Cybersecurity in 2025: The State of the CISO and Security within the Business
As cyber threats continue to evolve, so too must the strategies employed to combat them. By reimagining cybersecurity as a strategic asset and empowering CISOs to lead this transformation, businesses can not only protect their digital assets but also drive innovation and growth. How do you navigate 2025? I offer five recommendations.
John Spiegel
6/3/2025, 5 min read


The role of the CISO, and how cybersecurity is viewed within the business, continues to move forward. As a relatively new function, cybersecurity is beginning to transcend its traditional role as a defensive mechanism and is emerging as a pivotal driver of business value. Driven by the adoption of digitization and an ever more complex threat landscape, it is only natural that organizations now recognize the imperative to integrate cybersecurity into their core strategic frameworks. Central to this transformation is the Chief Information Security Officer (CISO), whose role has expanded beyond safeguarding digital assets to becoming a key player in business innovation and resilience.
The Escalating Cyber Threat Landscape
In 2024, the average cost of a data breach reached a record $4.88 million, with U.S. enterprises facing even steeper losses averaging over $9 million per incident. Alarmingly, 88% of these breaches were attributed to human error, underscoring the critical need for robust cybersecurity training and awareness programs. Worse yet, according to the Ponemon Institute, 60% of breaches were due to unpatched systems. Additionally, the accumulation of software technical debt, which often opens another common attack vector, has reached $1.5 trillion. Together, these have real-world consequences.
Ransomware attacks have surged, affecting approximately 72.7% of organizations globally in 2023. The financial ramifications are staggering, with recovery costs averaging $3.58 million per incident. Notably, only 8% of businesses that paid ransoms successfully retrieved all their data, highlighting the futility of capitulating to cybercriminal demands.
Small and medium-sized businesses (SMBs) are highly vulnerable due to staffing challenges along with limited budgets. They currently account for 43% of cyberattacks. The consequences are often dire, with 60% of SMBs ceasing operations within six months of a cyberattack. The impacts on the economy are real. Overall estimates are $10.5 trillion per year when you account for data theft, loss of productivity, post-breach disruptions, ransom payments and reputational damage. This is up from $3 trillion a decade ago.
Cybersecurity: From Cost Center to Value Creator
All of this said, it is critical for the role of cybersecurity to move beyond risk mitigation. To have a “voice at the table”, the traditional business view of a “necessary expense” must be reimagined. To move forward, cybersecurity must become a catalyst for business growth. According to EY, organizations are now shifting their perspective, recognizing cybersecurity's potential to create value by enabling digital transformation, fostering customer trust, and ensuring regulatory compliance.
This paradigm shift necessitates a proactive approach, where cybersecurity is embedded into the fabric of business operations. By aligning security initiatives with organizational objectives, businesses can not only mitigate risks but also unlock new opportunities for innovation and competitive advantage. Thus, it is critical for cybersecurity professionals to learn the language of the business. If you are only talking about risk, you’ve got it wrong.
The Evolving Role of the CISO
Much like the business's evolving view of cybersecurity, the leadership role of the CISO has undergone a significant transformation. No longer confined to the IT department, CISOs are now integral to executive leadership, often reporting directly to the CEO or board of directors. This elevation reflects a broader recognition of cybersecurity's strategic importance.
In 2025, the average compensation for CISOs at large U.S. companies stands at $532,000, encompassing base salary, bonuses, and equity. However, this increased remuneration comes with heightened responsibilities, including overseeing business risk assessments, product security, and digital strategy development. It also means the cybersecurity leader must be “board ready” at a senior level, as they will be called on both to explain the nuances of digital risk and to guide the business on how to create competitive advantage over its competitors.
Despite their elevated status, CISOs face persistent challenges. A significant 80% report insufficient funding to implement robust cybersecurity measures, often forcing difficult decisions about which vulnerabilities to address. Additionally, the global cybersecurity workforce shortage, projected to reach 3.4 million by 2025, exacerbates the strain on security teams while the business is clamoring for new tools to unlock business value, such as GenAI.
Navigating Budget Constraints and Talent Shortages
Economic uncertainties have led to tightened cybersecurity budgets, compelling CISOs to do more with less. To navigate these constraints, CISOs are increasingly linking security expenditures to business growth initiatives, thereby justifying investments in cybersecurity as enablers of innovation and revenue generation. It also means rationalizing the portfolio of security point tools, which often do not generate the value expected of them. A report by IBM/Ponemon found that half of the security tools purchased are either misconfigured or underutilized. Thus, organizations are paying for capabilities they are not using effectively. This puts the CISO and senior security leaders on the back foot when discussing tightening budgets with their business leadership peers.
Talent is another area of concern, and a more complex one. As cybersecurity runs the gamut of the business and is also technical in nature, addressing the talent shortage requires a multifaceted approach. Organizations are exploring alternative strategies, such as upskilling existing employees, recruiting from non-traditional backgrounds, and leveraging artificial intelligence to automate routine security tasks. These measures aim to bolster cybersecurity capabilities without relying solely on an expanding workforce. However, they run the risk of either a lack of deep skills or, in a business with a poor culture, talent flight. As a result, the CISO and senior leaders must also focus on building a team culture that is rewarding and open. This is often missed, leading to high turnover and requiring the company to pay more for talent it already has in-house or must hire from outside.
Strategic Recommendations for Businesses
There is a lot to unpack here. The upside is that the role of cybersecurity in the business is not going away. It is now a requirement to compete and win in the market. Without it, the business is subject to the law of the savannah: the least prepared gazelle gets eaten. But that is the baseline. That is checking the box. It is not enough. Rather, cybersecurity leaders must look to harness the potential to be a value creator. To do so, here are five recommendations.
1. Integrate Cybersecurity into Business Strategy: Embed cybersecurity considerations into all aspects of business planning and decision-making to ensure alignment with organizational goals. Develop security ambassadors and attach them to the various business units. This not only promotes cybersecurity but helps develop business-minded security talent.
2. Empower the CISO: The CISO must have a seat at the table to influence strategic direction and resource allocation effectively. That said, the CISO must also understand the language of the business and seek to enable technology rather than block it.
3. Invest in Employee Training: Implement comprehensive cybersecurity awareness programs to mitigate human error, a leading cause of security breaches.
4. Adopt Advanced Technologies (but with a planned, strategic mindset): While leveraging AI and machine learning may seem to be a silver bullet, remember that only 50% of point security tools realize their value. Buying tools is not the answer. Thinking about how they work together is a better approach.
5. Develop a Resilient Cybersecurity Framework: Perhaps the most important recommendation. By establishing robust incident response plans and conducting regular simulations to ensure preparedness for cyber incidents, your business builds the muscle to take a cyber punch and recover. The days of the “no breach” policy are long gone. Applications, data and employees are no longer under the lock and key of the four walls of the business. They exist everywhere and operate 24x7. Thus, focus efforts on how to be resilient in the face of a crisis.
Conclusion
As cyber threats continue to evolve, so too must the strategies employed to combat them. By reimagining cybersecurity as a strategic asset and empowering CISOs to lead this transformation, businesses can not only protect their digital assets but also drive innovation and growth. In the digital age, robust cybersecurity is not merely a defensive necessity—it is a foundational pillar of sustainable business success.