The Essential CISO Primer [Second Edition]
CybelAngel’s comprehensive CISO Primer 2025 is now available – featuring insights from leading cybersecurity executives.
This comprehensive primer, developed through extensive interviews with CISOs and senior cyber professionals, reveals the real challenges facing security leadership today. From AI-powered threats to regulatory pressures, this data-driven analysis covers what is front and centre for CISOs.
The research features contributions from cybersecurity leaders including Gerhard Burtscher (SEFAR), Niamh Vianney Muldoon (CISO and Board Member), Olivier Busolini (Mashreq Bank), and Jaïs Pingouroux (CybelAngel).
CISOs are operationally stretched
The data paints a concerning picture of CISO burnout and operational challenges.
94% of CISOs surveyed in a Proofpoint 2025 report cite job-related stress affecting their performance, with 63% experiencing or observing burnout this year, pointing to worrying levels of stress among cybersecurity executives.
The talent shortage continues to compound these pressures.
Organizations are struggling with “patchy, painfully long, and time consuming” recruitment processes, particularly for AI security specialists and cloud experts. This shortage directly impacts operational resilience when teams are already stretched thin.
But the most striking challenge? Tool sprawl.
Organizations now juggle over 75 security products on average, with some enterprises managing even more. This fragmentation isn’t just operational complexity – 44% of CISOs, according to a Gigamon survey, were unable to detect a data breach in the last year using their existing security tools.



The data behind the most critical CISO challenges today
Our research identifies five critical pressure points dominating the CISO agenda:
- AI-powered threat escalation: 80% of CISOs identify AI social engineering as a primary threat. In a similar vein, generative AI is driving sophisticated phishing campaigns, polymorphic malware, and hyper-realistic deepfakes that stretch already thin resources.
- Alert fatigue crisis: Security operations centers are receiving up to 10,000 alerts daily, with 54% of alerts never investigated due to overwhelming volume. This data deluge is paralyzing threat response capabilities.
- Shadow IT expansion: Unknown assets account for up to 40% of an organization’s total technology environment. 70% of CISOs express concern about insufficient visibility into their external attack surface, a key blind spot that 21% of data breaches exploit.
- Compliance pressure: New regulations like DORA and evolving AI governance requirements are reshaping compliance landscapes. 75% of the world’s population will have personal data covered by privacy regulations by the end of 2025, requiring global compliance strategies.
- Budget constraints: Cybersecurity spending has dropped to 6.4% of overall IT budgets, forcing teams to optimize existing investments rather than expand capabilities.
How to better communicate risk to the C-suite as a CISO
The successful CISOs we spoke to are transforming how they communicate with boards and executives. Wider data supports this.
78% of board members feel cybersecurity reports are overly technical and fail to connect threats to business outcomes. The shift is from activity metrics to outcome-driven metrics — moving from “We blocked 500,000 threats” to “We reduced financial risk exposure of crown jewel assets by 40%.”
Key metrics that resonate with executives include:
- Time to remediate critical AI vulnerabilities
- Third-party AI supply chain risk exposure
- Ransomware recovery time objectives
- Business impact of external exposures
Only 44% of CISOs have direct communication channels to their CEOs, limiting effective advocacy. By 2026, 50% of CISOs will be required to formally report on business risks associated with cyber-physical systems and external exposures.
The most effective approach? Frame cybersecurity as a business enabler, not just a cost center. Organizations using unified security platforms see up to four times greater ROI than those with fragmented stacks, averaging 101% ROI versus just 28%.
The bottom line: This primer reflects a challenging year where attacks, breaches, and business impact continue to escalate. However, organizations that embrace strategic AI adoption, consolidate their security stacks, and communicate in business terms are building resilient foundations for future growth.
Why read more?
This primer focuses on measurable impacts, strategic frameworks, and actionable recommendations.
The research methodology combines quantitative data with qualitative insights from practicing CISOs, creating a resource that bridges the gap between technical challenges and business outcomes.
