8 tough trade-offs every CISO must navigate

2. Weighing security investments when the budget forces choices

Closely related to the trade-off around risk is what CISOs must navigate when it comes to security investments.

“For most CISOs, when they have to make tough choices, 99% of the time it’s due to budget constraints that force them to weigh risks versus rewards,” says John Allen, managing director of technology, media, and telecommunications at cybersecurity consultancy MorganFranklin Cyber.

Given that no CISO has unlimited budget, Allen says they’re often asking what would happen if they don’t do a desired security project whose price tag is beyond their budget, and then trying to either fit it into the budget or table it if they can.

The Panorays 2025 CISO Survey provides a specific example: 98% of security leaders surveyed have had to leave at least 10% of third-party vulnerabilities unresolved due to limited resources.

CISOs make tough trade-offs in other areas due to budget constraints, too, says Chris Simpson, director of National University’s Center for Cybersecurity. They’re sometimes spending less on detection and incident response than they’d like in favor of spending more on prevention, or they’re spending more on compliance and regulatory requirements than they want because they must, leaving them with less to spend on other desired security investments.

Each CISO’s organization will have its own unique context in which to weigh budget trade-offs. As research shows, not all cuts are equal, with certain choices in certain settings having greater impacts on organizational risk.

3. Wanting, but not getting, the desired ‘Cadillac’ tools

CISOs also often compromise on the security tools they get, EY’s Watson says, noting that “CISOs who want the best of everything won’t win every time.”

Pendo’s Kelser knows this firsthand. He had set his sights on a cloud security posture management tool with lots of features and functions that addressed a long list of risks. He saw it as “a Cadillac option.”

But like actual Cadillacs, that security tool came at a premium. Eventually Kelser had to come to terms with the fact that many of the platform’s capabilities were nice-to-haves rather than must-haves.

“So we decided it wasn’t the right time for this purchase,” Kelser explains, adding that he found a middle ground by implementing several other tools that provided the capabilities that his company needed and addressed the risks he had sought to mitigate at that time.

“There are so many great security tools on the market. We see a demo and we get excited and we think they’ll address all our risks, and the reality is we’re going to have a hard time getting the budget for all we want, so part of it is working through what’s doable,” he says. “I would have preferred to have the Cadillac that would do everything for me, but instead we addressed the risks that were specific to our particular environment and that came at a lower price tag.”

4. Taking on more risks to help foster innovation

Innovation, particularly around emerging technologies such as agentic AI, introduces risks, particularly if the innovation is happening without actively engaging security, a scenario that still happens today, especially around AI. That creates more risks than many CISOs are ready to secure.

“The revenue-generating portion of the business is driving the decisions; it’s not a 50/50 thing; it’s not going to be ‘Mr. CISO says we’re not going to do it because of the risk.’ It’s the business saying, ‘Figure it out, because we’re going to do it,’” MorganFranklin’s Allen says.

That doesn’t mean the CISO is powerless, he explains, saying that they still have the ability, and obligation, to “clearly articulate the security concerns, pitfalls, and cons of what the business wants to do.” They just need to frame their security assessments in a business context and “come with a solution that the business feels is an enabler for growth and for what they want to do.”

Many, but far from all, are doing that. The LevelBlue 2025 Futures Report: Cyber Resilience and Business Impact found that 61% of CISOs surveyed said their organizations “can risk more with innovation because we take an adaptive approach,” a percentage that rises to 79% for CISOs who identified as leading “cyber-resilient organizations.”

5. Securing at the pace of business

Similarly, CISOs must often balance how fast the business wants to go against the slower pace of security, says Simon Backwell, head of information security at tech company Benifex and a member of the Emerging Trends Working Group at ISACA, a professional association.

Business and security are hardly evenly matched when it comes to their capabilities for speed, he says. Business also has the option of iterative innovation, experts say, but CISOs typically must meet compliance regulations and security frameworks that don’t allow for the same iterative approach. Moreover, business teams typically receive an influx of resources to fund dedicated teams when launching new initiatives, but security teams do not.

“[Security] might be working on 20 other things and someone wants security to now work on something new and security has to decide then what to drop to make room,” he adds.

As is the case when they’re trying to figure out what gives, CISOs can find an equilibrium by aligning with the business and, more to the point, by inserting security into business initiatives early to better keep pace, Simpson says.

“CISOs who do that can embrace velocity,” he adds.

6. Investing proactively when facing the here and now

As CISOs become less reactive and more strategic, they’re better able to see what’s coming down the pike in terms of business opportunities and emerging threats.

But that puts CISOs in a quandary: Invest in new security tools or initiatives now to get ahead of the curve, even though there are other immediate needs that require attention, or invest later, when those needs could be right on top of them?

Pendo’s Kelser has had to deal with this dilemma. He determined that he would eventually need to beef up his company’s defenses against distributed denial-of-service attacks, given his company’s strategic plans, but DDoS attacks weren’t a significant threat at that moment.

“We saw that this was going to be a threat for us, but we decided to punt it down the road,” he says, noting that he had to make the tough choice to focus on addressing the most pressing risks, knowing that he could address the rising risk of DDoS attacks later on in his security road map.

7. Securing access without impeding user experience

Another longstanding trade-off that any experienced CISO has encountered time and again: getting the right balance between security mechanisms and the friction they add to the user experience. But these days, with customer and employee experience paramount, infostealers rising, and malicious actors increasingly abusing privileged access, attention to this trade-off is rising once again.

Kesler, in his prior role as a security chief at a healthcare organization, had to make such a trade-off when he implemented multifactor authentication. He says his executive colleagues knew the value of MFA but also had concerns about the extra time it would add to accessing applications.

“We recognized that we had to be smart about how and when we required people to use that second factor,” Kesler explains. “We decided it couldn’t be every time they accessed a computer, because we had doctors and nurses moving between devices and patients frequently throughout the day and we couldn’t ask them to reauthenticate every five minutes. It would be a significant impact on workflows where minutes and seconds matter.”

So security and business together decided to require MFA for onsite users for the first access of the day only, “so they weren’t constantly nagged through the day to do that second factor,” Kesler says.

8. Staying on the job in the face of big (and frequent) trade-offs

Perhaps one of the toughest trade-offs CISOs may make is to stay on the job even when they’ve made a lot more trade-offs than they’d like, Allen says. It happens often enough.

“CISOs get frustrated because they feel they’re the subject matter experts on security, and if they can’t get the things they believe are needed done, if there’s not alignment, if it’s a constant fight, they could end up wanting to leave,” Allen says.

Some do go, some do not, he adds.

“At the end of the day, CISOs have to follow what the business wants,” Allen says, “and if that’s untenable, they leave; those who are malleable are able to work with it and they stay for the long haul.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4021179/8-tough-trade-offs-every-ciso-must-navigate.html
