In 2025, CISOs are navigating a dynamic cybersecurity landscape, where operational resilience has emerged as the strategic focus. This shift reflects a growing understanding across the business of the 'when, not if' approach to cyber attacks, underscoring the necessity for organizations to swiftly recover and maintain continuity in the face of disruptions.
As CISOs continue to integrate security into digital transformation and innovation initiatives, they are tasked with fostering a culture of resilience across their organizations. This involves the continuing enhancement of security measures along with ensuring that all stakeholders – leaders and team members alike – are prepared to respond effectively to threats and vulnerabilities.
Cyber resilience was added as an option to our annual Leadership Perspective Survey for the first time, and it quickly superseded other focus areas to become the top CISO priority of 2025. According to Gartner’s Top 9 Trends in Cybersecurity 2025, security leaders are focusing on both prevention and recovery, noting that “cyber resilience seeks to minimize the impact of cyber incidents on the enterprise and enhance adaptability, rather than engage in misguided notions of outright prevention.”
Here, we take a closer look at security leaders’ functional and enterprise priorities, as well as their goals and challenges in 2025, based on our proprietary survey of 2,000 CISOs across Gartner C-level Communities.
Top Functional Priorities for CISOs
In 2025, CISOs made Cyber Resilience their top priority, which speaks to the need for organizations not only to withstand and respond to cyber attacks, but also to resume operations in a timely manner. This is a new area of focus for security leaders, as the two areas User Access, IAM and Zero Trust and Cloud Security, Strategy and Architecture have been trading the top spot for the past few years.
User access remains the second highest priority for CISOs, while cloud security has dropped to number five. This could be partially due to the fact that organizations have been on a cloud journey and investing in this area for several years.
Interestingly, Generative and Traditional AI, which only made an appearance in the top five last year, has decreased somewhat in importance, but remains in CISOs’ top ten priorities. Based on written responses to the survey, CISOs are interested in specific use cases demonstrating how AI can improve risk management and resiliency and how AI can automate security tasks.
Measuring and Communicating Risk continues to be a focus area, and Security Operations has moved up into the top five priorities for CISOs this year. Security leaders may be focusing on how to evolve security operations, possibly through automation, with one CISO saying, “Automation is critical to manage the high volume of events.”

Next, we dive deeper into each of the top three priorities for CISOs, including what they cite as the key opportunities and challenges in these areas.
Strengthening Cyber Resilience
Cyber resilience speaks to the need for security leaders to have robust response strategies in the event of attacks and improve their organizational resilience and ability to recover quickly. One CISO explains that resilience is "recognition that cyber attacks are a constant threat.” Another executive writes that “cyber resilience encompasses everything my team does and is basically the mandate for a CISO.”
Some CISOs note they need to plan for the resilience of both IT systems and the overall company. Others talk about the “minimum viable company activities,” or the most critical processes that have to remain running for the organization to function. They share that there are challenges in aligning IT protection with business continuity, but they want to make internal stakeholders aware of IT dependencies in implementing continuity plans. One CISO commented: “It’s one thing to secure the IT and to recover in an emergency; the other issue is how the business reacts.”
CISOs’ specific goal is to improve resiliency, and their top challenge is competing priorities. Here are their other goals and challenges in the area of cyber resilience.
Goals for Cyber Resilience
70% Improving resiliency
66% Mitigating risks
46% Improving processes and efficiencies
Challenges around Cyber Resilience
43% Competing priorities
40% Technical debt
36% Lack of resources
Following the survey, we conduct hundreds of follow-up conversations with security leaders to learn in depth about their priorities. Here is a sample of what CISOs are saying about cyber resilience:
“We have adopted a ‘not if, but when’ mentality. We have been trying to identify ways to keep our systems up, identify issues quickly, and keep the impact to the smallest areas.”
“Cyber resilience goes well beyond IT recovery plans – it includes legal, public relations, market disclosures, and supplier readiness. It’s about full, end-to-end coordination and readiness across departments.”
“What happens if you're unable to access SaaS products, or third party or fourth party vendors? It’s not just about whether we are ready to handle disaster recovery – we can't fix vendor issues.”
Improving User Access, IAM & Zero Trust
User Access, Identity Access Management and Zero Trust have been a top priority for CISOs for the past three years. Many organizations are still on a multi-year zero trust journey, and others are refining their strategies. One CISO told us that “zero trust has been our strategy, and now we would like to refine it with automation and other improvements.” Another executive mentioned that their zero trust strategy this year is focused “on user experience and standardization across entities.”
Challenges for CISOs in this area include a diverse set of applications and deploying authentication mechanisms globally. Several CISOs mentioned exploring a shift to passwordless authentication. One security leader wrote, “Our goal is to achieve passwordless access, but there are challenges posed by disparate systems.” Some CISOs are also looking at alternative authentication methods, such as PINs, instead of passwords, and another executive mentioned a “movement towards integrating biometrics.”
Below are CISOs’ specific goals and challenges in improving on user access, IAM and Zero Trust. Most security leaders have the goal of mitigating risks, and their top challenge this year is all of their competing security priorities.
Goals for User Access/IAM/Zero Trust
69% Mitigating risks
55% Improving processes and efficiencies
40% Improving employee experience
Challenges around User Access/IAM/Zero Trust
45% Competing priorities
43% Legacy technology
40% Technical debt
Here is a sample of what CISOs are saying in our follow-up conversations to the survey about this priority:
“We are working on a three-year roadmap to overhaul identity management systems, emphasizing the importance of zero trust principles. We are shifting from a tool-heavy approach to focusing on processes, procedures and governance to make tools work effectively.”
“Password challenges often account for breaches. We need to better understand the attack surface and then apply the right password policy. Multi-Factor Authentication (MFA) is not enough – we need to move to passwordless security and biometric authentication.”
“We had a breach that occurred through malware that accessed MFA via a password, leading to phishing emails from an internal address. The threat was identified and blocked. Internal emails are more trusted, highlighting the importance of security in this area.”
Enhancing Risk Communications & Measurement
Measuring and communicating risk remains a top focus area for CISOs in 2025, as it has been for several years. They continue to be challenged by how to articulate risk, with one CISO saying that it’s difficult “both with our teams to figure out the true risks, and then to communicate that up to executives.” Security leaders also have to translate information about threats for different audiences, including board members and employees.
CISOs also find it a challenge to quantify risk. As one commented, “Quantifying a risk appetite doesn't work.” Other security leaders mentioned they are trying to shift from qualitative risk categories (such as red, yellow, green) to quantitative risk metrics. One CISO said, “It’s important to establish a risk appetite and thresholds to effectively measure and communicate risk levels.”
Another security leader mentioned that it is difficult to articulate enterprise risk: they attempt to quantify not only risk itself, but also lost or delayed revenue. This CISO noted that “it’s challenging to find universal themes and tell a story. How do we take real learnings from real incidents and translate that to our own programs and what we need to address?”
The primary goal for CISOs is to improve their metrics, and the main challenge they cite – again – is competing priorities.
Goals for Measuring & Communicating Risk
61% Improving metrics & KPIs
60% Mitigating risks
53% Making data-driven decisions
Challenges around Measuring & Communicating Risk
42% Competing priorities
37% Data quality & availability
36% Company culture
CISOs shared more thoughts on improving risk measurement and communication, including the following:
“Measuring and communicating risk is a fundamental aspect of the CISO role. A key responsibility is to effectively explain risk to the board, translating technical concepts into terms that non-technical stakeholders can understand.”
“CISOs are always translators. How do you take very technical topics and data and articulate the risk to the business? There’s a lot of art in that.”
“The evaluation of risk and communicating this in business language is so important. We also need to demonstrate the value of quantifying risk.”
CISOs’ Priorities Across the Enterprise
In our annual survey, we ask executives across the C-suite about their priorities as enterprise leaders, in addition to their functional goals and objectives. In 2025, all C-level leaders, including CISOs, cite driving growth as their top priority. This is a change from last year when increasing operational efficiencies and productivity was the unanimous first choice across C-level roles.
For many roles, increasing operational efficiencies and productivity has become their second priority, but for CISOs, optimizing or reducing costs is their second highest priority as enterprise leaders this year. Possibly due to the volatile and uncertain economic environment, C-level leaders are focused on efficiencies and cost optimizations along with their objective to drive growth.
Interestingly, CISOs selected reducing risk – often their number one priority – as only their fifth highest priority across the enterprise. These priorities perhaps demonstrate how the CISO role is evolving beyond security to more of a business focus. As one CISO wrote, “The evolving role of the CISO encompasses broader business resilience responsibilities. Leadership or a connection with the business leadership team must be a constant.”
Here is a snapshot of the top enterprise initiatives for CISOs and their C-suite peers.

The Outlook for CISOs
The role of the CISO continues to evolve and expand as they try to both protect and enable the enterprise in a challenging environment. Security leaders are managing a growing amount of data, platforms, technologies and vendors, while simultaneously facing an increasing number of threats. As Gartner notes in the Top 9 Trends in Cybersecurity 2025, “Security and risk management leaders are tasked with improving organizational resilience in a world of increasing risk.”
This year, CISOs are shifting their focus to cyber resilience, creating a balance between threat protection and business recovery. This requires even more influence, communication and leadership across the organization to ensure all stakeholders understand strategies for risk management and resilience.
At the same time, CISOs are enabling business growth and innovation in a secure manner. They are helping their organizations govern data and implement AI and automation securely. As one CISO explained, their role “is at the intersection of cyber, data privacy, business and AI.”
This article is an update to a previous report, which you can find here: Top 3 Goals & Challenges for CISOs in 2024.
Based on 2,000 CISOs’ responses to Gartner C-level Communities' 2025 Leadership Perspective Survey.