves from attackers, both nation states and pure criminals. Disruption and destruction, especially in the critical infrastructure sector, are additional malicious drivers going beyond simple financial gain.
At the same time, internal demands on the CISO are increasing. We are already seeing CISOs subsuming the role of the CIO (the increasing use of cloud infrastructure is reducing the local demand on the IT department while the importance of security keeps growing). Similarly, the growing importance of AI within the company is leading some companies to redefine the title as chief information security and AI (or data science) officer.
The name may change, but the primary purpose will remain. And although we may say this every year, this year it is especially true: next year will be more difficult with more demands placed on the CISO.