For much of the last decade, the CISO’s job has been framed as a race against increasingly sophisticated adversaries armed with automation, AI, and an expanding arsenal of attack tools. We’ve been told that security teams are losing ground, that attackers are always one step ahead, that the next breach is inevitable and unstoppable. The truth is messier than that narrative suggests.
The biggest challenge facing CISOs today has less to do with attacker sophistication and more to do with volume and speed. There are simply more attackers now; they can scale their operations faster than ever before, and most organisations are still struggling to build the human capability needed to match that pace. This reality is forcing a fundamental rethink of what the CISO role actually involves. The modern CISO has become a talent strategist, an educator, a translator between regulatory requirements and operational reality, and increasingly, someone who shapes organisational culture rather than just managing technical risk.
From Perimeter Defence to Resilient Teams
Walk through the timeline of most modern security failures, and you’ll rarely find a missing tool as the root cause. What you find instead are systems that weren’t properly understood, warnings that were ignored or misinterpreted, and teams that lacked the confidence or experience to make decisive calls under pressure. The technology was there, but the people weren’t ready to use it effectively.
AI has accelerated this dynamic in both directions. Detection and analysis have improved dramatically, which helps defenders spot threats they might have missed a few years ago. At the same time, AI has lowered the barrier for attackers by automating tasks that previously required specialist knowledge. We’re not necessarily seeing more sophisticated attacks across the board; we’re seeing a significant increase in attacks, most of which are at a baseline level of competence.
This shift changes what CISOs need to focus on. Preventing every single breach was never realistic, but many security programmes were built as though it was. What matters now is whether your organisation can absorb the impact of an incident, respond effectively while it’s happening and recover quickly afterwards. That kind of resilience comes from having capable teams, not just capable technology sitting in your stack.
Building Depth, Not Just Breadth
One of the most persistent gaps in cybersecurity remains experience. The industry has made real progress in attracting new people, helping ease some of the workforce shortage. But many teams are still heavily weighted towards generalists who have limited exposure to actual incidents beyond what they’ve read about or seen in training scenarios.
According to research by Savanta, the scale of this problem is significant. While 47% of organisations say their cyber teams are fully certified in recognised frameworks, a significant 36% report only partial certification coverage, and a worrying 16% have none at all. This skills gap is reflected in readiness levels: only 27% of teams are fully trained to respond to AI-driven threats, while the majority, 56%, are only somewhat trained, and 12% are not trained at all. These figures highlight a common pattern: organisations are often better at maintaining governance and baseline compliance than at building fully capable, AI-ready cybersecurity teams that can respond effectively when an attack occurs.
Generalists are valuable and necessary. They keep environments running, maintain hygiene, and provide the breadth of knowledge needed for day-to-day operations. But when something genuinely complicated happens, such as a subtle supply chain compromise, a patient insider threat or a complex intrusion that doesn’t follow the usual patterns, depth of expertise becomes critical. Reading the alert is one thing; understanding what it actually means in context and what to do about it is something else entirely.
CISOs need to be intentional about developing this kind of depth. Building resilience means investing in specialists who can interpret what AI-generated insights are actually telling them, investigate ambiguous signals that don’t fit neatly into existing playbooks, and make sound judgement calls when the situation isn’t covered by the manual. These capabilities come from structured training, hands-on scenario work, and exposure to real-world attack techniques, not from collecting vendor certifications.
Ethical hacking programmes work particularly well for this. When defenders understand how attacks are carried out in practice, they stop thinking in rigid checklists and start developing adversarial intuition. The goal isn’t to turn everyone into a penetration tester, but to build the ability to spot when something doesn’t look right before significant damage gets done.
User Awareness Needs to Evolve With the Threats
Despite all the automation and tooling improvements, people still sit at the centre of most breaches. A rushed decision at the end of a long day, a reused password that should have been changed, a moment of misplaced trust in what seemed like a legitimate request: these remain the weak points that attackers exploit most successfully. What has changed is how convincing those attacks have become. AI-generated phishing emails sound natural, fake voice messages are increasingly hard to distinguish from real ones, and deepfakes are blurring the line between legitimate communication and manipulation in ways that traditional red-flag training never anticipated.
CISOs need to rethink user education completely. The old approach of fear-based messaging and lists of things to avoid no longer works when attacks look and feel legitimate. Instead, employees need to understand why they’re being targeted, how manipulation works, and what good decision-making looks like when you’re under pressure and don’t have perfect information. Training should reflect real scenarios people encounter in their actual roles, and evolve as attacker tactics shift.
This also applies beyond entry-level staff. Senior leaders are increasingly targeted precisely because of their authority and access to sensitive information or systems. Building genuine security awareness across an organisation means ensuring everyone, regardless of seniority, understands their role in protecting it.
Emerging Threats and Regulatory Pressure
While operational pressure dominates most of a CISO’s time, there’s still a need to watch the horizon for threats that don’t announce themselves clearly. AI manipulation techniques offer a good example. Just over three-quarters of organisations now believe AI poses an increased risk, with a quarter viewing that risk as significant. This reflects a growing recognition that as organisations become more dependent on machine-driven decision-making, attackers are experimenting with ways to influence those systems gradually through data poisoning and similar approaches. Defending against this requires more than blind trust in AI outputs; it requires literacy about when to question what models are telling you and how they can fail or be compromised.
Regulatory change is also demanding attention, affecting how CISOs need to structure their programmes. The UK’s forthcoming Cyber Security and Resilience Bill represents a clear shift in expectations. The legislation strengthens supply chain oversight, mandates faster incident-reporting timelines, and aligns requirements with established frameworks such as the NCSC’s Cyber Assessment Framework. For organisations operating critical infrastructure or providing digital services, the bar for governance and accountability is rising noticeably.
This shouldn’t be viewed purely as a compliance burden. The bill gives CISOs useful leverage to anchor security investment in recognised standards, improve the quality of governance conversations at the board level, and address long-standing gaps that attackers have been exploiting for years. When regulation moves in the same direction that good security practice already points, it’s worth using that momentum.
What Success Looks Like Now
The CISO role has evolved beyond being measured solely by the number of incidents avoided. Success increasingly depends on preparedness across multiple dimensions. The CISOs who will be most effective in this environment are those who prioritise building capability over accumulating tools, who value continuous learning over quick certifications, and who invest in people alongside process and technology. That means advocating for sustained skills development, supporting ethical pathways into the profession for people from non-traditional backgrounds, and creating space for teams to practise their response to realistic scenarios where making mistakes doesn’t cause actual damage.
Technology will keep evolving, and attackers will keep adapting their methods. But organisations that invest seriously in developing resilient, well-trained teams will maintain an advantage that no amount of tooling can replicate on its own. Security ultimately depends on enabling people to make better decisions when it matters most, and that ability only comes from deliberate, sustained investment in human capability.
Phil Chapman is the Commercial Subject Matter Expert (CSME) for cybersecurity at Firebrand Training.
Following a full-service career within RAF intelligence he joined a Microsoft training academy and gained experience and qualifications in infrastructure and network security across multiple industry sectors and regions. This was followed by six years working as a security consultant and trainer where he gained experience in financial, health, government and small business cyber and information security.
Phil joined Firebrand as a full-time senior instructor in 2015 in order to support the cyber portfolio and was the lead technical trainer in the development of the law enforcement cybercrime program. During his time at Firebrand he has further developed his cybersecurity skills and experience and was instrumental in the development of the level 3 and 4 cybersecurity apprenticeship program and supported apprentices, in-work mentors and line managers across all industry sectors. He has also been responsible for the development of the cybersecurity modules within the BPP Technology Management masters degree.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.