{"id":14436,"date":"2025-07-14T09:05:44","date_gmt":"2025-07-14T09:05:44","guid":{"rendered":"https:\/\/newestek.com\/?p=14436"},"modified":"2025-07-14T09:05:44","modified_gmt":"2025-07-14T09:05:44","slug":"8-tough-trade-offs-every-ciso-must-navigate","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14436","title":{"rendered":"8 tough trade-offs every CISO must navigate"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>One key to success in the C-suite is being able to balance multiple competing interests.<\/p>\n<p>And while each executive faces high-pressure choices, CISOs in particular contend with trade-offs that could have monumental consequences for their businesses and their careers.<\/p>\n<p>Increasingly responsible for security outcomes <a href=\"https:\/\/www.csoonline.com\/article\/3602722\/the-ciso-paradox-with-great-responsibility-comes-little-or-no-power.html\">over which they don\u2019t always have full authority<\/a>, CISOs are well aware of this dynamic. 
According to the <a href=\"https:\/\/www.businesswire.com\/news\/home\/20240807298508\/en\/LevelBlue-Finds-CISOs-Challenged-Most-by-Cybersecurity-Tradeoffs-AI-Implementation-Pressures-and-Reactive-Budgets-Compared-to-C-Suite-Peers\">2024 LevelBlue Futures Report: Cyber Resilience<\/a>, \u201c73% of CISOs expressed concern over cybersecurity becoming unwieldy, requiring risk-laden trade-offs, compared to only 58% of both CIOs and CTOs.\u201d<\/p>\n<p>Moreover, added responsibility has brought a greater need for CSOs and CISOs to align their security strategies with business objectives, creating additional tension over where to draw lines on security edicts versus the need to support accelerated business innovation.<\/p>\n<p>To help you better balance the competing interests of being both a security and business executive today, here are the key trade-offs every CISO must consider, with advice from security leader peers and industry experts on how to navigate each to the benefit of business and career.<\/p>\n<h2 class=\"wp-block-heading\" id=\"1-recalibrating-risk-tolerance-in-the-larger-business-context\">1. Recalibrating risk tolerance in the larger business context<\/h2>\n<p>Despite all the talk about aligning with the business, CISOs overwhelmingly report C-suite misalignment on risk.<\/p>\n<p>According to the <a href=\"https:\/\/www.netskope.com\/resources\/reports-guides\/the-modern-ciso-bringing-balance\">Modern CISO: Bringing Balance<\/a> survey from cybersecurity vendor Netskope, 92% of CISOs said differing attitudes toward risk were causing tension with the wider C-suite, and 66% described themselves as \u201cwalking a tightrope\u201d between what the business wants and what makes sense from a security perspective.<\/p>\n<p>Chuck Kesler, CISO at tech company Pendo, says he has had to work on finding middle ground on risk issues. 
\u201cThis is as much about the business educating me on their needs as me educating the business on the risks,\u201d he says.<\/p>\n<p>Kesler acknowledges having to \u201crecalibrate\u201d his risk tolerance in the past, after evaluating business objectives, his initial assessments of the risks associated with those objectives, and the security controls in place.<\/p>\n<p>Richard Watson, global consulting cybersecurity leader at EY, says such scenarios are common. \u201cCISOs are often asking themselves: \u2018How much risk do I tolerate?\u2019 That\u2019s the question we get the most,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-weighing-security-investments-when-the-budget-forces-choices\">2. Weighing security investments when the budget forces choices<\/h2>\n<p>Closely related to the risk trade-off is the one CISOs must navigate around security investments.<\/p>\n<p>\u201cFor most CISOs, when they have to make tough choices, 99% of the time it\u2019s due to budget constraints that force them to weigh risks versus rewards,\u201d says John Allen, managing director of technology, media, and telecommunications at cybersecurity consultancy MorganFranklin Cyber.<\/p>\n<p>Given that no CISO has unlimited budget, Allen says they\u2019re often asking what would happen if they don\u2019t do a desired security project whose price tag is beyond their budget, and then trying to either fit it into the budget or table it if they can.<\/p>\n<p>The <a href=\"https:\/\/panorays.com\/blog\/2025-ciso-survey\/\">Panorays 2025 CISO Survey<\/a> provides a specific example: 98% of security leaders surveyed have had to leave at least 10% of third-party vulnerabilities unresolved due to limited resources.<\/p>\n<p>CISOs make tough trade-offs in other areas due to budget constraints, too, says Chris Simpson, director of National University\u2019s Center for Cybersecurity. 
They sometimes spend less on detection and incident response than they\u2019d like in order to spend more on prevention, or they spend more on compliance and regulatory requirements than they want because they must, leaving them with less for other desired security investments.<\/p>\n<p>Each CISO\u2019s organization will have its own unique context in which to weigh budget trade-offs. As research shows, <a href=\"https:\/\/www.csoonline.com\/article\/3846307\/not-all-cuts-are-equal-security-budget-choices-disproportionately-impact-risk.html\">not all cuts are equal<\/a>, with certain choices in certain settings having greater impacts on organizational risk.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-wanting-but-not-getting-the-desired-cadillac-tools\">3. Wanting, but not getting the desired \u2018Cadillac\u2019 tools<\/h2>\n<p>CISOs also often compromise on the security tools they get, EY\u2019s Watson says, noting that \u201cCISOs who want the best of everything won\u2019t win every time.\u201d<\/p>\n<p>Pendo\u2019s Kesler knows this firsthand. He had set his sights on a <a href=\"https:\/\/www.csoonline.com\/article\/657138\/how-to-choose-the-best-cloud-security-posture-management-tools.html\">cloud security posture management<\/a> tool with lots of features and functions that addressed a long list of risks. He saw it as \u201ca Cadillac option.\u201d<\/p>\n<p>But like actual Cadillacs, that security tool came at a premium. Eventually Kesler had to come to terms with the fact that many of the platform\u2019s capabilities were nice-to-haves rather than must-haves.<\/p>\n<p>\u201cSo we decided it wasn\u2019t the right time for this purchase,\u201d Kesler explains, adding that he found a middle ground by implementing several other tools that provided the capabilities his company needed and addressed the risks he had sought to mitigate at that time.<\/p>\n<p>\u201cThere are so many great security tools on the market. 
We see a demo and we get excited and we think they\u2019ll address all our risks, and the reality is we\u2019re going to have a hard time getting the budget for all we want, so part of it is working through what\u2019s doable,\u201d he says. \u201cI would have preferred to have the Cadillac that would do everything for me, but instead we addressed the risks that were specific to our particular environment and that came at a lower price tag.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-taking-on-more-risks-to-help-foster-innovation\">4. Taking on more risks to help foster innovation<\/h2>\n<p>Innovation, particularly around emerging technologies such as agentic AI, introduces risks \u2014 all the more so if the innovation is happening without actively engaging security, a scenario that still happens today, <a href=\"https:\/\/www.csoonline.com\/article\/3529615\/companies-skip-security-hardening-in-rush-to-adopt-ai.html\">especially around AI<\/a>.<\/p>\n<p>That creates more risk than many CISOs <a href=\"https:\/\/www.csoonline.com\/article\/4015077\/ai-supply-chain-threats-are-looming-as-security-practices-lag.html\">are ready to secure<\/a>.<\/p>\n<p>\u201cThe revenue-generating portion of the business is driving the decisions; it\u2019s not a 50\/50 thing; it\u2019s not going to be \u2018Mr. 
CISO says we\u2019re not going to do it because of the risk.\u2019 It\u2019s the business saying, \u2018Figure it out, because we\u2019re going to do it,\u2019\u201d MorganFranklin\u2019s Allen says.<\/p>\n<p>That doesn\u2019t mean the CISO is powerless, he explains: CISOs still have the ability \u2014 and obligation \u2014 to \u201cclearly articulate the security concerns, pitfalls, and cons of what the business wants to do.\u201d They just need to frame their security assessments in a business context and \u201ccome with a solution that the business feels is an enabler for growth and for what they want to do.\u201d<\/p>\n<p>Many \u2014 but far from all \u2014 are doing that. The <a href=\"https:\/\/levelblue.com\/2025-futures-report\">LevelBlue 2025 Futures Report: Cyber Resilience and Business Impact<\/a> found that 61% of CISOs surveyed said their organizations \u201ccan risk more with innovation because we take an adaptive approach\u201d \u2014 a percentage that rises to 79% for CISOs that identified as leading \u201ccyber-resilient organizations.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"5-securing-at-the-pace-of-business\">5. Securing at the pace of business<\/h2>\n<p>Similarly, CISOs must often balance how fast the business wants to go versus the slower pace of security, says Simon Backwell, head of information security at tech company Benifex and a member of the Emerging Trends Working Group at ISACA, a professional association.<\/p>\n<p>Business and security are hardly evenly matched when it comes to their capacity for speed, he says. Business also has the option of iterative innovation, experts say, but CISOs typically must meet compliance regulations and security frameworks that don\u2019t allow for the same iterative approach. 
Moreover, business teams typically receive an influx of resources to fund dedicated teams when launching new initiatives, but security teams do not.<\/p>\n<p>\u201c[Security] might be working on 20 other things and someone wants security to now work on something new and security has to decide then what to drop to make room,\u201d he adds.<\/p>\n<p>As with any decision about what gives, CISOs can find an equilibrium by aligning with the business and, more to the point, by inserting security into business initiatives early so that it can keep pace, Simpson says.<\/p>\n<p>\u201cCISOs who do that can embrace velocity,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\" id=\"6-investing-proactively-when-facing-the-here-and-now\">6. Investing proactively when facing the here and now<\/h2>\n<p>As CISOs become less reactive and more strategic, they\u2019re better able to see what\u2019s coming down the pike in terms of business opportunities and emerging threats.<\/p>\n<p>But that puts CISOs in a quandary: Invest in new security tools or initiatives now to get ahead of the curve \u2014 even though there are other immediate needs that demand attention \u2014 or later, when the needs could be right on top of them?<\/p>\n<p>Pendo\u2019s Kesler has had to deal with this dilemma. He determined that he would eventually need to beef up his company\u2019s defenses against distributed denial-of-service attacks, given his company\u2019s strategic plans \u2014 but DDoS attacks weren\u2019t a significant threat at that moment.<\/p>\n<p>\u201cWe saw that this was going to be a threat for us, but we decided to punt it down the road,\u201d he says, noting that he had to make the tough choice to focus on addressing the most pressing risks, knowing that he could address the rising risk of DDoS attacks later on in his security road map.<\/p>\n<h2 class=\"wp-block-heading\" id=\"7-securing-access-without-impeding-user-experience\">7. 
Securing access without impeding user experience<\/h2>\n<p>Another longstanding trade-off that any experienced CISO has encountered time and again: getting the right balance between security mechanisms and the friction they add to the user experience. But these days, with customer and employee experience paramount, and <a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html\">infostealers rising<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3952041\/malicious-actors-increasingly-put-privileged-identity-access-to-work-across-attack-chains.html\">malicious actors increasingly abusing privileged access<\/a>, attention to this trade-off is rising once again.<\/p>\n<p>Kesler, in his prior role as a security chief at a healthcare organization, had to make such a trade-off when he implemented multifactor authentication. He says his executive colleagues knew the value of MFA but also had concerns about the extra time it would add to accessing applications.<\/p>\n<p>\u201cWe recognized that we had to be smart about how and when we required people to use that second factor,\u201d Kesler explains. \u201cWe decided it couldn\u2019t be every time they accessed a computer, because we had doctors and nurses moving between devices and patients frequently throughout the day and we couldn\u2019t ask them to reauthenticate every five minutes. It would be a significant impact on workflows where minutes and seconds matter.\u201d<\/p>\n<p>So security and business together decided to require MFA for onsite users for the first access of the day only, \u201cso they weren\u2019t constantly nagged through the day to do that second factor,\u201d Kesler says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"8-staying-on-the-job-in-the-face-of-big-and-frequent-trade-offs\">8. 
Staying on the job in the face of big (and frequent) trade-offs<\/h2>\n<p>Perhaps one of the toughest trade-offs CISOs may make is to stay on the job even when they\u2019ve made a lot more trade-offs than they\u2019d like, Allen says.<\/p>\n<p>It happens often enough.<\/p>\n<p>\u201cCISOs get frustrated because they feel they\u2019re the subject matter experts on security, and if they can\u2019t get the things they believe are needed done, if there\u2019s not alignment, if it\u2019s a constant fight, they could end up wanting to leave,\u201d Allen says.<\/p>\n<p>Some do go, some do not, he adds.<\/p>\n<p>\u201cAt the end of the day, CISOs have to follow what the business wants,\u201d Allen says, \u201cand if that\u2019s untenable, they leave; those who are malleable are able to work with it and they stay for the long haul.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>One key to success in the C-suite is being able to balance multiple competing interests. And while each executive faces high-pressure choices, CISOs in particular contend with trade-offs that could have monumental consequences for their businesses and their careers. Increasingly responsible for security outcomes over which they don\u2019t always have full authority, CISOs are well aware of this dynamic. 
According to the 2024 LevelBlue Futures&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14436\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14436","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14436"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14436\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}