STRATEGIC INSIGHTS FOR CYBER LEADERS
Have you ever wondered why people are chosen to become CISOs?
Ira Winkler, a former Chief Security Architect at Walmart, wrote an article that explores why people are chosen to become CISOs and what it takes to succeed in that role. It highlights that CISOs are often chosen based on a combination of gut instinct, experience, and intangible soft skills, as well as proven communication and executive presence to effectively work with organization executives and boards. He also contrasts the "art" of a seasoned CISO's gut-based decision-making with the emerging application of science and data-driven approaches in cybersecurity leadership. It discusses the preference for external hires over internal promotions like Deputy CISOs, since experienced CISOs tend to have demonstrated the ability to influence at the executive level. Read his article here.
In an article entitled "Is the generative AI bubble about to burst?", Matthew Tyson argues that the AI industry could experience a significant correction in 2025. He contends that AI hype peaked in 2024 and anticipates a pullback in promises, investment, and exaggerated marketing in 2025 due to these factors:
AI technologies have underdelivered compared to the hype, with terms like "AI-enabled" becoming overused and likely to lose their marketing appeal.
The industry will settle into practical, narrower AI use cases rather than broad or general AI claims.
Generative AI is expected to become a tool used mainly for automating workflows, product creation, and basic security tasks, rather than transforming industries overnight.
Cyber threats will grow with AI-enabled social engineering and phishing attacks becoming more sophisticated due to AI’s low barrier to entry.
The article reflects a growing consensus that while AI has real potential, many organizations are still struggling with integration and ROI, and the exuberant valuations seen recently are unsustainable. Read this article.
Cyber leaders are besieged not only by malicious code but also by an unending wave of stress and mental fatigue. The weight of constant vigilance, the pressure of imminent breaches, and the unyielding demands of their high-stakes environment are forging a silent crisis, one that threatens to compromise not just their well-being, but the very security they are trying to protect.
The article "The Human Firewall: Why Prioritizing Mental Health is Essential for Cybersecurity Success", written by Megan Thome, discusses the mental health challenges faced by cybersecurity professionals and recommends four actionable strategies for organizations to prioritize mental health in cybersecurity. Leveraging technology such as automation tools can reduce cognitive load by simplifying communication and workflows, decreasing error rates and supporting mental health. Organizations investing in mental health are protecting their most valuable asset, their people, which in turn strengthens cybersecurity defenses. Read this article.
A new wave of AI-powered attacks is pushing companies to adjust their cybersecurity spending, according to a new survey of CISOs worldwide by BCG and GLG.
The survey results show that AI-powered cyber attacks have become the top concern, cited by 80% of CISOs in the survey. Persistent concerns like cloud risk, third-party security, and endpoint protection continue to hold steady. To prepare for AI-powered attacks and evolving cyber threats, CISOs expect to continue increasing spend across cyber categories, especially in threat intelligence and application security—and increasingly on AI-enabled solutions. Given the evolving landscape of cyber threats, companies cannot afford to relax. That is particularly true for AI-empowered threats, which increasingly rely on social engineering and fraud and are extremely cheap to produce convincingly and at massive volume. View this survey.
Budget time is here. Do you struggle with getting your cyber budget for the new year?
An article entitled "Navigating the Cybersecurity Budget Tug-of-War" written by Scott Cooper, a VP at Index Engines, addresses the complex challenges organizations face when allocating budgets for cybersecurity. A tug-of-war exists between IT operations teams prioritizing system availability and performance and cybersecurity teams emphasizing data protection and compliance. He provides insights into navigating internal budget battles by advocating for balanced, coordinated, and business-aligned cybersecurity investments. Read this article.
In the past 25 years, successive cycles of security innovation have brought more complexity and new challenges, and have generated opportunities for career growth: from combatting mass-market worms like ILoveYou, to organised cybercrime such as botnets and DDoS campaigns, to cloud security threats and DevSecOps, and finally to targeted Advanced Persistent Threats (APT) and ransomware attacks. Each cycle fueled demand for new defensive skillsets and more cyber professionals.
Today, the AI era will redefine both the attack surface and defense strategies. This will open green fields for cybersecurity careers, as innovation sparks fresh opportunity. Cybersecurity leaders will focus on how organizations will secure AI solutions, given that these systems are inherently designed to ingest, interpret, and act on available data. An article entitled "Will Secure AI Be the Hottest Career Path in Cybersecurity", written by Melina Scotto, Founder of Mastin & Associates, explains why securing AI will be the next hottest career path in cybersecurity. Check out this article.
Being a CISO today is a balancing act of strategic leadership, financial literacy, technical expertise, and human connection, regardless of the company size. The role is no longer about defending the perimeter; it's about driving the business forward with resiliency while managing risk with clarity, courage, and strategic intent.
An insightful article entitled "Redefining the Role: What Makes a CISO Great" published by Dark Reading discusses how the CISO role is evolving to meet new demands in cybersecurity leadership and shares 11 key takeaways about what it really takes to be an effective CISO. Read this article.
Many cyber leaders are concerned about the new security risks that will be introduced by agentic AI applications.
Good news. The Open Worldwide Application Security Project (OWASP) has published a new Securing Agentic Applications Guide for securing agentic AI applications powered by large language models (LLMs). This guidance offers concrete technical recommendations for developers and security professionals involved in building AI agents with autonomous, multi-agent capabilities. Agentic AI applications operate autonomously, passing data or results between AI tools without human prompts, adapting dynamically to changing environments. This autonomy can raise significant security concerns, especially when these AI systems write code, configure systems, or operate with minimal human oversight. There is also concern that such technology could be exploited by cybercriminals to automate attacks like account takeovers. This guidance aims to address the gap in traditional application security methods, which do not fully cover the complexities of agentic AI with its autonomy and multi-agent interactions. Download this report here.
The Q3 2025 "CISO Top 10" rankings, published by CyberRisk Collaborative, offer a sample roundup of the areas that cyber leaders will be focusing on in the coming quarter amid rising geopolitical tension, regulatory scrutiny, and digital transformation. The report is organised into two sections - "Executive Management Priorities" and "Technology Priorities" - that capture the changing expectations, cyber risks, and leadership priorities facing CISOs. Together, the two sections give an important update on a dynamic profession undergoing major reinvention. Download these reports here.
It is not just about hard technical skills. Soft skills matter for effective cyber leadership too.
The article "Why Sincerity Is a Strategic Asset in Cybersecurity" from SecurityWeek emphasizes that sincerity is foundational to successful cybersecurity programs because it builds trust, fosters teamwork, and enables genuine risk reduction. The writer contrasts sincerity with insincerity, likening insincere actors to merely "hitting play" on a talk track, which fails when engagement and improvisation are required. The essence is that better security starts with sincerity at every level—from leadership to individual contributors—and influences technology, process, and people aspects of cybersecurity programs. Read more here.
While the CISO role is critical and increasingly influential, it is also marked by high stress, growing complexity, accountability pressures, and evolving technological challenges. These factors contribute to the role’s reputation as difficult and sometimes undesirable. In this article, "Has CISO become the least desirable role in business?", CSO Online highlights the challenges that CISOs face and proposes measures that they can take to develop broad leadership, technical, and strategic skills to succeed in 2025 and beyond. Read this article.
Imagine AI agents working autonomously for your team, performing complex tasks by mimicking human decision-making and interacting with external systems. Sounds good?
While agentic AI offers powerful automation benefits, it also presents a complex and evolving security challenge. CISOs must understand and address these new attack surfaces through careful agent selection, robust oversight, strong security controls, and cautious adoption to safely leverage agentic AI in their organizations. "The Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore" by SecurityWeek examines the benefits and risks that Agentic AI brings. Read this article.
This question can be a good opportunity to shine or a tough one to answer, especially when it comes from a member of your C-suite or Board. SANS has released a CISO Scorecard and Cloud Security Maturity Model poster to provide a comprehensive framework to help cybersecurity leaders assess and advance their leadership performance and cloud security posture. This poster will also enable CISOs to manage cyber risks and align security with their organizational goals. You may download this infographic.
The Security Guidance for Critical Areas of Focus in Cloud Computing, now in its 5th version, is a comprehensive resource for understanding modern cloud components and cloud security best practices. This new version incorporates the latest developments in areas such as Zero Trust, Generative AI, CI/CD, Security Monitoring and Operations, Resilience, Cloud Telemetry, Security Analytics, and Data Lakes. Published by the Cloud Security Alliance, this guide is vendor-neutral and reflects real-world cloud security practices, making it a vital resource for organizations and individuals involved in cloud security. Download this report.
How does one steal from the world’s most secure banks and government facilities - without breaking a single law?
This book is a gripping and often humorous account of the author's work as an ethical hacker and social engineer. FC aka Freakyclown, an elite penetration tester with over 20 years of experience, shares vivid real-life stories of testing physical security at some of the world's most secure banks, government facilities, and companies by attempting to "steal" money, data, and other valuables—without breaking any laws. Overall, How I Rob Banks is recommended for anyone interested in cybersecurity, physical security, or thrilling true stories of espionage and penetration testing, blending practical security insights with Ocean’s 11-style intrigue.
The Hackers News is offering a FREE copy of this eBook (worth $25) for a limited period now. Get your copy here.
The article "A CISO's Guide to Reporting on Cloud Security (Without Putting Everyone to Sleep)" by Sarah Elkaim offers practical advice for CISOs on effectively reporting cloud security metrics to stakeholders, especially boards, without overwhelming them. Reporting is critical not only for demonstrating security but also for validating the security program’s value by showing how efficiently threats are detected and resolved, risk is reduced, and resources are used wisely. Elkaim offers a valuable list of essential metrics for CISOs to track. Presenting real incident case studies alongside metrics makes reports more tangible and relatable for stakeholders. Reporting should show how security efforts enable faster innovation and reduce disruptions, linking security to broader business goals. This is a recommended read for all CISOs and cyber leaders. Read this article here.
Top Trends in Cybersecurity for 2025 | Infographic 1 July 2025
This Gartner infographic lists 9 top cyber trends and it emphasizes the need for more focused cybersecurity programs that prioritize business continuity and collaborative risk management. CISOs in 2025 will do well to enable secure, AI-enabled business transformation while embedding resilience and collaborative risk management across their organizations. This requires agile capabilities, clear accountability, and a balance between security and business enablement. Download this infographic.