6 hard truths security pros must learn to live with


A career in cybersecurity is attractive for a number of reasons. The perpetual shortage of security practitioners means you can always get a job, and the tight talent market ensures a shot at great pay and benefits.

Plus, for people who thrive in a fast-paced, high-pressure environment, there’s certainly never a dull moment in security. And you’re doing something important: working to keep your organization safe from cyberattack.

On the flip side, hard truths abound for security pros. Here are six of the most challenging and what you can do to mitigate and deal with them.

Every technological leap will be used against you

Information technology is a discipline built largely on rapid advances. Some of these technological leaps can help improve your ability to secure the enterprise. But every last one of them brings new challenges from a security perspective, not the least of which is how they will be used to attack your systems, networks, and data.

Generative AI, for example, can be used to augment security operations, but it is also proving to be a challenge to secure. Moreover, gen AI is enabling hackers to generate more convincing phishing lures, voice spoofs, and deepfake videos — and to mount multi-channel attacks that span email, social media, and collaboration platforms.

Eighty-seven percent of security professionals report that their organization has encountered an AI-driven cyberattack in the past year, according to SoSafe’s 2025 Cybercrime Trends, a survey of 600 global security professionals. While 91% of security experts surveyed said they anticipate a surge in AI-driven threats over the next three years, only 26% express high confidence in their ability to detect these attacks.

As if that weren’t enough, quantum computing is coming fast, posing new security risks. Chris Dimitriadis, chief global strategy officer at ISACA, says, “Given recent quantum advancements, we can expect quantum computing to be present in our day-to-day platforms and processes within the next few years. While this will present great opportunities for innovation in several industries, significant cybersecurity risks emerge. Cryptography is present in all businesses, industries, and sectors, and quantum computing has the potential to break the cryptographic protocols that we use, rendering simple services useless.”

What you can do: Organizations need to start preparing now. Hackers are already engaged in so-called “harvest now, decrypt later” attacks in which they steal encrypted data for decryption via quantum at a later date. Staffers need to be trained on both AI and quantum. Security execs need to develop and implement policies, put guardrails in place, and deploy the appropriate tools to make sure that the organization is prepared for these new types of threats.

No matter how good you are, your organization will be victimized

This is a hard one to swallow, but if we take the “five stages of grief” approach to cybersecurity, it’s better to reach the “acceptance” level than to remain in denial because much of what happens is simply out of your control.

A global survey of 1,309 IT and security professionals found that 79% of organizations suffered a cyberattack within the past 12 months, up from 68% just a year ago, according to cybersecurity vendor Netwrix’s Hybrid Security Trends Report.

Compromised credentials (16%) and phishing (15%) were the two top causes of data breaches identified in the 2024 edition of IBM’s annual Cost of a Data Breach report, conducted by the Ponemon Institute. So, despite security training, end users still fall for phishing attacks and still allow their credentials to be stolen.

Once a hacker is inside your network, they can operate for months without your knowledge. Ponemon says it takes an average of 292 days to identify and contain breaches involving stolen credentials, 261 days to identify and resolve phishing attacks, and 257 days for social engineering attacks.

What you can do: Gartner recommends that security and risk management (SRM) leaders shift from a prevention mindset to a focus on cyber resilience, which emphasizes minimizing impact and enhancing adaptability. In other words, adopt a “when, not if” mentality and accept that incidents are inevitable.

Breach blame will fall on you — and the fallout could include personal liability

As if getting victimized by a security breach isn’t enough, new Securities and Exchange Commission (SEC) rules put CISOs in the crosshairs for potential criminal prosecution. The new rules, which went into effect in 2023, require publicly listed companies to report any material cybersecurity incident within four business days.

There have already been two high-profile cases brought against CISOs. Uber CSO Joe Sullivan was charged with obstructing a Federal Trade Commission investigation related to a data breach at the ridesharing company that occurred in 2016. He was found guilty and sentenced to probation in 2023.

Also in 2023, the SEC charged SolarWinds CISO Timothy G. Brown with fraud and internal control failures related to the infamous SolarWinds breach of 2019. More recently, an appeals court dismissed nearly all counts against SolarWinds and Brown.

But the concern remains that CISOs will take the fall for data breaches. In Proofpoint’s 2024 Voice of the CISO survey, 66% of global CISOs said they are concerned about personal, financial and legal liability in their role, up from 62% in 2023.

What you can do: You can’t always prevent breaches, but you can have a solid incident detection and response plan in place. And there are ways CISOs can protect themselves from personal liability, including obtaining your own lawyer and lobbying for inclusion in your company’s D&O insurance policy. Establishing open lines of communication with the board and C-suite is essential, as is having a playbook that lays out what types of disclosures and filings are required to comply with the new regulations. It’s also vital to consider how you communicate in order to safeguard yourself from liability.

Skills and talent shortages aren’t going away anytime soon

The raw numbers are always a bit shocking when ISC2 unveils its annual cybersecurity workforce study. This year, the shortage of workers grew by 19% to hit 4.8 million, while the overall size of the workforce remained flat at 5.8 million.

Even more troubling than the staff shortage numbers, 90% of those surveyed said there are skills shortages in their organizations, with two thirds (64%) viewing these shortages as more serious than the personnel shortages they are dealing with.

“It’s not just about the people available in the market. It’s about the skilling, and I think that’s where the focus needs to be — getting the right skill sets into the right job roles,” said Jon France, CISO at ISC2.

The cyber skills gap has increased 8%, with two out of three organizations reporting moderate-to-critical skills gaps, according to the World Economic Forum’s Global Cybersecurity Outlook 2025.

This double whammy makes organizations more vulnerable to attack and leaves them less equipped to respond to breaches.

What you can do: Here’s where AI can help. Organizations can leverage AI to automate and optimize manual processes. Upskilling existing staffers is vital. And recruiting from within the organization is another tactic that can pay dividends.

The bad actor plotting an attack might be sitting right next to you

This is another tough pill to swallow, but insider attacks, either employees stealing data to sell for profit or disgruntled employees trying to do harm, are on the rise. When security pros strategize about how to stay one step ahead of cybercriminals, the image that typically springs to mind is somebody from Kazakhstan, not somebody in the next cubicle.

But, according to a survey from Gurucul, 60% of organizations reported insider attacks in 2023, and that number jumped to 83% in 2024. The 2025 Ponemon Cost of Insider Risks Report shows the cost of an insider attack rising to $17.4M, up from $16.2M in 2023.

What you can do: Here’s another area where AI can be put to good use. AI and machine learning systems can conduct threat hunting activities and analyze human behavior to spot suspicious activity and pre-emptively prevent insider attacks.

Burnout remains a significant problem

Gartner sums it up this way: “The ever-shifting threat and technology landscape, increasing business demand, and regulatory requirements, coupled with the endemic talent shortage, is generating a perfect storm. As a result, the security industry is experiencing a mental health crisis as security and risk management leaders and their teams experience increasing levels of burnout.”

Gartner analyst Deepti Gopal adds, “Cybersecurity professionals are facing unsustainable levels of stress. CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”

The vicious cycle starts with an understaffed security department where practitioners are required to work unsustainably long hours. Fatigue exacerbates the pre-existing stress associated with the job, which leads to burnout.

The implications can be disastrous: burned-out workers might skip routine tasks like installing patches or ignore alerts (alert fatigue), leading to more breaches. In fact, 39% of IT leaders fear a major incident due to overburdened staff, according to a recent survey from Adaptivist.

What you can do: Experts recommend a multi-pronged approach that includes attempting to reduce cognitive overload by simplifying and streamlining processes, automating as much of the job as possible, and making sure to provide adequate and frequent training and upskilling.

In addition, HR should be involved with stress management training, resilience-building programs, flexible work arrangements, digital detox programs, and other tactics designed to address burnout.

Gartner predicts that by 2027, CISOs investing in cybersecurity-specific personal resilience programming will see 50% less burnout-related attrition than peers who don’t.

Originally published by CSO Online as “6 hard truths security pros must learn to live with.”