{"id":16301,"date":"2026-06-01T07:04:18","date_gmt":"2026-06-01T07:04:18","guid":{"rendered":"https:\/\/newestek.com\/?p=16301"},"modified":"2026-06-01T07:04:18","modified_gmt":"2026-06-01T07:04:18","slug":"6-critical-security-gaps-every-ciso-must-address","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16301","title":{"rendered":"6 critical security gaps every CISO must address"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>CISOs acknowledge that no organization is completely safe, but many also admit their security measures aren\u2019t where they\u2019d like them to be.<\/p>\n<p>One-third of CISOs surveyed for <a href=\"https:\/\/www.proofpoint.com\/us\/resources\/white-papers\/voice-of-the-ciso-report\">Proofpoint\u2019s 2025 Voice of the CISO Report<\/a> said the data within their organization is not adequately protected, and 58% said their organizations were unprepared to respond to a cyberattack. Meanwhile, only 67% believed their organizations offered adequate budget, staff, and tools to meet their cybersecurity goals.<\/p>\n<p>Such figures indicate that critical cybersecurity gaps remain in many, if not most, organizations. As adversaries lean into automation and artificial intelligence, the pressure is mounting to address security gaps that could be exploited. Here are six critical security gaps that demand CISOs\u2019 attention, according to their IT security leader colleagues and industry observers.<\/p>\n<h2 class=\"wp-block-heading\">1. 
The perception gap<\/h2>\n<p>Although CISOs have become <a href=\"https:\/\/www.csoonline.com\/article\/4080670\/what-does-aligning-security-to-the-business-really-mean.html\">more business-oriented in recent years<\/a>, many still view their primary job as protecting digital systems when they should see it as ensuring business resilience, says <a href=\"https:\/\/www.csoonline.com\/article\/4178412\/Errol%20Weiss%20%7C%20LinkedIn\">Errol Weiss<\/a>, CSO with Health-ISAC.<\/p>\n<p>\u201cCISOs still think of a bad day from the IT perspective; they still think of security as an IT problem,\u201d he notes. \u201cThey need to shift from protecting systems at all costs to instead building resilience and thinking about the downstream impacts when something fails.\u201d<\/p>\n<p>Weiss notes that part of the reason this gap persists in many organizations is that <a href=\"https:\/\/www.csoonline.com\/article\/515730\/business-continuity-and-disaster-recovery-planning-the-basics.html\">business continuity<\/a>, which is at the heart of resilience, usually falls to executives other than CISOs. \u201cThe business continuity piece has traditionally been someone else\u2019s problem, but now it has to become a focus for the security organization,\u201d he says.<\/p>\n<p>When CISOs think broadly about how <a href=\"https:\/\/www.csoonline.com\/article\/4159317\/cisos-reshape-their-roles-as-business-risk-strategists.html\">digital threats could impact the business<\/a>, rather than focusing on how attacks impact the IT environment, they get a more accurate view of the top risks and can better assess the blast radius of an incident, Weiss explains. 
That in turn enables CISOs to more effectively prioritize defensive moves and remediation action, making it more likely that an incident can be contained and not have unexpected follow-on impacts that stymie business operations.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/2140608\/8-critical-lessons-from-the-change-healthcare-ransomware-catastrophe.html\">2024 cyberattack on Change Healthcare<\/a>, the consequences of which rippled through the entire healthcare industry, shows why CISOs need to close this gap in perspective on cyber threats and risk, he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-the-gap-between-the-speed-of-threat-actors-and-security\">2. The gap between the speed of threat actors and security<\/h2>\n<p>The <a href=\"https:\/\/blog.talosintelligence.com\/2025yearinreview\/\">2025 Year in Review report from threat intelligence firm Cisco Talos<\/a> stated that \u201cthe 2025 threat landscape was defined by an unprecedented acceleration in the speed of vulnerability exploitation, with adversaries weaponizing new security flaws like React2Shell and ToolShell almost immediately upon disclosure.\u201d<\/p>\n<p>Most security teams aren\u2019t moving as fast, creating an agility gap between them and the threat actors, says <a href=\"https:\/\/www.linkedin.com\/in\/realbuckbell\/\">Buck Bell<\/a>, director of security strategy at IT services provider CDW.<\/p>\n<p>\u201cMost of the gaps we see today are execution gaps,\u201d he adds.<\/p>\n<p>Many security programs still feature legacy thinking, including \u201csome static security measures in a world that needs real-time adjustments,\u201d he says. Monthly penetration testing and patch Tuesdays, for example, are relics of an older era yet remain in some security departments. 
\u201cThe reality is that organizations today need to execute at a higher velocity,\u201d he adds.<\/p>\n<p>Bell says leading CISOs are adding speed to their operations by adopting AI, automation, and practices such as <a href=\"https:\/\/www.csoonline.com\/article\/3979418\/what-is-ctem.html\">continuous threat exposure management (CTEM)<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-the-gap-between-the-speed-of-the-business-and-security\">3. The gap between the speed of the business and security<\/h2>\n<p>Similarly, some CISOs also need to increase their speed and agility so that security can move as quickly as the business does. As professional services firm PwC notes in its <a href=\"https:\/\/www.pwc.com\/us\/en\/executive-leadership-hub\/ciso.html\">2026 CISO Outlook<\/a>, \u201cThe CISO role is at a pivotal moment. As technology accelerates and new threats emerge, you\u2019re expected to lead at the pace of change. AI, quantum computing, and a hyperconnected world are reshaping risk \u2014 and your business is watching.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/cbshah\/\">Chirag Shah<\/a>, global information security officer and data protection officer at software company Model N, knows that business is the pacesetter these days. \u201cBusiness wants to run faster, and if they\u2019re wanting to run faster, that means we at security and compliance have to run with them,\u201d he says.<\/p>\n<p>But he also knows security struggles to keep up. 
\u201cWe\u2019re always playing a catchup game,\u201d he adds.<\/p>\n<p>Shah has taken action to add speed, such as upskilling security staffers on AI so they\u2019re ready to work with the business on their priority projects.<\/p>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/chris-cochran\">Chris Cochran<\/a>, field CISO and vice president of AI security at SANS Institute, says CISOs who adopt frameworks and standards and who collaborate with their security colleagues can also add speed by learning and deploying proven tactics that can quickly expand and scale as the business changes.<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-the-gap-between-existing-and-needed-skills\">4. The gap between existing and needed skills<\/h2>\n<p>CISOs have long struggled to get the talent they need. In the past, the issue centered mainly around getting enough people to fill roles; now they\u2019re more concerned that security pros don\u2019t possess the updated skills they need to succeed.<\/p>\n<p>According to the <a href=\"https:\/\/www.sans.org\/mlp\/2026-evolving-cybersecurity-workforce-ai-compliance-talent#download\">SANS 2026 Cybersecurity Workforce Research Report<\/a>, \u201cthe cybersecurity workforce is undergoing a fundamental transformation. Organizations are rebuilding their teams from the top down as artificial intelligence disrupts traditional entry points while regulatory compliance demands create new frameworks for skills validation. 
This convergence is producing a widening skills gap that organizations struggle to close, even as they increasingly recognize that having the right abilities matters more than simply adding headcount.\u201d<\/p>\n<p>It further states that \u201cthe need for specialists in new roles nearly doubled year-over-year, while additional hiring for existing skills increased substantially.\u201d<\/p>\n<p>Here, CISOs\u2019 concern has accelerated, with 60% of security leaders identifying this skills gap as their primary workforce challenge in 2026 (up from 52% last year) \u2014 and compared to 40% who said headcount shortages were their chief issue.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/beth-miller-risk-reframing\">Beth Miller<\/a>, global field CISO at software maker Mimecast, says it\u2019s not just a skills gap within security that plagues CISOs but a gap in needed security skills throughout the organization.<\/p>\n<p>\u201cYou can have a fully skilled security team, but if you don\u2019t have security skills in the business, too, you still will have a gap,\u201d she says.<\/p>\n<p>Closing the gap requires \u201cinvesting in the human layer across the organization,\u201d she adds.<\/p>\n<p>SANS Institute\u2019s Cochran made similar observations, saying CISOs need to <a href=\"https:\/\/www.csoonline.com\/article\/4123230\/human-risk-management-cisos-solution-to-the-security-awareness-training-paradox.html\">build a culture of continuous learning and training<\/a>. \u201cClosing the gap comes down to one word: intention,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">5. Gaps in securing AI deployments<strong><\/strong><\/h2>\n<p>CISOs lag in securing AI deployments for several reasons.<\/p>\n<p>To start, Mimecast\u2019s Miller says, \u201cthe mandate around AI is moving faster than CISOs are prepared for. 
The pattern we\u2019re seeing in our and other organizations is that leadership announces an AI adoption initiative, it\u2019s top down, and it\u2019s often tied to competitive pressure or board expectations. And then within weeks business units are building AI tools, connected to data, and integrating AI into existing systems, and CISOs are finding out about these [initiatives] during or after implementation.\u201d<\/p>\n<p>There are also the AI deployments happening from the bottom up, often without any leadership involvement or knowledge at all. \u201cShadow AI is happening industry wide,\u201d Model N\u2019s Shah says. And while security or IT may find those deployments after the fact, that discovery doesn\u2019t erase the security gap on its own.<\/p>\n<p>Experts also cite the challenges of, first, developing the right security controls for AI as the technology evolves and, second, getting everyone to buy into and then follow those controls and <a href=\"https:\/\/www.cio.com\/article\/3984527\/how-to-establish-an-effective-ai-grc-framework.html\">governance frameworks<\/a> as they morph with the technology\u2019s evolution. 
Those dynamics inevitably create gaps between what\u2019s needed to secure AI and what controls are being implemented.<\/p>\n<p>\u201cIt\u2019s a governance gap masquerading as an IT problem,\u201d Miller adds.<\/p>\n<p>The SANS report found that only 54% of surveyed organizations had AI security policies in place and only 20% had comprehensive governance frameworks ready, with about 75% either implementing or still building governance structures.<\/p>\n<p>SANS concluded that \u201cAI security governance is still in early days.\u201d Other experts acknowledged as much, saying that CISOs need to lean on observability tools, executive influence skills, AI-related security awareness and training, emerging AI security best practices, and new AI governance frameworks to close what seems to be a yawning gap in many organizations.<\/p>\n<h2 class=\"wp-block-heading\">6. The legacy gap<strong><\/strong><\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/jasonlish\/\">Jason Lish<\/a>, Cisco\u2019s global CISO, says many business leaders have adopted a \u201cset-it-and-forget-it mentality\u201d with technology, resisting moves to modernize IT as long as systems perform and aren\u2019t differentiating.<\/p>\n<p>That challenges not only CIOs as they try to integrate AI and other new technologies into legacy tech, but also CISOs as they seek to implement modern security practices and technologies, Lish explains. 
And it\u2019s becoming a more acute security problem as threat actors become more skillful at using AI to exploit out-of-support systems and legacy tech that can\u2019t implement modern security controls.<\/p>\n<p>A <a href=\"https:\/\/www.deloitte.com\/us\/en\/insights\/industry\/government-public-sector-services\/2026-nascio-deloitte-cybersecurity-study.html\">2026 study from National Association of State CIOs and Deloitte &amp; Touche<\/a> found that CISOs listed legacy infrastructure as one of the top three barriers to meeting cybersecurity challenges, along with the increasing sophistication of threats and insufficient funding for cybersecurity.<\/p>\n<p>\u201cCISOs should be thinking about a risk-based approach here,\u201d Lish says, \u201cgoing to the board or the C-suite and saying, \u2018These are the most critical pieces of legacy equipment or devices we need to replace\u2019 and help them understand the risk of not doing so. The CISO has to be the one to provide that prioritization.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CISOs acknowledge that no organization is completely safe, but many also admit their security measures aren\u2019t where they\u2019d like them to be. One-third of CISOs surveyed for Proofpoint\u2019s 2025 Voice of the CISO Report said the data within their organization is not adequately protected, and 58% said their organizations were unprepared to respond to a cyberattack. 
Meanwhile, only 67% believed their organizations offered adequate budget,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16301\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16301","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16301"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16301\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}