How CISOs are balancing risk, pressure and board expectations

AI has moved to the top of the CISO agenda. Three in five CISOs see generative AI as a security risk, with many worried about sensitive data leaking through public tools. At the same time, most organizations are not blocking AI outright. Instead, they are trying to put guardrails in place so employees can use these tools without exposing data, according to the Proofpoint 2025 Voice of the CISO report.

CISOs are also weighing AI’s value as a defensive tool. Many are exploring AI-driven capabilities to help prevent human error and respond to fast-moving threats. Yet the belief that AI will be a silver bullet has cooled. Fewer CISOs now view it as a transformational solution. Instead, the focus is shifting to balancing innovation with governance and control.

Source: Proofpoint 2025 Voice of the CISO report

The people problem

For another year, CISOs rank human behavior as the top vulnerability. Insider threats, careless mistakes, and compromised accounts remain at the center of data loss events. Nearly all organizations have some form of data loss prevention technology, but the majority have still suffered sensitive data exposure.

The main causes of these losses trace back to people. Employees misusing data, mishandling credentials, or leaking information through AI-enabled platforms drive most incidents. Even though many CISOs say their staff understand security best practices, training and insider risk programs are inconsistent. This gap leaves many organizations exposed.

Boardroom alignment slipping

One of the more striking findings is the drop in alignment between CISOs and their boards. Last year, 84 percent of CISOs felt the board understood their view of cybersecurity. This year, that number is down to 64 percent.

The decline suggests progress in board-level awareness may have stalled. Some boards may feel less urgency now that CISOs have a regular presence at the table. At the same time, fewer CISOs think board members need formal cybersecurity expertise. While this could reflect growing confidence in their ability to translate complex issues, it also risks leaving boards underprepared to grasp cyber risk.

Despite this slide, CISOs note that boards are paying more attention to the business impact of attacks. The effect on company valuation now ranks as a top concern, showing that boards are beginning to connect cyber risk with financial outcomes.

Pressure on the role

The role itself continues to come under heavy strain. Two-thirds of CISOs say the expectations placed on them are excessive. Many feel personally accountable when incidents occur, often without the resources to match the responsibility. Burnout remains a serious problem, with many reporting high levels of stress and limited organizational support.

Some organizations are taking steps to protect CISOs from personal liability. Roughly two-thirds say they have safeguards in place that shield the security leader if a breach leads to legal or financial fallout. While this is encouraging, the overall sense is that support structures have not kept pace with the demands of the job.

Implications for the CISO role

The Proofpoint report paints a picture of a role pulled in multiple directions. AI represents both a new tool and a new risk. People remain the hardest challenge to secure, even with technology in place. Boards show more awareness of business impact but are less consistently aligned with their CISOs. And the personal pressure of the job continues to weigh heavily on security leaders.

Some see a future where the CISO role splits into separate tracks, one focused on defense and incident response and the other on governance and compliance. In any case, the scope of responsibility will keep expanding.
