CISOs in 2025: Balancing security, compliance, and accountability
In this Help Net Security interview, Daniel Schwalbe, CISO at DomainTools, discusses the intensifying regulatory demands that have reshaped CISO accountability and daily decision-making. He outlines the skill sets future CISOs need, their key priorities for 2025, and how increased pressure impacts the role’s attractiveness and retention.
What specific regulatory demands have heightened the CISO’s accountability, and how has this affected their daily decision-making?
A recent change in the regulatory landscape that directly affected CISOs employed by publicly traded companies and heightened their accountability was the adoption of new rules by the US Securities and Exchange Commission (SEC), covering Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. The SEC now mandates that companies disclose material cybersecurity incidents within four business days via financial filings. It must include detailed information about the incident’s nature, timing, and impact on the company’s financial health.
Additionally the new rules require companies to include cybersecurity risk assessments and management processes in their annual financial disclosures. The new rules also introduced specific personal accountability for CISOs and other members of the C-Suite, with an emphasis on the fact that executives are expected to understand their individual responsibilities for ensuring the accuracy of their company’s financial disclosures.
Another regulatory update that affects financial institutions regulated by the New York Department of Financial Services (NYDFS), which includes any bank or brokerage doing business on Wall Street, increases the personal liability of CISOs. The rule changes require that CISOs, along with the organization’s highest-ranking executive, personally certify their organization’s compliance with the state’s Cybersecurity Regulations on an annual basis.
These changes to regulatory demands will likely affect the daily decision-making of a CISO who works for a company that is subject to the new rules in the following ways:
CISOs will be forced to be more vigilant when it comes to monitoring and managing cybersecurity risks, ensuring that all incidents are promptly and accurately reported.
There will be a greater need for collaboration between CISOs and other executives, particularly CFOs, to ensure accurate and comprehensive reporting of cybersecurity incidents.
CISOs will need to be more involved in strategic decision-making, aligning cybersecurity measures with business goals and ensuring that the board of directors is well-informed about cybersecurity risks and strategies.
CISOs will need to consider their personal liability, which could influence their approach to risk management and compliance efforts.
How have the pressures of the CISO role, including expectations around regulatory compliance and risk management, affected the position’s attractiveness to top talent?
When regulatory bodies like the SEC and NYDFS impose stricter compliance requirements, CISOs face greater personal accountability. This includes potential legal and financial repercussions for cybersecurity incidents. The risk of personal liability can deter top talent from pursuing or remaining in these roles.
Additionally, the rapid evolution of cyber threats requires CISOs to continuously update their skills and strategies. This constant need for adaptation can be overwhelming and may discourage potential candidates who prefer more stable roles.
The scope of the CISO role has expanded significantly over the past 10-15 years, and has moved from mainly technical oversight to strategic leadership, risk management, and regulatory compliance. The constant pressure to prevent breaches and manage incidents can lead to high stress and burnout, making the role less appealing.
This also means that modern CISOs must possess a blend of technical expertise, strategic thinking, and strong interpersonal skills. The requirement for such a diverse skill set can limit the pool of qualified candidates, as not all cybersecurity professionals have the necessary combination of skills.
The cybersecurity profession already suffers from a talent shortage, and the demanding nature of the CISO role exacerbates this issue, leading to high turnover rates. Organizations struggle to attract and retain skilled professionals who are willing to take on the extensive responsibilities and risks associated with the position.
As the CISO role increasingly involves board-level reporting, what skills or experiences do you think CISOs will need in 2025 that might not have been essential before?
CISOs will need to be able to effectively communicate complex cybersecurity issues to non-technical board members and executives. This involves translating technical jargon into business language, and clearly articulating the impact of cybersecurity risks on the organization’s overall business strategy. And as cybersecurity becomes integral to business strategy, CISOs must be able to think beyond immediate threats, and focus on long-term strategic planning. This includes understanding how cybersecurity initiatives align with business goals and contribute to competitive advantage.
A deep understanding of business operations and financial principles will be essential. CISOs will benefit from knowledge in areas such as finance, supply chain management, and regulatory compliance to make informed decisions that support the organization’s objectives. As the complexity of cyber threats increases, CISOs will need advanced skills in risk quantification and management.
CISOs will need to balance day-to-day operational demands with a strategic focus on long-term goals. This requires the ability to think critically about emerging threats and opportunities, and to develop strategies that ensure the organization’s cyber resilience.
Last but not least, a deep understanding of artificial intelligence and other emerging technologies will be crucial. CISOs will need to understand how these technologies can be leveraged for cybersecurity, as well as the new risks they introduce. As budgets tighten and the need for cost-effective solutions grows, CISOs will need strong negotiation skills to secure the best cybersecurity tools and services at competitive prices.
Given the expanding scope and pressures of the CISO role, are burnout and turnover becoming more significant concerns? What can organizations do to mitigate these risks?
Gartner predicted back in 2023 that many cybersecurity leaders would change jobs by 2025 due to work-related stress. The fact that this prediction does not seem to have fully panned out is likely due to macroeconomic factors. What remains true is that the CISO role often comes with an implied “scapegoat” component, where if a highly publicized breach occurs, the CISO will take the fall whether they are personally responsible for the incident or not. But overall, security teams have seen a general downsizing in 2023, which continued in 2024. This is especially true for threat intelligence teams and senior leadership roles, so CISOs were likely more hesitant to look for new jobs as the number of open roles has shrunk.
This hypothesis is supported by a recent CSO Online report, which states that there has been lower turnover for CISO roles. This likely means that even if a CISO finds their current position stressful and would like to make a lateral move to another organization, they may be out of luck at the present time.
What would you consider the top three priorities for CISOs as they look toward 2025?
Many organizations have accumulated a sprawling array of security tools over the years. In light of tighter budgets, CISOs now need to focus on optimizing these existing investments in order to reduce complexity and costs. This involves consolidating tools, and ensuring that remaining ones are used to their full potential to address security gaps.
For many CISOs, the emergence of new cyber threats that fully leverage generative AI technology, is a significant concern. As a result, CISOs are prioritizing investments in security tools that can enhance their defenses and close visibility gaps. Paradoxically, this can include using some AI solutions to improve threat detection and response capabilities.
As the complexity of hybrid and multi-cloud environments increases, CISOs will need to consider investments in advanced detection and response capabilities specific to cloud environments, which can help with fast mitigation of threats, reducing the potential impact on the organization.