Many security leaders believe a cyberbreach is inevitable, with the timing being the only uncertainty. It’s a belief encapsulated in the common refrain that a breach is “not if, but when.”

But a growing number of CISOs now expect an incident sooner than later: Some 76% said they feel at risk of experiencing a material cyberattack in the next 12 months, according to the Voice of the CISO Report released by security tech company Proofpoint in August 2025. That’s up from 70% the prior year.

The report also found that 58% of CISOs believe their organization is unprepared to respond.

Besides the overall feeling of near inevitability of attack, security chiefs acknowledge that various challenges keep them from boosting their overall security posture and feeling more confident in their ability to block or respond to attacks.

Here, security leaders share four issues that hold back the enterprise security agenda.

1. Failure to train and empower team members to act on priorities

CISOs readily admit their security teams have more work to do than can be done. That leads to a lot of stress: Some 80% of CISOs report being under high or extreme pressure today, according to the 2025 CISO Pressure Index from tech maker Nagomi Security, and 87% said that pressure has increased over the past 12 months. Additionally, 67% report being burned out weekly or daily.

“Every CISO feels very overwhelmed,” says Omar Khawaja, who leads Databricks’ field security practice, teaches at Carnegie Mellon University’s CISO program, and sits on the boards of HITRUST and FAIR Institute.

To cope, CISOs have become skilled at prioritizing, with tasks that reduce the most significant risks to the organization topping their lists.

Too often, however, CISOs don’t train their team members so they can competently make decisions and take actions that align with those priorities, says Khawaja, a former CISO at Highmark Health.

That keeps executives making all the priority calls, which ties them up and slows the whole team down.

CISOs should aim to have team members know when and how to make prioritization calls for their own areas of work, “so that every single team is focusing on the most important stuff,” Khawaja says.

“To do that, you need to create clear mechanisms and instructions for how you do decision-support,” he explains. “There should be criteria or factors that say it’s high, medium, low priority for anything delivered by the security team, because then any team member can look at any request that comes to them and they can confidently and effectively prioritize it.”

2. Inability to keep pace with AI innovation and adoption

Executives and employees alike have been rushing to adopt artificial intelligence, enticed by expectations that AI will transform workflows and save time, money, and effort.

But CISOs for the most part have not kept pace with their business colleagues’ rate of AI adoption.

According to a survey of 921 IT and cybersecurity professionals conducted for Cyera’s 2025 State of AI Data Security Report, 83% of organizations use AI but only 13% have strong visibility into how those systems access or handle sensitive data; only 16% treat AI as a distinct identity; only 11% of organizations can automatically block risky AI activity; and only 7% have a dedicated AI governance team.

“Most CISOs are wrestling with how to secure AI,” says Robert T. Lee, chief AI officer and chief of research at SANS, a security training and certification firm.

According to Lee, a good number of CISOs still either prohibit proposed AI use cases because of security concerns — what he terms the “Security Framework of No” — or slow adoption while they evaluate the AI’s security.

“There is a general lack of knowledge on how to approach AI,” Lee says.

In fairness to CISOs, the business doesn’t always help matters here, Lee notes. “At many organizations their AI strategy is changing quickly; a new AI version comes out and so their agenda changes, and then a month later something else new comes out and it changes again. There is this moving target of what the security team is being asked to secure,” he says.

Regardless, Lee says it’s clear that the security team’s inability to keep pace with AI innovation and the enterprise’s desire to quickly adopt is problematic. It stymies the organization’s agenda by slowing transformation. It also hinders the security department’s success, because the business often bypasses security altogether rather than have to slow or stop its AI journey.

As a result, CISOs and their organizations end up with shadow AI, unmanaged agents, and opaque data flows that create an expanded and poorly secured attack surface, Lee adds.

Of course, there is still a need to adequately evaluate and secure AI deployments, Lee says, adding that organizations should not simply accept vendor assurances that their AI components are secure.

According to Lee, the CISOs who keep pace with their organization’s AI strategy take a holistic approach, rather than work deployment to deployment. They establish a risk profile for specific data, so security doesn’t spend much time evaluating AI deployments that use low-risk data and can prioritize work on AI use cases that need medium- or high-risk data. They also assign security staffers to individual departments to stay on top of AI needs, and they train security teams on the skills needed to evaluate and secure AI initiatives.

3. Limited adoption of AI for security operations

Like their business colleagues, some CISOs are embracing AI to transform their operations — but they appear far from being a majority, despite the benefits the technology brings to cybersecurity.

The 2025 ISC2 Cybersecurity Workforce Study found that only 28% of the 16,000 enterprise leaders surveyed had integrated AI tools into their security operations. The study found 19% testing them and 22% in the early evaluation phase.

“CISOs are playing a bit of catch-up” in terms of deploying AI at the same speed as the business, says Jon France, CISO of ISC2, a cybersecurity training and certification organization.

That slow pace exists even though use of AI in security operations is proving beneficial, France adds, noting that 63% of those who are using AI security tools reported a significant boost to their productivity.

According to the ISC2 study, “In terms of where AI is expected to have the most impact on cybersecurity operations in the shortest amount of time, 40% pointed toward network monitoring for the highest positive impact, followed by security operations and security testing (both at 30%), vulnerability management (29%), threat modeling and endpoint protection (both at 28%).”

4. The lack of needed talent and required skills

Although CISOs have long cited challenges in hiring enough qualified security workers, they’re increasingly citing it as a roadblock to advancing their security agendas.

The 2025 State of Cybersecurity Resilience from professional services firm Accenture found that 83% of IT executives identified their cyber talent shortage “as a major obstacle to achieving a strong security posture.”

The ISC2 study highlighted a two-headed problem.

First is the talent shortage, with 63% reporting in 2025 that they have a slight or significant cybersecurity shortage, a modest improvement over the 68% who said as much in 2024.

Second is the skills gap. According to the report, 59% in 2025 have critical or significant skills needs, up from 44% in 2024, and 95% have at least one skills need, up 5% on the previous year. Survey respondents said AI was the most pressing skills need (41%), followed by cloud security (36%), risk assessment (29%), application security (28%), security engineering (27%), and governance, risk and compliance (also at 27%).

“We need people who are suitable to discharge the duties of security roles today,” France says.

Khawaja also cites the lack of “the right skills on the security team” as an obstacle for CISO success.

However, Khawaja sees the challenge for CISOs as being not about hiring for technical skills or even soft skills, but for what he calls “middle skills,” such as risk management and change management. He sees these skills becoming more crucial for aligning security to the business, getting users to adopt security protocols, and ultimately improving the organization’s security posture. “If you don’t have [those middle skills], there’s only so far the security team can go,” he says.

Although CISOs are fighting labor market forces that are well beyond their direct control and influence, Khawaja and others say there are steps CISOs can take to address their talent and skills shortages. A solid talent strategy that focuses on hiring for skills and competencies, they say, can help CISOs get what they need to advance their security agendas.
