Partner POV | Inside the Mind of CISOs: Key Insights from Proofpoint's 2025 Voice of the CISO Report
This article was written and contributed by Proofpoint.
Every year, Proofpoint's Voice of the CISO report captures insights from cybersecurity leaders on the front lines. In 2025, CISOs are navigating a landscape shaped by persistent cyber threats, complex data environments, emerging technologies like generative AI (GenAI), and mounting personal and professional pressures.
Based on a global survey of 1,600 CISOs across 16 countries, the latest report offers critical insights into their challenges, priorities, and the evolving nature of the role. Below, I've outlined the most compelling findings across seven core themes.
1: Confidence collides with concern
While 67% of CISOs say their cybersecurity culture is strong, a striking 76% believe their organization is at risk of a material cyberattack in the next 12 months—up from 70% in 2024. This paradox reflects a growing sentiment: breaches are increasingly viewed as inevitable rather than avoidable.
The rise in concern isn't without merit. Two-thirds (66%) of CISOs reported a material loss of sensitive information in the past year—up dramatically from 46% in 2024. Despite investments in security posture and awareness, more than half (58%) of CISOs still feel unprepared for a cyberattack in 2025.
2: Cyber threats are coming from all angles
With so many options to select from, CISOs were divided on what constitutes the biggest cyber threat. Email fraud and insider threats tied for the top spot (37%), followed closely by ransomware (36%), cloud account takeover (34%), and supply chain attacks (33%).
The common denominator across all these threats? Data loss. Regardless of the attack vector, sensitive information remains the ultimate prize for cybercriminals. It's no wonder, then, that two-thirds (66%) of CISOs surveyed admit their organization would likely pay a ransom to restore systems or prevent data exposure.
3: Data sprawl outpaces security controls
Data is not just growing; it's sprawling, or being 'sprayed', across clouds, devices, and now GenAI tools. This widespread distribution makes data classification, governance, and protection more difficult than ever. While 98% of CISOs say they have a data loss prevention (DLP) program in place, only 6% have dedicated resources to manage it.
And the results show: 66% of the CISOs surveyed experienced material data loss in the past 12 months. Notably, the top causes were human in origin—careless insiders, compromised insiders, and malicious insiders.
4: The people problem persists
People remain both an organization's greatest asset and its greatest cyber vulnerability. A full 66% of CISOs agree that human risk is the top cybersecurity threat their organization faces—even as 68% believe employees understand their role in safeguarding data.
Despite this, many organizations lack adequate human-centric protections. Employee security training ranks low on the list of deployed technologies, and just 70% of organizations have a dedicated insider risk management program. This mismatch between perceived employee awareness and actual behavior continues to be a blind spot.
5: Shifting from restriction to governance with AI
Generative AI is now a fixture in the enterprise, and in the cyber threat landscape. 60% of CISOs see GenAI as a security risk, up from 54% last year. Their top concerns include data leakage through public GenAI tools, the use of collaboration platforms like Slack and Teams, and the ease with which employees can create and share sensitive data outside traditional protection.
Still, CISOs recognize AI's potential. 64% say enabling the safe use of AI is a top priority over the next two years, and 68% are exploring AI-powered capabilities to defend against human error and advanced threats.
6: A shifting seat at the boardroom table
After peaking in 2024, CISO-board alignment has declined. This year, only 64% of CISOs feel their board sees eye to eye with them on cybersecurity—down significantly from 84% last year. Meanwhile, just 66% of CISOs believe board directors should have cybersecurity expertise, a significant drop from 84%.
Still, progress has been made. For the first time, impact on business valuation is the board's top concern in the event of a cyberattack, signaling a more strategic appreciation of cyber risk at the executive level.
7: Mounting pressure, limited relief
The demands on CISOs remain relentless. 66% say they face excessive expectations—which is flat from last year yet still higher than previous years. Even more troubling: 67% feel personally accountable in the event of a cyber incident, and yet only 67% believe they have adequate budgets, tools, and staff to meet their goals.
There is, however, a silver lining. 65% of CISOs say their organization has taken steps to protect them from personal liability—a crucial step toward addressing the burnout epidemic that continues to rise year over year.
Final thoughts
The 2025 Voice of the CISO paints a complex picture: security leaders are more knowledgeable and more visible than ever, yet they're also more vulnerable—to attacks, to burnout, and to potentially unreasonable expectations.
The challenge now is converting organizational confidence into true resilience. That means smarter technology, yes, but also stronger governance, greater investment in people, and meaningful board engagement. As the threat landscape evolves, so too must our approach to protecting what matters most: our people and our data.