{"id":14989,"date":"2025-10-21T07:06:25","date_gmt":"2025-10-21T07:06:25","guid":{"rendered":"https:\/\/newestek.com\/?p=14989"},"modified":"2025-10-21T07:06:25","modified_gmt":"2025-10-21T07:06:25","slug":"cisos-security-priorities-reveal-an-augmented-cyber-agenda","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14989","title":{"rendered":"CISOs\u2019 security priorities reveal an augmented cyber agenda"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Technology may be changing rapidly but one thing remains constant: It\u2019s not an easy time to be a CSO. The role continues to evolve with security leaders taking on even more responsibilities<\/a>, and 76% reporting that understanding which security solutions best fit their company has grown more complex, according to CSO\u2019s 2025 Security Priorities Study.<\/p>\n

Further, 57% of respondents report their organization has struggled to find the root cause of security incidents they experienced in the past year.<\/p>\n

These days, security leaders find themselves tasked with a range of high-level responsibilities, including cyber strategy and policy development, risk management, and managing the risks of AI-enabled technology. Moreover, 67% of security leaders say their responsibilities require them to address security issues outside their country or region.<\/p>\n

Holding them back are perennial problems: employee awareness training; lack of budget; retaining qualified employees; process complexity; and, increasingly, the ability to address the risks presented by disruptive technologies such as AI.<\/p>\n

Protecting data continues to be a key priority<\/h2>\n

According to CSO\u2019s survey, security leaders have several key areas of focus, including strengthening protection of confidential and sensitive data (48%), securing cloud data and systems (45%), and simplifying IT security infrastructure (39%).<\/p>\n

\n
<\/figure>\n

CSO<\/p>\n<\/div>\n

Zach Lewis<\/a>, CIO and CISO of University of Health Sciences & Pharmacy in St. Louis, says consolidating tools<\/a> and using what they have more fully are his main priorities going into next year. \u201cWe\u2019re moving more in the direction of platforms instead of best of breed to try and find some cost savings and simplify the tech stack,\u2019\u2019 Lewis says.<\/p>\n

Additionally, the university\u2019s data governance journey continues. \u201cWe have managed to classify and categorize our data,\u2019\u2019 he says. \u201cNow we are locking that data into our retention period policy and cleaning up duplicate data.\u201d<\/p>\n

AI plans vary<\/h2>\n

AI continues to penetrate deeper into the enterprise, including the security operations center<\/a>. Seventy-three percent of security decision-makers are more likely this year to consider a security solution that uses AI, up from 59% in 2024, and 58% plan to increase spending on AI-enabled security technology, according to the CSO survey.<\/p>\n

Keavy Murphy<\/a>, vice president of security at Net Health, is giving considerable thought to AI\u2019s impact and how the organization is going to navigate the technology heading into 2026.<\/p>\n

\u201cThis year, it became abundantly clear that AI isn\u2019t going anywhere. In fact, it\u2019s becoming more integral than ever, even in industries like healthcare that have historically been considered laggards,\u2019\u2019 Murphy says. In a recent survey<\/a> of healthcare leaders Net Health participated in, 93% of respondents indicated their organizations are prioritizing AI adoption for clinical decision support in the next 12 to 24 months, she says.<\/p>\n

The same survey revealed that confidence in AI is still forming, and adoption will depend on whether these tools demonstrate sufficient ROI, ease of use, and regulatory safety, Murphy notes. While she is \u201cin full support of this level of AI adoption,\u201d Murphy acknowledges that this \u201cmight be an unusual take from a cybersecurity expert, since many of us are wary of advanced technologies that might open us up to threat.\u2019\u2019<\/p>\n

Murphy reasons that since \u201cthere\u2019s no question that bad actors will be using AI and the most advanced software possible in their attacks,\u2019\u2019 organizations that are susceptible to these attacks, like hospitals or private practices, must respond with equally sophisticated tools.<\/p>\n

\u201cI think AI is an incredible innovation that can help healthcare organizations streamline so many of their day-to-day operations like documentation, administrative tasks, and more,\u2019\u2019 she explains. \u201cIt\u2019s only right that we take advantage of it for cybersecurity purposes, as well.\u201d<\/p>\n

AI is already party of cyber risk planning at Aflac, says Tim Callahan<\/a>, global CISO, who expects its usage will only increase in 2026. Already, his team is leveraging AI and machine learning for threat detection and response<\/a> as well as malware\u00a0identification.<\/p>\n

\u201cAdditionally, AI is also helping us automate repetitive tasks, triage alerts, and\u00a0prioritize vulnerabilities, but never at the expense of a hands-on approach where expert\u00a0evaluation and intelligence is critical,\u2019\u2019 Callahan stresses. \u201cAs the world\u2019s adversaries launch more sophisticated AI-driven attacks, it is critical that we use these technologies to not only keep pace but stay ahead.\u201d<\/p>\n

He says leadership is carefully evaluating AI\u2019s role at Aflac and within the cybersecurity teams, \u201cespecially as\u00a0regulatory frameworks adapt to new technologies.\u201d\u00a0<\/p>\n

Lewis of University of Health Sciences & Pharmacy is not as gung-ho on AI, saying it will not play a significant role in his cyber risk planning. While things like phishing emails, video deepfakes, voice fakes, and fake images are a concern, \u201cfoundationally, a lot of things still hold,\u2019\u2019 he says. \u201cI\u2019m not pouring a ton of funding into that; just reinforcing those \u2026 security stack pieces that I already have in place and making sure that users are aware and that our systems are tuned properly.\u201d<\/p>\n

Concern over AI-enabled attacks rises<\/h2>\n

Like Net Health\u2019s Murphy, security buyers are concerned about AI-enabled cyberattacks.<\/p>\n

Specifically, 38% of respondents expressed worry about AI-enabled ransomware, while security leaders also cited attackers leveraging AI to facilitate attack automation (35%) and an adversary\u2019s use of AI to hunt for vulnerabilities in their enterprise (33%) as other top AI-related concerns.<\/p>\n

\n
<\/figure>\n

CSO<\/p>\n<\/div>\n

Consequently, 41% are planning to leverage AI to detect threats, for anomaly detection, and to automate security responses. Other respondents cited plans to leverage AI for malware detection and real-time risk prediction (39%), as well as DLP and improving enterprise system visibility.<\/p>\n

Further, 40% expect to see AI enhancements as part of their existing security systems \u2014 without additional charges \u2014 while 32% are willing to pay a premium for AI-enabled security solutions that meet their specific security needs.<\/p>\n

\n
<\/figure>\n

CSO<\/p>\n<\/div>\n

The benefits AI security tech provides<\/h2>\n

A whopping 99% of respondents have already seen benefits from the AI-enabled security technologies, up from 72% in 2023.<\/p>\n

Among the benefits: faster identification of unknown threats (44%), accelerated detection and response times (42%), the ability to sift through large amounts of data faster(42%), reduced employee workloads due to automation (42%), and the ability of to be more proactive (42%).<\/p>\n

Tool priorities for a shifting threat landscape<\/h2>\n

Security leaders report a wide range of tools in production, including solutions for authentication (36%), security awareness and training (35%), incident response (34%), DLP (33%), and EDR (32%).<\/p>\n

Tools on their radar include security analytics (28%), enterprise security management (27%), SIEM (26%), and data governance (26%).<\/p>\n

\n
<\/figure>\n

CSO<\/p>\n<\/div>\n

Aflac\u2019s Callahan says his organization is prioritizing \u201chighly evolved security tools.\u2019\u2019 For example, the company took a customized approach when implementing zero trust<\/a>, including access detection and blocking, he says. \u201cThis approach has helped us avoid mistakes and pitfalls that could impact our business,\u2019\u2019 Callahan says.<\/p>\n

Next year, the plan is to implement tools \u201cthat increase visibility and provide better automation and integration across our environment,\u201d he adds.<\/p>\n

The University of Health Sciences & Pharmacy recently added a new DLP tool that is still in stealth mode, which \u201ccomes back to the AI concerns,\u2019\u2019 Lewis says.<\/p>\n

He is also planning to consolidate a couple of tools focused on email security and utilizing Microsoft\u2019s email gateway and other security pieces, since the university is a Microsoft shop. That will give him the ability to purchase the DLP system, \u201cwhich is very important, as our data is now going into more AI systems,\u201d he says. \u201cI want to be sure I\u2019m keeping an eye on that and making sure sensitive and proprietary data or research isn\u2019t slipping away into these public LLMs.\u201d<\/p>\n

Budgets will remain relatively unchanged<\/h2>\n

Some 55% of respondents said their security budgets will remain the same, while 43% report expecting an increase, according to the Security Priorities survey.<\/p>\n

Lewis anticipates level funding next year, with a possible 1% increase, which is par for the course in higher ed, he says. \u201cI will make do with the tools I have,\u2019\u2019 he says.<\/p>\n

Any increases to Callahan\u2019s budget at Aflac \u201cwill be driven by the need to invest in advanced technologies, tactics to address\u00a0emerging regulatory requirements, and the ongoing need for talent development,\u201d he says. \u00a0<\/p>\n

Survey respondents reported the main business priorities driving security spending to be: increasing cybersecurity protections (42%), increasing operational efficiency (37%), accelerating AI-driven innovation and applications (31%), improving profitability (30%), and transforming existing business processes such as automation and integration (30%).<\/p>\n

MSPs retain their value as the security landscape grows more complex<\/h2>\n

Another finding in this year\u2019s survey is that 90% of respondents plan to outsource security functions to a managed services provider (MSP) or other third-party provider in the next year.<\/p>\n

Aflac has been utilizing managed security service providers (MSSPs) for years, particularly to provide 24\/7 coverage, Callahan says.<\/p>\n

\u201cIn 2026, we will continue to expand our partnerships with third-party providers, though not to replace our core team, but rather to enhance our team\u2019s outputs\u00a0around strategic initiatives,\u2019\u2019 he says. \u201cAs the environment grows more complex, we expect to see\u00a0additional support in areas such as vulnerability management and compliance.\u201d \u00a0<\/p>\n

Lewis echoes that, saying the university will continue to use third-party providers to have 24\/7 SOC coverage. His MSSP is also handling SIEM, logging events, and EDR.<\/p>\n

CSOs\u2019 visibility is on the rise<\/h2>\n

As their responsibilities increase, security leaders are gaining the attention of their boards \u2014 95% reported they engage with their board of directors, up from 85% in 2023. Forty-eight percent engage with their board multiple times a month.<\/p>\n

Additionally, 70% of respondents report that someone on their organization\u2019s board of directors has specific responsibility or oversight for cybersecurity, up from 59% in 2024. Seventy-two percent said engagement with their board has helped improve cybersecurity\/security initiatives, up from 66% in 2024.<\/p>\n

\n
<\/figure>\n

CSO<\/p>\n<\/div>\n

Lewis meets with the university\u2019s board or audit committee almost quarterly, and he thinks that\u2019s adequate.<\/p>\n

\u201cI think a lot of CISOs really think they need a seat at table,\u2019\u2019 which may be organization- or industry-specific, he says. But he believes security leaders ought to instead work on having a better relationship with their CEO.<\/p>\n

CISOs should be \u201cworking to secure things more internally than necessarily what\u2019s happened externally, and having that relationship with the executive team [and] other functional leaders in the organization,\u2019\u2019 he says. That, Lewis adds, is \u201carguably more important than necessarily having a seat at the board table.\u201d<\/p>\n

CSO\u2019s Security Priorities Report surveyed 641 respondents to gain a better understanding of the various security projects organizations are focused on now and in the coming year. The research also looked at issues that will demand the most time and strategic thinking for IT and security teams. Respondents came from North America (46%), APAC (36%), and EMEA (18%). <\/strong>The average company size is 14,494 employees.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Technology may be changing rapidly but one thing remains constant: It\u2019s not an easy time to be a CSO. The role continues to evolve with security leaders taking on even more responsibilities, and 76% reporting that understanding which security solutions best fit their company has grown more complex, according to CSO\u2019s 2025 Security Priorities Study. Further, 57% of respondents report their organization has struggled to… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14989","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14989","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14989"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14989\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14989"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14989"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14989"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}