The role of the Chief Information Security Officer (CISO) has never been more exposed. Proofpoint’s latest annual Voice of the CISO 2025 report reveals a disturbing landscape: 76% of cybersecurity leaders worldwide anticipate suffering a material cyberattack within the next 12 months, amid growing adoption of generative artificial intelligence (GenAI) and increased professional burnout in the sector.
Published on August 26, 2025, the study surveyed 1,600 CISOs across 16 countries to analyze their priorities, perceptions, and pressures, revealing a group facing an increasingly hostile environment. The findings are clear: human risk remains the primary vulnerability, AI is both an ally and a threat, and the disconnect between CISOs and boards of directors threatens to deepen the crisis of confidence in corporate cybersecurity.
Fear of the Next Big Attack
One of the most striking data points is that three out of four CISOs (76%) acknowledge that their organizations are at risk of a severe cyberattack in the coming year. The figure is even more concerning when contrasted with the fact that 58% admit they do not feel prepared to respond effectively.
In 2024, the risk perception was 70%. The increase reflects not only the escalation of attacks but also their complexity: ransomware, email fraud, insider threats, and cloud account hijacking make up a fragmented yet equally damaging landscape.
The consequence is almost always the same: data loss. According to the report, two-thirds of CISOs experienced material information losses in the past year, up from 46% in 2024.
The Ransom Dilemma: To Pay or Not to Pay
In a context where data has become the most valuable asset, it’s no surprise that 66% of CISOs state they would be willing to pay a ransom to restore systems or prevent leaks. The trend varies by region: in Canada and Mexico, the figure rises to 84%.
This data sparks an ethical and strategic debate. While authorities and security experts openly advise against paying, the pressure to prevent operational collapse or the exposure of sensitive information is pushing many companies to consider this option as a “lesser evil.”
The Human Factor: The Weak Link
The report underscores a recurring reality: people remain the main vulnerability. This is confirmed by 66% of CISOs, even though 68% believe employees understand cybersecurity best practices.
The contradiction is clear: knowledge doesn’t always translate into secure behavior. Staff turnover worsens the problem: 92% of data losses in 2025 were at least partly attributed to employees leaving the organization, up from 73% in 2024.
While most companies already employ Data Loss Prevention (DLP) tools, one-third of CISOs admit their systems are still insufficient.
Generative AI: Opportunity or Risk?
The emergence of generative AI is the dominant theme of the report. For 64% of CISOs, enabling the safe use of GenAI tools is a strategic priority in the next two years. However, enthusiasm has cooled: in 2024, the figure was 87%.
The concerns are evident: three out of five CISOs fear leaks of client data via public GenAI platforms. In the U.S., 80% see it as a critical risk.
The response has not been a ban but governance. Already, 67% of organizations have implemented usage guidelines, and 68% are exploring AI-based defenses. Still, more than half (59%) continue to restrict the use of these tools among employees.
The double-edged sword of AI is obvious: it accelerates innovation and productivity but also amplifies human risks and exposes companies to new attack vectors.
The Pressure of the Role: Burnout and Lack of Support
The CISO position is increasingly strategic but also increasingly unsustainable. The report highlights that:
- 66% of CISOs say they face excessive expectations.
- 63% acknowledge experiencing or witnessing burnout within the past year.
- Despite 65% stating their organizations have taken measures to shield them from personal liabilities, one-third feel they lack sufficient resources to meet security objectives.
Misalignment with senior management is another issue: support from boards dropped from 84% in 2024 to 64% in 2025. However, concerns about the impact on company valuation after an attack have risen to the top of board agendas, potentially opening the door to increased cybersecurity investments.
A Profession at a Crossroads
Today’s CISO must navigate not only adversaries but also an increasingly complex landscape where several factors converge:
- Technological innovation (AI, cloud, hybrid environments).
- Human factors (errors, turnover, security culture).
- Regulatory and legal pressures (compliance, personal liability).
- Business expectations (reducing costs and increasing resilience).
In the words of Patrick Joyce, Global Resident CISO at Proofpoint:
“Security leaders express optimism about their organization’s cybersecurity posture, but the reality tells a different story: increasing data losses, preparedness gaps, and persistent human risk.”
The Near Future
Everything suggests that 2026 will be a decisive year. With the consolidation of generative AI, the escalation of cyber threats, and mounting regulatory pressure, the CISO role is solidifying as a key component of corporate strategy.
The challenge will be to balance innovation and protection, attract and retain talent in increasingly demanding security teams, and maintain trust amid a landscape rife with misinformation and growing risks.
Frequently Asked Questions (FAQ)
1. What is a CISO, and what role do they play in a company?
The Chief Information Security Officer (CISO) is responsible for an organization’s cybersecurity strategy. Their role ranges from preventing attacks to incident management, including regulatory compliance and employee awareness.
2. Why does generative AI pose a cybersecurity risk?
Generative AI can facilitate productive tasks but also increases the risk of data leaks when employees use public platforms. Additionally, cybercriminals already utilize it to craft more convincing phishing or develop advanced malware.
3. What percentage of CISOs would be willing to pay a ransom after a cyberattack?
According to Proofpoint’s report, 66% would consider paying. In regions like Canada and Mexico, the figure reaches 84%.
4. What measures can companies take to reduce human risk in cybersecurity?
Key steps include strengthening hands-on training (beyond theoretical awareness), implementing DLP solutions, establishing clear AI usage policies, and building specialized internal teams to manage internal risks.
via: proofpoint