According to Manufacturing.net, a new RSAC study found that 76% of CISOs saw budget increases between 2024 and 2025, with only 12% experiencing declines. The top investment priorities for 2025-2026 are identity and data protection, reflecting where organizations feel most vulnerable. Meanwhile, 60% of Fortune 1000 CISOs report their mental or physical health has been affected by the role, and cybersecurity teams aren’t far behind with 78% at serious burnout risk in 2024. Nearly half of smaller company CISOs lack indemnification against personal liability for breaches, creating massive career risk. Turnover rates are low, around 5%, but this reflects a soft job market rather than satisfaction, with salaries remaining the biggest retention challenge.
The Constant Crisis Management Loop
Heath Renfrow from Fenix24 nails it when he describes the CISO role as “a constant crisis-management loop.” Cloud sprawl, SaaS proliferation, identity-driven attacks, and 24/7 ransomware pressure have created an impossible situation. The attack surface is expanding faster than teams, budgets, and tooling can keep up. Basically, CISOs are being asked to prevent the unpreventable while responding flawlessly under global scrutiny. And they’re never allowed to show fatigue.
Here’s the thing: the solution isn’t just throwing more money at the problem. Renfrow argues CISOs need to shift from “owning” everything to governing outcomes. That means automating operational drag, outsourcing commodity functions, and focusing internal talent on what actually differentiates security resilience. Any CISO trying to personally quarterback every domain is heading for failure.
Identity Becomes the True Front Line
Shane Barney from Keeper Security makes a crucial point: attackers don’t need to breach technical defenses when stolen credentials provide direct entry. Identity now represents the true front line of defense. Without full visibility into who has access and what they’re doing, organizations are already operating at a disadvantage.
Diana Kelley at Noma Security highlights another wrinkle: the explosion of Non-Human Identities. With autonomous AI agents that can “reason” and act through connected tools coming soon, identity management is about to get even more complex. That’s why nearly 25% of respondents are making IAM their top investment priority for next year.
The Mental Health Crisis Nobody’s Solving
Let’s be real: the mental health strain in cybersecurity is worsening, and CISOs are carrying the heaviest emotional load. Renfrow suggests we’ll see formal wellness support built into security programs by 2026 – mandatory downtime post-incident, rotation-based on-call models, executive mental-health resources. The CISO protects the organization, but who protects the CISO?
Gareth Lindahl-Wise from Ontinue offers practical advice: CISOs need mentors both inside and outside their business. “The experience of mentors is a goldmine waiting to be tapped into,” he says. External, internal, and personal expectations are all increasing, loading more tension on mental wellbeing. Many CISOs’ career paths didn’t equip them for managing larger, distributed teams while participating in strategic business activities.
The Organizational Shift That’s Needed
Dana Simberkoff at AvePoint makes the crucial point that cybersecurity can’t just be a C-suite concern anymore. It needs to become an organization-wide cultural priority. When top executives understand and endorse upskilling colleagues on spotting cyberthreats, that sends a strong message through the entire organization.
Emma Werth from Cowbell highlights the implementation gap that’s costing companies dearly. There’s a significant difference between deployment and proper deployment. Policyholders might implement MFA, but not everywhere, and not for the crucial software that could actually prevent losses. Patching on a strong cadence doesn’t prevent CVEs from being exploited in the window between patches.
So where does this leave us? Budget increases are nice, but they’re not solving the fundamental problems. The CISO role has become unsustainable for many, and the talent pipeline isn’t keeping up. As manufacturing and industrial organizations increasingly digitize their operations, the pressure on cybersecurity teams managing complex industrial control systems continues to intensify. The companies that will survive this crisis are the ones treating cyber burnout as a strategic risk rather than a personal failing.
