6 critical security gaps every CISO must address

CISOs acknowledge that no organization is completely safe, but many also admit their security measures aren’t where they’d like them to be.

One-third of CISOs surveyed for Proofpoint’s 2025 Voice of the CISO Report said the data within their organization is not adequately protected, and 58% said their organizations were unprepared to respond to a cyberattack. Meanwhile, only 67% believed their organizations offered adequate budget, staff, and tools to meet their cybersecurity goals.

Such figures indicate that critical cybersecurity gaps remain in many, if not most, organizations. As adversaries lean into automation and artificial intelligence, the pressure is mounting to address security gaps that could be exploited. Here are six critical security gaps that demand CISOs’ attention, according to their IT security leader colleagues and industry observers.

1. The perception gap

Although CISOs have become more business-oriented in recent years, many still view their primary job as protecting digital systems when they should see it as ensuring business resilience, says Errol Weiss, CSO with Health-ISAC.

“CISOs still think of a bad day from the IT perspective; they still think of security as an IT problem,” he notes. “They need to shift from protecting systems at all costs to instead building resilience and thinking about the downstream impacts when something fails.”

Weiss notes that part of the reason this gap persists in many organizations is because business continuity, which is at the heart of resilience, usually falls to executives other than CISOs. “The business continuity piece has traditionally been someone else’s problem, but now it has to become a focus for the security organization,” he says.

When CISOs think broadly about how digital threats could impact the business, rather than focusing on how attacks impact the IT environment, they get a more accurate view of the top risks and can better assess the blast radius of an incident, Weiss explains. That in turn enables CISOs to prioritize defensive moves and remediation actions more effectively, making it more likely that an incident can be contained without unexpected follow-on impacts that stymie business operations.

The 2024 cyberattack on Change Healthcare, the consequences of which rippled through the entire healthcare industry, shows why CISOs need to close this gap in perspective on cyber threats and risk, he says.

2. The gap between the speed of threat actors and security

The 2025 Year in Review report from threat intelligence firm Cisco Talos stated that “the 2025 threat landscape was defined by an unprecedented acceleration in the speed of vulnerability exploitation, with adversaries weaponizing new security flaws like React2Shell and ToolShell almost immediately upon disclosure.”

Most security teams aren’t moving as fast, creating an agility gap between them and the threat actors, says Buck Bell, director of security strategy at IT services provider CDW.

“Most of the gaps we see today are execution gaps,” he adds.

Many security programs still feature legacy thinking, including “some static security measures in a world that needs real-time adjustments,” he says. Monthly penetration testing and Patch Tuesday-style patch cycles, for example, are relics of an older era yet remain in some security departments. “The reality is that organizations today need to execute at a higher velocity,” he adds.

Bell says leading CISOs are adding speed to their operations by adopting AI, automation, and practices such as continuous threat exposure management (CTEM).

3. The gap between the speed of the business and security

Similarly, some CISOs also need to increase their speed and agility so that security can move as quickly as the business does. As professional services firm PwC notes in its 2026 CISO Outlook, “The CISO role is at a pivotal moment. As technology accelerates and new threats emerge, you’re expected to lead at the pace of change. AI, quantum computing, and a hyperconnected world are reshaping risk — and your business is watching.”

Chirag Shah, global information security officer and data protection officer at software company Model N, knows that business is the pacesetter these days. “Business wants to run faster, and if they’re wanting to run faster, that means we at security and compliance have to run with them,” he says.

But he also knows security struggles to keep up. “We’re always playing a catchup game,” he adds.

Shah has taken action to add speed, such as upskilling security staffers on AI so they’re ready to work with the business on their priority projects.

Chris Cochran, field CISO and vice president of AI security at SANS Institute, says CISOs who adopt frameworks and standards and who collaborate with their security colleagues can also add speed by learning and deploying proven tactics that can quickly expand and scale as the business changes.

4. The gap between existing and needed skills

CISOs have long struggled to get the talent they need. In the past, the issue centered mainly around getting enough people to fill roles; now they’re more concerned that security pros don’t possess the updated skills they need to succeed.

According to the SANS 2026 Cybersecurity Workforce Research Report, “the cybersecurity workforce is undergoing a fundamental transformation. Organizations are rebuilding their teams from the top down as artificial intelligence disrupts traditional entry points while regulatory compliance demands create new frameworks for skills validation. This convergence is producing a widening skills gap that organizations struggle to close, even as they increasingly recognize that having the right abilities matters more than simply adding headcount.”

It further states that “the need for specialists in new roles nearly doubled year-over-year, while additional hiring for existing skills increased substantially.”

Here, CISOs’ concern has accelerated: 60% of security leaders identified this skills gap as their primary workforce challenge in 2026 (up from 52% last year), compared with 40% who said headcount shortages were their chief issue.

Beth Miller, global field CISO at software maker Mimecast, says it’s not just a skills gap within security that plagues CISOs but a gap in needed security skills throughout the organization.

“You can have a fully skilled security team, but if you don’t have security skills in the business, too, you still will have a gap,” she says.

Closing the gap requires “investing in the human layer across the organization,” she adds.

SANS Institute’s Cochran made similar observations, saying CISOs need to build a culture of continuous learning and training. “Closing the gap comes down to one word: intention,” he says.

5. Gaps in securing AI deployments

CISOs lag in securing AI deployments for several reasons.

To start, Mimecast’s Miller says, “the mandate around AI is moving faster than CISOs are prepared for. The pattern we’re seeing in our and other organizations is that leadership announces an AI adoption initiative, it’s top down, and it’s often tied to competitive pressure or board expectations. And then within weeks business units are building AI tools, connected to data, and integrating AI into existing systems, and CISOs are finding out about these [initiatives] during or after implementation.”

There are also the AI deployments happening from the bottom up, often without any leadership involvement or knowledge at all. “Shadow AI is happening industry wide,” Model N’s Shah says. And while security or IT may find those deployments after the fact, that discovery doesn’t erase the security gap on its own.

Experts also cite two further challenges: first, developing the right security controls for AI as the technology evolves, and second, getting everyone to buy into and then follow those controls and governance frameworks as they change along with the technology. Those dynamics inevitably create gaps between what is needed to secure AI and the controls that are actually being implemented.

“It’s a governance gap masquerading as an IT problem,” Miller adds.

The SANS report found that only 54% of surveyed organizations had AI security policies in place and only 20% had comprehensive governance frameworks ready, with about 75% either implementing or still building governance structures.

SANS concluded that “AI security governance is still in early days.” Other experts acknowledged as much, saying that CISOs need to lean on observability tools, executive influence skills, AI-related security awareness and training, emerging AI security best practices, and new AI governance frameworks to close what seems to be a yawning gap in many organizations.

6. The legacy gap

Jason Lish, Cisco’s global CISO, says many business leaders have adopted a “set-it-and-forget-it mentality” with technology, resisting moves to modernize IT as long as systems perform and aren’t differentiating.

That challenges not only CIOs as they try to integrate AI and other new technologies into legacy tech, but also CISOs as they seek to implement modern security practices and technologies, Lish explains. And it’s becoming a more acute security problem as threat actors become more skillful at using AI to exploit out-of-support systems and legacy tech that can’t implement modern security controls.

A 2026 study from the National Association of State CIOs and Deloitte & Touche found that CISOs listed legacy infrastructure as one of the top three barriers to meeting cybersecurity challenges, along with the increasing sophistication of threats and insufficient funding for cybersecurity.

“CISOs should be thinking about a risk-based approach here,” Lish says, “going to the board or the C-suite and saying, ‘These are the most critical pieces of legacy equipment or devices we need to replace’ and help them understand the risk of not doing so. The CISO has to be the one to provide that prioritization.”