Cybersecurity, the key role of the CISO between increasing risks and responsibilities
AI and new threats push Chief Information Security Officers to govern innovative tools with increasing responsibility and pressure
Cybersecurity is no longer a technical variable to be managed at the periphery of the organisation: an assumption that finds substance in the data contained in the report "Voice of the CISO 2025" by Proofpoint, a leading American company active in the field of digital security for the corporate world. The study points to a double trend: cyber risk is now perceived as structural and bound to affect business continuity and enterprise value directly, while the role of the Chief Information Security Officer is increasingly central to corporate strategy and, at the same time, exposed to growing pressure, both operationally and personally.
The picture regarding Italian CISOs reflects a situation of great concern: 84 per cent of them believe an attack is likely in the next twelve months, and half admit that their organisation is not adequately prepared for it. The feeling of vulnerability is therefore widespread and concerns not only the sophistication of the threats, but also the ability of companies to absorb their impact. It is not surprising, in this context, to learn that more than three quarters of the security managers surveyed in Italy have already experienced a significant data loss in the last year, a fact that reiterates how the cyber incident is no longer an exception or an episodic event, but a concrete eventuality with which corporate management (boards of directors included) must live, paying due attention to the economic and reputational consequences of these incidents.
Cybersecurity, in short, is consolidating as a governance issue, calling into question decisions concerning investments, priorities and responsibilities at the top level.
The most difficult factor to govern remains the human factor
Although threats and defence tools are constantly evolving, the organisation's most vulnerable point continues to be the human factor. 68% of Italian CISOs indicate people as the organisation's main security risk, while at the same time pointing out (in 64% of cases) that the majority of employees are aware of good cybersecurity practices. An obvious paradox, which highlights the gap between (declared) awareness and actual behaviour. In fact, according to Proofpoint's report, most of the data losses recorded in the last year can be traced back to errors, carelessness or improper actions of insiders; in particular, 94 per cent of cybersecurity managers who suffered incidents attribute at least part of the responsibility to outgoing employees, pointing to a weakness in the management of transition phases and sensitive information. The picture that emerges thus reflects the perception of an insufficient level of defence, which persists even in the presence of widely deployed protection tools. And irrespective of the nature of the threat, from email fraud to the well-known ransomware, the end result tends to be the same, namely data loss. It should come as no surprise, in this respect, that a significant proportion of CISOs admit to considering paying a ransom as an extreme damage limitation measure, confirming the high stakes.
Artificial intelligence between opportunities and new fears
Into this already complex scenario comes the pervasive spread of generative AI, which is on the one hand a strategic priority to be grasped and on the other a major source of concern. Indeed, 69 per cent of Italian CISOs consider it essential to enable its secure use, but 60 per cent fear the loss of customer data through public platforms, chatbots and LLM-based collaboration tools directly accessible to employees.