What are the biggest challenges that a CISO faces today?

The role of Chief Information Security Officer or CISO has been around for 25 years, pioneered Steve Katz 1995, but only seems to have gained traction more broadly over the past 5 - 7 years.
The role has now firmly established itself as an integral part of the corporate hierarchy as enterprises have begun to take security concerns more seriously. Which is understandable as according to the IBM Security Cost of Data Breach Report; the Average cost of a data breach in 2020 was a staggering $3.86 Million.
Some of the key challenges faced by CISO’s and those responsible for a company’s security capability include, but are of course not limited to;
Hackers and Adversarial AI
Very likely near the top spot. Coming from multiple vectors, times and styles. The ol’ game of cat and mouse.
Human Error
There is a lot a CISO can do to mitigate risk and reduce the possibility of data breaches and system compromise. But that all gets thrown out of the window when an employee unknowingly falls for a phishing scam, clicks on ransomware, introduces Shadow IT etc
Tick box security
Probably the most challenging of all. When a company hires someone to focus on its security capability but isn’t really invested in it, but need to be seen to do something.
In reality in many cases this is down to the board, owners etc not understanding the importance and or impact of security.
Does the CISO join for the challenge and try to manage upwards, educate and make a difference? Or bang your head against the wall and leave like others have in the past.
Lack of Developed Security Professionals
When faced with threats from multiple vectors, a well-developed cybersecurity team poses the most reliable defence to hackers. But Identifying, sourcing, building and retaining that crack commando unit is no easy feat. There is a chronic skills shortage of the very best cyber talent in the industry. The top 25- 30% of talent in the industry have their head down and are well looked after. Combine that with the fact that the traditional methods that most internal talent teams and external recruiters use do not consistently attract this talent in a buoyant market, yet alone in the strange times we find our self in #2020, and it is no surprise that companies struggle and often fail to attract the very best talent .
Budget
Since the beginning of the IT services profession, budget allocation, constraints and reductions have always been a challenge. Allocating a budget into something where there is no obvious return can be a hard pill for a board to swallow. But in the case of security- no news is very much good news. Unless of course you have been breached and don’t know it.
Thoughts from an expert:
Robert Rodger, CISO at Butterfield Group.
Security is a team sport.
Often security teams fail as they try to own everything, the we can do it best mentality it creates animosity, is costly, does not scale and will fail. Security is a team game where everyone in an organisation needs to play their part. Enable teams to do their job securely, as a example; provide developers with the tools, knowledge and support to deliver security code and test it themselves. Do the same with the front-line business team, infrastructure folks. Do that and you have delivered one method of scaling security and making it culturally embedded not just a bolt on process.
Alex Radford, CISO at Global Processing Services Ltd
It sounds cheesy, but security really is everyone’s responsibility. It would be great if common sense was common but unfortunately it isn’t. One of the aims today, is to make security as simple as possible for the users to comply with, which means focusing on the core pieces of security such as good access control processes and simplifying the requirements on the users. Mistakes will still happen, and they are an opportunity to learn, but when they do happen having the correct controls to ensure impact is small is helpful for the business.
Good security is not just how many compliance standards have you passed, it needs to be pervasive and ongoing. Achieving standards is a demonstration that the right things are being done, but being secure is more than just the minimum to meet a standard.
Elliot Rose, Member of PA's Management Group
In the current challenging COVID19 conditions we are seeing an increase in attacks as organisations around the world have been forced to divert resources and adopt more porous operating modes. Organisations and employees are working out of habit and employee’s defences can be down, as they adjust to the new ways of working and are having to make significant personal adjustments to daily life in order to operate safely. Increasingly organisations are experiencing a greater number of attempts to ‘socially engineer’ an attack in order to elicit sensitive information. CISOs are under pressure to provide employees with secure collaboration tools and messaging facilities. Communication is also key and business leaders (not just the CISO) need to ensure that employees are fully aware of the increase security risks.
We are also seeing secure remote as a business enabler, driving greater take up of digitisation and reducing costly office overheads. Many organisations are already looking ahead and planning how they can make the most of their investment in secure remote working to grow their business further. That means CISOs need to properly understand the changes in the business that are planned, identifying where cyber security can underpin the changes in a way that is supportive to the business.
David King, RISO at OmnicomMediaGroup
“The Boy that cried Wolf”
We are (or perhaps ‘were’) often accused of being that boy… the one that cried wolf… and we all know how that ended! There is often a disconnect between what we, as security professional, say and what our customers, clients or users expect or hear. In the same way, we are often accused of scare mongering. The GDPR was an example of that “If you don’t do as we say you’ll end up with a massive fine”. We need to get better at telling impactful stories. Why we want the company to part with cash, why people need to do their training, why we need to install more agents on the machines and why we need to monitor the network. Telling the right kinds of stories helps people understand and appreciate what we are doing and why. It’s another way of building trust, and trust is key when you’re trying to develop a culture of security.

Latest Jobs
-
- Identity Channel Partner Manager | London
- London
- N/A
-
Identity Channel Partner Manager | London Location: South East UK (commutable to London) We are working with a Cyber Security business who are looking for a Channel Partner Manager to drive and grow relationships across their identity ecosystem. Prior experience working within VARs, distributors, vendors or resellers in the identity space is essential. You must have experience working with technologies such as CyberArk, Sailpoint, Okta etc Responsibilities will include, but not be limited to: Build, maintain and develop strong relationships with channel partners. Work closely with partner sales teams to support growth drive sales opportunities. Identify and onboard new partners while strengthening existing partnerships. Act as the key point of contact for all channel-related activity. If you are an experienced channel professional, with experience in the Identity space and are ready for your next challenge, apply today.
-
- Service Architect- DACH regions
- Germany
- Upto €110,000 plus bonus and benefits
-
Lead Service Architect with the authority and experience to take control of complex, multi-million-euro outsourcing bids. This role is about leading the Service/ solutioning effort, bringing structure to chaos, and driving the entire bid team to deliver winning proposals. The company area a global managed services business working with enterprise and public sector clients, across Cloud, End-User Computing, Digital Workplace, Service Desk, and Network Infrastructure. What You’ll Do: Lead Service/ solution design from qualification to contract. Control bid teams — architects, pricing, delivery, and SMEs. Break down RFPs/RFIs into actionable, costed, client-ready solutions. Present internally and to clients at decision-maker level. Run solution workshops, own the architecture, and shape the financial model. You’ll Need: Experience working as a Service architect, Service Manager or Customer Success Manager R Gravitas to lead and drive teams through high-stakes bids. Deep knowledge of managed services delivery and commercial models. Strong technical grasp: Cloud, Security, EUC, Unified Comms, Service Desk, and more. Experience leading deals across onshore, offshore, and hybrid delivery models.
-
- Deal Architect- DACH region
- Germany
- Upto €110,000 plus bonus and benefits
-
Lead Deal Architect with the authority and experience to take control of complex, multi-million-euro outsourcing bids. This role is about leading the solutioning/ Service effort, bringing structure to chaos, and driving the entire bid team to deliver winning proposals. The company is a global managed services business providing solutions to enterprise and public sector clients, across Cloud, End-User Computing, Digital Workplace, Service Desk, and Network Infrastructure. What You’ll Do: Lead the deal from qualification to contract. Control bid teams — architects, pricing, delivery, and SMEs. Break down RFPs/RFIs into actionable, costed, client-ready solutions. Present internally and to clients at decision-maker level. Run solution workshops, own the architecture, and shape the financial model. Be responsible for the service Wrap and ensuring the Service meets clients requirements You’ll Need: A back ground with IT Services Experience in a similar type of role, for example: Deal, Service, or Solution Architect in ICT outsourcing. Gravitas to lead and drive teams through high-stakes bids. Deep knowledge of managed services delivery and commercial models. Strong technical knowledge: Cloud, Security, EUC, Unified Comms, Service Desk, and more. Experience leading deals across onshore, offshore, and hybrid delivery models.
-
- Pre Sales Lead- IT Services
- Germany
- Upto €100,000 plus benefits
-
As the Pre-Sales Lead (Sales Engineer/ Solution Architect) you will drive large-scale ICT managed services and outsourcing deals (from €0.5M to €20M+). You'll work directly with Business Development and clients to design high-impact solutions across Cloud (Azure, IaaS, SaaS, PaaS), EUC, Unified Comms, Security (SIEM, PAM), Networks, and Smart Workplaces. What You’ll Do: Lead the end-to-end pre-sales cycle — from RFI/RFP to contract. Design innovative, client-specific solutions with technical & commercial impact. Present at CxO level and steer proposal strategies & financial models. Collaborate closely with Portfolio, Service Desk, Field, and Digital Workplace teams. Support deal shaping with strong knowledge of ITIL, SIAM, Automation, and cost analysis. What You’ll Bring: Have strong experience in pre-sales or solution architecture. Experience with €M+ managed service deals. Deep technical expertise in modern ICT stack and enterprise IT services. Strong German (C1) and English communication skills. Certifications: ITIL v3/v4 required; SIAM, ISO20000 desirable.