Elevating Cybersecurity 2025

Page 7 of 26 · WEF_Elevating_Cybersecurity_2025.pdf

– Supply chains: With more than half of large organizations citing third-party risk management as a major challenge, supply chain challenges remain a top concern for achieving cyber resilience.6 The growing interdependencies of (digital) supply chains imply that cyberthreats can come from a multitude of entry points. Additionally, as integral players in their clients’ supply chains, organizations have a responsibility to uphold strong cybersecurity practices across both upstream and downstream interactions – protecting not only supplier connections but also customer relationships.7 CISOs must foster collaborative security, make sure there are no blind spots among their suppliers and develop strong relationships with the most critical of these to ensure resilience in the event of a percolating cyber incident.

– The cyber skills gap: The cyber skills gap has widened since 2024, with two in three organizations reporting moderate-to-critical skills gaps. In today’s hyperconnected digital landscape, the cybersecurity industry faces a critical global shortage, with estimates ranging from 2.8 million to 4.8 million unfilled positions.8,9 Research shows that the cybersecurity skills shortage creates additional cyber risks for 70% of organizations.10 Additionally, ISACA’s State of Cybersecurity 2024 report notes rising stress levels among cybersecurity professionals due to increased workloads and complex threat environments.11 The current cybersecurity talent pool is still under-developed and insufficient to meet workforce demand. CISOs must build teams that are attractive to talent, nurture that talent internally, ensure the well-being of their employees and use technology innovatively to augment the capacity of their teams.

– Constant emergence of new vulnerabilities: This creates a persistent and worsening dilemma – while business pressures demand speed and innovation, security remediation adds requirements and time to technology deployment. The gap between security needs and actual implementation continues to widen, making organizations more susceptible to breaches. Accelerated action from CISOs on security measures is no longer optional; it is essential to maintaining resilience in an increasingly hostile digital landscape.

– The ever-changing risk landscape: Change is constant in modern organizations – whether through technology upgrades, configuration tweaks or daily code deployments. However, this velocity of change heightens cyber risk. Security gaps are often unknowingly introduced by business teams who may not fully grasp the downstream security implications. Meanwhile, new application code is pushed rapidly into production, in some instances without the knowledge or involvement of the CISO or security teams. This lack of visibility and control creates blind spots and a risk of unanticipated security exposures. CISOs must invest time and effort to keep oversight across the full digital footprint of the enterprise.

Taken together, these factors illustrate the increasingly complex environment in which CISOs are expected to operate. Additionally, while CISOs are accountable for protecting the organization from cyberthreats, they often do not control all IT or OT (operational technology) systems. Therefore, establishing and maintaining an influence over business unit decisions or vendor selections becomes paramount.

The CISO role is thus evolving beyond its traditional technical boundaries to encompass a more strategic, collaborative function within the organization. To remain effective, CISOs must engage across business lines, stay aligned with regulatory and technological developments and ensure that cybersecurity supports overall organizational resilience and decision-making. In this context, there is a growing need to explore the CISO mandate, relationships, tools and culture to ensure that CISOs are equipped to respond to both present and future challenges.

Elevating Cybersecurity: Ensuring Strategic and Sustainable Impact for CISOs