CISOs Under Pressure: Balancing Automation, AI and Talent Shortages

Axonius Chief Product Strategist Ryan Knisley shares the growing pressures CISOs are facing in complex digital environments.
Sept. 12, 2025

Key Highlights

  • CISOs face rising complexity and ROI pressure from executives

  • Tool sprawl is driving a push toward streamlined security stacks

  • Talent gaps make automation and AI essential, but data quality limits impact

CISOs today are under a perfect storm of pressures: rapidly expanding digital environments, demands to demonstrate ROI on past security investments and an ongoing shortage of skilled talent. At the same time, organizations are turning to automation and artificial intelligence (AI) to close gaps and improve efficiency. But these technologies can only succeed if built on a reliable foundation of accurate data.

In this conversation, Ryan Knisley, Chief Product Strategist at Axonius, shares insights from his daily discussions with CISOs on how security leaders are balancing these pressures while working to strengthen resilience and reduce risk.

Leaving aside the CISA cuts for a moment, what are the greatest pressures currently facing CISOs?

In my new role at Axonius, I am talking with CISOs every day. What I hear is that CISOs are currently facing three significant pressures:

First, the scale and complexity of the digital environment. Almost every company today isn't just adopting digital—they are inherently digital businesses with rapidly expanding digital landscapes. Cloud infrastructure, applications, connected devices, and data footprints are growing exponentially, outpacing the ability of cybersecurity programs to keep up. 

In parallel, budgets for cybersecurity saw significant increases in 2020, 2021, and even into 2022. A few years on from those investments, CFOs and other business leaders are looking for evidence that those dollars have translated into real maturity gains. This dynamic has created rising expectations to demonstrate ROI, yet CISOs often find program maturity struggling to keep pace. 

That mismatch can create friction at the leadership level and lead to increased scrutiny, frustration, and ongoing pressure to show tangible cybersecurity advancements in a digital environment that keeps growing more complex. 

This challenge is reflected in recent research showing that while 81% of organizations feel prepared to manage critical vulnerabilities, it still takes them more than 24 hours to remediate them, leaving wide-open windows of risk. Nearly a third say they struggle with prioritization and risk assessment, and 27% cite a lack of integration between tools as a core blocker to timely response.

Next, CISOs face significant pressure around tool and platform consolidation. Many organizations historically have adopted a "shiny object" approach to cybersecurity, acquiring numerous best-of-breed tools that each address a specific threat or function. 

Over time, this approach has created sprawling and overly complex cybersecurity environments. Rather than reducing risk, these fragmented toolsets expand the attack surface of their asset architecture without the proper security controls, making the tech stack more vulnerable. 

CISOs today are under pressure to simplify and rationalize their cybersecurity stack to reduce complexity, improve efficiency, and, ultimately, decrease risk. This involves standardizing on fewer, more comprehensive platforms and maximizing their capabilities rather than maintaining numerous overlapping tools at partial utilization.

Last, but certainly not least, talent remains one of the most difficult challenges CISOs face. Traditionally, cybersecurity teams have tried to address the growing demands by simply adding more human resources. However, the cybersecurity talent market is highly competitive, and there are simply not enough skilled professionals to meet the growing demand. 

Budget constraints have also limited headcount growth for most cybersecurity teams. CISOs must therefore shift strategies, leveraging automation, artificial intelligence, and other advanced technologies to alleviate the burden on their teams. 

However, AI and automation can only go so far without the right foundation. Many organizations (42%) want to automate patching, and 40% hope to leverage AI for smarter risk prioritization but are discovering that their confidence in their security posture is based on incomplete or outdated data. 

Without a reliable, up-to-date view of assets and exposures, even the best AI models can misfire, introducing new risks instead of mitigating them. Building trust in data accuracy is becoming a prerequisite for truly proactive security strategies.

This focus frees cybersecurity professionals from mundane, repetitive tasks, enabling them to focus on meaningful, higher-value work, an essential factor in employee retention, satisfaction, and long-term workforce development.

How are CISA budget cuts likely to impact critical services, such as threat intelligence sharing and vulnerability management?

The specific impacts remain uncertain, as detailed allocations haven't been fully disclosed. This lack of clarity itself is concerning, since uncertainty complicates strategic planning. However, CISOs must remain agile and resilient, ready to adapt as circumstances shift.

Fortunately, threat intelligence sharing and vulnerability management don't solely rely on CISA. Organizations receive valuable intelligence from multiple sources, including other federal agencies (like the FBI and Secret Service), industry-specific Information Sharing and Analysis Centers (ISACs), and private partnerships. CISOs should proactively diversify their intelligence sources to avoid becoming overly dependent on any single organization.

Additionally, this moment presents cybersecurity teams with an opportunity to critically evaluate the tools and platforms currently in place. Historically, organizations have trended towards acquiring multiple cybersecurity tools, each addressing specific threats or tasks, which usually leads to inefficiency. 

The truth is that security teams aren’t short on tools; they’re short on answers. The problem they face is wholly a visibility problem. When an incident hits or leadership asks, “Are we at risk?”, teams must eliminate any guesswork by deploying a unified platform providing an automated, up-to-date view of their assets so they can respond with confidence instead of assumptions.

This shift improves operational efficiency and reduces complexity while also freeing up human and financial resources. To address higher-value cybersecurity tasks, teams require automated tools to deliver both actionability and visibility for complete asset management.

The data backs this up: 58% of organizations report adopting Continuous Threat Exposure Management (CTEM) frameworks to become more proactive. But many are still struggling to make it work, citing integration (38%), ROI measurement (35%), and automation (34%) as major hurdles.

And a common thread across all these challenges is unreliable data. If the underlying context is fragmented or incomplete, even the most ambitious CTEM strategy is built on shaky ground.

Why are CISOs being expected to manage both cybersecurity and business continuity issues?

CISOs are taking responsibility for business continuity because cybersecurity inherently affects an organization’s overall operational resilience. 

Cyber incidents, whether malicious attacks or system outages, directly impact continuity. Given that cybersecurity teams focus exclusively on protecting the organization's critical assets and operations, it naturally aligns with ensuring business continuity after disruptions occur.

Additionally, cybersecurity teams uniquely possess the mindset, infrastructure, and processes necessary to quickly respond to and recover from incidents. This integrated approach helps businesses better manage risks in the highly digitized operational environment of today.

Do you think this will raise the profile of the CISO within the business management structure?

Not necessarily. The profile of CISOs within the business management structure has already risen significantly due to the critical role cybersecurity plays in overall business risk management. Whether it's budget cuts or expanded responsibilities like business continuity, these changes themselves are unlikely to further elevate the role.

What truly raises a CISO’s profile is their ability to articulate cybersecurity as a strategic business issue rather than merely a technical one. CISOs who clearly communicate how cybersecurity directly contributes to business objectives, informs strategic decisions, and protects the organization's value will naturally maintain and build their influence within the leadership team.

What opportunities do these CISA budget cuts present for CISOs to foster stronger internal collaboration and build a more comprehensive, organization-wide cybersecurity culture?

These budget cuts underscore the importance of resilience and self-sufficiency. CISOs can leverage this moment to reinforce the message that effective cybersecurity relies on internal strength, collaboration, and diversified partnerships, not solely external agencies.

Internally, CISOs should emphasize building stronger cross-functional relationships, breaking down silos, and ensuring cybersecurity is embedded across all business units. Externally, CISOs can deepen collaboration with other federal agencies, private-sector organizations, and industry-specific ISACs to strengthen their threat intelligence and response capabilities. Ultimately, this situation presents an opportunity to reinforce an organization-wide culture of proactive cybersecurity resilience.

It’s also an opportunity to unify teams around a shared understanding of exposure. When everyone, from IT to security to operations, has access to the same accurate picture of what assets exist and where risk lives, collaboration becomes more fluid and informed. That common operating picture is what transforms cybersecurity from a standalone function into an enterprise-wide capability.

About the Author

Samantha Schober

Associate Editor

Samantha Schober is associate editor of SecurityInfoWatch.com.
