The CISO role continues to grow and expand, but not without obstacles that could prevent security executives from achieving their goals — or leave them trying to change positions altogether.
“The CISO job can be vastly different from organization to organization,” said Nick Kakolowski, senior research director at IANS. Those struggling are either not making headway with the C-suite to get them to realize the CISO can be a strategic role, or have too many areas to oversee, and are therefore burning out.
Kakolowski sees CISOs falling into two cohorts: executives who are underappreciated or overburdened.
The first are CISOs who are trying to advance a mature security program but confront a “situation where a business has yet to realize security’s role and ability to influence,” he said. “They’re really fighting an uphill battle.”
These CISOs can try to find cross-functional projects and “build relationships with business leaders,” Kakolowski said. That might be through steering committees like those on AI or governance, risk and compliance, to “show business leaders that [CISOs] bring something to the table that is valuable on a purely business level.”
Undervalued CISOs are more common at smaller organizations. Nearly half of CISOs engage with their boards monthly or quarterly, according to the IANS Research and Artico Search 2025 State of the CISO report. For companies with annual revenues exceeding $10 billion, almost two-thirds of CISOs interact with the board at least quarterly.
But at organizations with annual revenues under $400 million, only 37% reported monthly or quarterly board engagements; and 42% meet with their boards on an ad hoc basis — if they meet with them at all.
CISOs who are struggling to communicate with the board should tell a story explaining how their challenges translate to business risk, said Steve Cobb, CISO at SecurityScorecard. Data can also help tell that story, but it has to be in a format that senior leaders can digest.
Bar charts and graphs are not always the best way to present risk. “They always cause more questions than they do answers, and lead to confusion and frustration,” said Cobb. CISOs can be more effective by providing actionable insights on things like revenue and brand reputation.
Beast of burden
The second cohort consists of CISOs who have a lot of exposure to an executive suite and board that realize the importance of security, but who are now expected to do a lot more.
“Scope creep is really getting out of hand,” Kakolowski said.
In its report, IANS found that nine in 10 CISOs are responsible for infosec domains, including security operations, architecture and engineering, governance, digital risk and compliance.
That’s not surprising as those responsibilities fall under the traditional CISO role.
But IANS also found that 50% to 99% of CISOs have a scope that includes identity and access management, application security and cloud security. The majority of CISOs surveyed have taken on more business risk functions, too, such as business continuity, third-party risk management and product security.
That’s not all though. In the same report, IANS and Artico found that up to half of CISOs are overseeing enterprise risk management, and taking on more security functions like physical security, privacy or fraud protection, or owning parts of the IT stack.
There is a smaller group, less than 1 in 4, who are now covering emerging domains including AI, M&A security, data governance, comprehensive IT oversight, digital transformation and innovation.
These responsibilities can help CISOs maintain influence over an organization, but they can also put too much on a CISO’s plate. “CISOs are struggling with, and continue to struggle with, the business use of AI and large language models,” said Cobb.
The organization may want the promised efficiency benefits of these new technologies, but it’s left to CISOs to figure out how that will work. “CISOs have to understand the ins and outs of AI and how their users are using it, and how they’re going to protect the control and usage. It adds extra work to an already busy day,” Kakolowski said.
Some CISOs are “almost taken advantage of by the organization,” said Kakolowski. Enterprises need to delegate, he said. “When you have heads of functions who can take on more, it frees up the CISO to take on a wider range of tasks and influence the business in more ways.”
Budget, salary and burnout
Though still increasing, budgets are “growing at a declining rate,” said Kakolowski. Average security budget growth rose from 6% in 2023 to 8% in 2024, an IANS and Artico 2024 benchmark report on budgets shows. But that represents a marked growth slowdown from 2022, when budgets saw 17% growth.
Last year, a quarter of CISOs reported flat budgets, while 12% said their budgets had declined.
Security budgets aren’t growing by leaps and bounds as before, but that’s usually a result of an organization’s maturity. “Organizations are not investing for the first time, but it’s also a reflection of general conservative spending across corporate environments over the past few years,” Kakolowski said.
Vendors are also raising prices, which can pinch those budget increases more, according to Kakolowski. This is being complicated by the race to integrate AI solutions, which isn’t cheap.
The talent shortage continues to stretch on, too. “There isn’t enough budget to really compete for skilled, experienced staff or to retain skilled experienced staff,” he said. “CISOs are really running into barriers at finding the right people on the budget and resources to bring those people in or retain them.”
CISO salaries aren’t growing in kind with the extra workload, either. IANS found that only 3% of CISOs chalked their raises up to taking on a wider scope of responsibilities. The report also found that 7% of CISOs primarily gained more income by landing a job elsewhere, a move that was often accompanied by taking on a role with more responsibilities.
Budget constraints, a heavy workload, and job dissatisfaction can lead to burnout, but turnover remains low.
“CISOs just haven’t been seeing jobs on the surface that are significantly better to justify a move,” Kakolowski said. But that could be changing with expectations for economic growth. “Hopefully we’re on the upswing, and we expect to see more CISO movement in 2025.”