CISOs Facing New Security Challenges

 The role of the Chief Information Security Officer (CISO), or Responsable de la Sécurité des Systèmes d'Information (RSSI) in France, has evolved considerably over the years, shifting from a purely technical function focused on infrastructure management to a strategic position within organizations. This evolution reflects the growing importance of cybersecurity in an increasingly digitized world. However, this increased visibility comes with unprecedented pressures and challenges.

A Changing and Pressured Role

Historically, the CISO was primarily a technical expert in charge of managing information systems. Today, they are at the intersection of multiple expectations and pressures emanating from various figures of authority within the company, such as the Head of HR, the CFO, and the CIO. Each of these "Big Bosses" can impose their own constraints, particularly in terms of human or financial resources, thereby limiting the CISO's ability to act effectively. This situation often leads the CISO to have to "make do with what they have" while remaining the guarantor of the organization's overall security.

This duality between the recognized importance of the role and the lack of means or support leads to significant professional stress. A recent study, while showing a slight decrease in the overall stress level of CISOs in 2025 (50% reporting stress, compared to 60% in 2021), reveals that 27% of respondents feel they cannot handle all their tasks. The reasons for this persistent stress are numerous: a significant gap between the current cyber maturity level and targeted objectives (for 38% of CISOs), stress felt during audits (for 77%), a discrepancy between the organization's expectations and the capacity to act (for 73%), concern about the rapid evolution of cyber threats (for 44%), and sometimes the need to validate security policies contrary to their judgment to avoid conflicts (for 58%). The feeling of responsibility and guilt, the need to constantly justify actions, the perception of others (at work and in private life) when an attack has not been prevented, the lack of expertise, and the need to adapt continuously are also major factors of exhaustion. The CISO is often perceived as a "necessary brake" on innovation or transformation projects due to their role in identifying and correcting security flaws.

Despite these pressures, some CISOs report handling the adrenaline of cyber-crisis situations well (85%) and feel increasingly understood or supported by their loved ones (80%). Better consideration of their role by management, increased allocated resources, and better perception by other organizational entities contribute to this improvement.

Key New Challenges

The cybersecurity landscape is constantly changing, presenting CISOs with new strategic and operational challenges.

1. Increasing Regulatory Compliance

The rapid increase in regulations is at the heart of the CISO profession's evolution. Texts such as the NIS2 directive (Network and Information Security), the DORA regulation (Digital Operational Resilience Act) and the AI Act impose additional obligations on companies. These regulations require the implementation of new security measures and make the documentation of those measures crucial, since the documentation is what demonstrates compliance to auditors and authorities.

This results in increased effort at the administrative and organizational levels. Incident reporting procedures must be clearly established and regularly tested, with very short notification deadlines for a significant incident: under NIS2, an early warning within 24 hours of becoming aware of it and a full incident notification within 72 hours. These rules also strengthen the legal responsibility of leaders and impose transparency about how incidents are handled. For organizations not already regulated by strict frameworks like the LPM (Loi de Programmation Militaire), rapid adaptation is necessary. The CISO is on the front lines to present and explain their organization's cybersecurity posture. Paradoxically, these regulations can serve as an opportunity for CISOs: they can impose requirements on partners and suppliers, and back their own requests internally, with a solid legal basis.

2. Supply Chain Security

Cyber risks related to the supply chain have become a major concern. "Supply chain" attacks exploit weaknesses at service providers or partners to reach the target organization's critical systems. Regulatory texts such as the NIS2 directive and the Cyber Resilience Act (CRA) aim to reduce the vulnerabilities introduced by external components and to ensure complete traceability of them. Every link in the global supply chain can pose a cybersecurity risk: vulnerabilities can be introduced during design and production, exploited during deployment or operation, or introduced during maintenance or patching activities.

Evaluating supply chain risks involves considering elements such as technology sensitivity, product function (impact on data confidentiality, availability and integrity), the type of data processed, and the cybersecurity maturity of suppliers (compliance with standards, data protection, cybersecurity policies). The CISO must adopt the role of a negotiator, capable of ensuring that the various supply chain actors comply with cybersecurity requirements. This requires not only technical expertise but also relationship skills. The "Zero Trust" model, in which no access is trusted by default because of where it comes from and every request, external or internal, is authenticated, authorized and monitored, is a key approach to reducing these risks.

3. The Rise of Cloud and "as a Service" Solutions

The increasing use of Cloud services and "as a Service" models is transforming how security is managed. More and more cybersecurity tools are offered in SaaS mode, facilitating their deployment and updating. The Security Operations Center (SOC), traditionally internal or outsourced but with a controlled hardware component, is seeing the emergence of "SOC as a Service," fully hosted in the Cloud. Similarly, the Zero Trust Network Access (ZTNA) model, which replaces VPNs for remote access, is often offered "as a Service".

These developments offer opportunities, such as reduced infrastructure investment and increased flexibility. However, they also pose significant challenges for the CISO, including the issue of trust in the external provider, the protection of data and event logs, guarantees in terms of availability, confidentiality, and integrity, data sovereignty, and managing reversibility in case of changing providers. Adopting ZTNA, for example, enhances security by limiting the attack surface, but represents a challenge in managing the transition, application compatibility, and training users.

Cloud security in the era of regulations is becoming a strategic challenge, forcing decision-makers (CIOs, CISOs, compliance managers) to rethink their approaches towards proactive and dynamic security. "As code" approaches such as Policy as Code and Compliance as Code, in which security policies and regulatory requirements are written as machine-readable rules evaluated automatically against infrastructure definitions and running environments, are becoming a strategic necessity: they minimize configuration errors and drift, and they generate auditable evidence as a by-product of each evaluation.
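As an added illustration (not code from the original article), here is a minimal policy-as-code pattern in Python: each policy is a small rule with a control reference, the rules are evaluated against a resource inventory, and the result is written into a hash-protected evidence record that an auditor can re-verify later. The inventory, the policy identifiers (P-01 to P-04) and the control names are assumptions made up for the example, not a real cloud export or a real control catalogue.

```python
"""Policy-as-code sketch: declarative rules evaluated against a resource
inventory, producing findings plus a tamper-evident evidence record.
Added illustration; the inventory below is constructed, not real data."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Constructed inventory, in the shape a cloud asset export might have.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public": False,
     "encryption": "aes256", "retention_days": 400},
    {"id": "bucket-web", "type": "storage", "public": True,
     "encryption": None, "retention_days": 30},
    {"id": "db-hr", "type": "database", "public": False,
     "encryption": "aes256", "retention_days": 365, "tls_min": "1.2"},
    {"id": "db-legacy", "type": "database", "public": False,
     "encryption": "aes256", "retention_days": 90, "tls_min": "1.0"},
]


@dataclass
class Policy:
    id: str                         # hypothetical identifier for the example
    control: str                    # the obligation this rule evidences
    applies_to: set                 # resource types the rule concerns
    check: Callable[[dict], bool]   # True means the resource is compliant


# Hypothetical policy set; real ones map to the organization's own controls.
POLICIES = [
    Policy("P-01", "no public storage", {"storage"},
           lambda r: not r.get("public", False)),
    Policy("P-02", "encryption at rest", {"storage", "database"},
           lambda r: r.get("encryption") is not None),
    Policy("P-03", "retention >= 365 days", {"storage"},
           lambda r: r.get("retention_days", 0) >= 365),
    Policy("P-04", "TLS 1.2 minimum", {"database"},
           lambda r: tuple(map(int, r.get("tls_min", "0").split("."))) >= (1, 2)),
]


def evaluate(inventory, policies=POLICIES):
    """Return a list of (policy_id, resource_id) violations, in inventory order."""
    findings = []
    for res in inventory:
        for pol in policies:
            if res["type"] in pol.applies_to and not pol.check(res):
                findings.append((pol.id, res["id"]))
    return findings


def evidence_record(inventory, findings, policies=POLICIES, run_id="run-0001"):
    """Build an auditable record: digest of the evaluated input, the policy
    set, the violations, and a digest over the record itself so that any
    later alteration of the stored evidence is detectable."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    record = {
        "run_id": run_id,
        "input_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "policies": [p.id for p in policies],
        "violations": [{"policy": p, "resource": r} for p, r in findings],
        "compliant": not findings,
    }
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["record_sha256"] = hashlib.sha256(body.encode()).hexdigest()
    return record


def verify_record(record):
    """Recompute the record digest; False if any field was altered."""
    claimed = record["record_sha256"]
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    body_json = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body_json.encode()).hexdigest() == claimed


if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    print(json.dumps(evidence_record(SAMPLE_INVENTORY, found), indent=2))
```

The same rule set can run in a CI pipeline against infrastructure definitions before deployment and on a schedule against the live estate; storing the record alongside its digest (in a ticket, a log store or a signed artifact) is what turns a one-off scan into evidence that survives an audit.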

4. Artificial Intelligence as a Concrete Issue

Artificial Intelligence (AI) is becoming a concrete issue for the CISO. The rise of generative AI tools, integrated into everyday applications (office suites, browsers, collaborative tools), makes their deployment harder for the CISO to control. Employees can activate these features without being aware of the security implications. The CISO must deal with software components they haven't necessarily audited beforehand. Vigilance must focus on the data flowing through these AI tools, the confidentiality of sensitive data, who holds the processed information, and the risk of unauthorized transfer. A clear framework policy is needed to avoid increasing the risk of exposure and non-compliance.

In parallel, AI is subject to specific regulations, such as the European AI Act, which means CISOs will have to ensure that AI processing complies with data confidentiality, transparency, and security rules. The main challenge is the proliferation of local and scattered AI initiatives within the organization, which makes it necessary to inventory these projects, raise awareness among teams, and establish a minimum level of governance. The goal is to support innovation while ensuring a minimum level of security. "Shadow AI," in particular, undermines the confidentiality of sensitive data. CISOs are increasingly considering using AI to automate threat detection and response, but this requires a firm grasp of the use cases and awareness of the risks (hallucination, and manipulation of the model through its inputs, such as prompt injection).

5. Incident and Vulnerability Management

Threat and cyber incident detection and response are crucial, especially given the strict notification deadlines imposed by regulations (NIS2, CRA, SEC). Deadlines such as the 24-hour early warning and 72-hour notification under NIS2 (and under the CRA for actively exploited vulnerabilities), or the four business days the SEC rules give listed companies to disclose a material incident, require modernization of detection and response processes and tools, including the adoption of "detection as code" (detection rules written, versioned and tested like software) and the use of specialized tools such as cloud-native application protection platforms (CNAPP) for real-time visibility. Detailed incident documentation is required, which "as code" approaches facilitate by providing auditable evidence. Resilience ensures the continuity of essential activities in case of disruption or a major incident.
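To make "detection as code" concrete, here is an added example in Python (not from the original article or any real product): a detection rule expressed as versionable code, run over sshd-style log lines, whose alert is turned into an incident record carrying the 24-hour and 72-hour NIS2 clocks counted from the time the team became aware of the incident. The log lines, the rule identifier, the threshold and the "aware at" timestamp are all constructed for the illustration.

```python
"""Detection-as-code sketch: a rule written as code, run over log lines,
emitting an incident record with the regulatory notification clocks.
Added illustration; the log lines are constructed, not from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed auth log. Five failures then a success from one address is
# the pattern the rule looks for; the second address is benign noise.
SAMPLE_LOG = """\
2025-03-04T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51022
2025-03-04T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51024
2025-03-04T08:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51026
2025-03-04T08:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51028
2025-03-04T08:00:08Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51030
2025-03-04T08:00:09Z sshd[1201]: Failed password for deploy from 198.51.100.2 port 40000
2025-03-04T08:00:12Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51032
2025-03-04T08:05:00Z sshd[1201]: Accepted publickey for deploy from 198.51.100.2 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Hypothetical rule definition; a real repository would hold many of these.
RULE = {
    "id": "AUTH-001",
    "title": "Brute-force followed by successful login",
    "threshold": 5,                  # failures from one source before a success
    "window": timedelta(minutes=10),
}

EARLY_WARNING = timedelta(hours=24)   # NIS2 Art. 23 early warning
NOTIFICATION = timedelta(hours=72)    # NIS2 Art. 23 incident notification


def parse(log_text):
    """Parse lines into dicts with a timezone-aware timestamp; skip non-matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
            events.append(d)
    return events


def detect(events, rule=RULE):
    """Alert when >= threshold failures from one IP inside the window are
    followed by a success from the same IP. Returns a list of alerts."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # Keep only the failures still inside the sliding window.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= rule["window"]]
        else:
            recent = [t for t in failures[ip] if ev["ts"] - t <= rule["window"]]
            if len(recent) >= rule["threshold"]:
                alerts.append({"rule": rule["id"], "ip": ip, "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"]})
            failures[ip].clear()   # a success resets the counter for that source
    return alerts


def open_incident(alert, aware_at):
    """Turn an alert into an incident record carrying the 24h/72h clocks,
    counted from when the organization became aware of the incident."""
    return {
        "rule": alert["rule"],
        "source_ip": alert["ip"],
        "account": alert["user"],
        "detected_at": alert["at"].isoformat(),
        "aware_at": aware_at.isoformat(),
        "early_warning_due": (aware_at + EARLY_WARNING).isoformat(),
        "notification_due": (aware_at + NOTIFICATION).isoformat(),
    }


def run_demo():
    """Run the rule over the constructed log, assuming the analyst confirmed
    the alert (and so the entity became aware) at 09:30 UTC the same day."""
    aware = datetime(2025, 3, 4, 9, 30, tzinfo=timezone.utc)
    return [open_incident(a, aware) for a in detect(parse(SAMPLE_LOG))]


if __name__ == "__main__":
    for incident in run_demo():
        print(incident)
```

Because the rule, its threshold and its test log live together in a repository, a change to the detection logic can be reviewed and replayed against known samples before it reaches production, and the incident record it produces already carries the dates the reporting procedure has to meet.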

Vulnerability management is also essential for compliance and resilience. It aims to reduce the risks associated with unpatched vulnerabilities and to strengthen trust. This involves implementing a structured process, including Coordinated Vulnerability Disclosure (CVD) to handle flaws reported by third parties outside any contractual framework, rapid impact assessment, and transparent communication with the authorities. The difficulty often lies in coordinating roles and responsibilities between operational teams and security teams.

6. Expansion of Security Testing

To cover all potential attack surfaces in modern cloud architectures, it is crucial to integrate more comprehensive security tests. Beyond traditional scans, this includes software composition analysis (SCA) to identify vulnerabilities in dependencies, static (SAST) and dynamic (DAST) testing to analyze code and running applications, and specific security for APIs and containers.

7. Securing Connected Objects (IoT)

Although less prevalent in businesses for professional use, the trend of connected objects (IoT) represents a future challenge for CISOs. These objects often collect sensitive data, but their security is not always a priority for manufacturers. The heterogeneity of products and technologies makes standardization difficult, but interoperability with secure APIs could be a path forward. Existing security best practices (encryption, authentication, physical protection) should be applied to connected objects to prevent them from becoming the weakest link in security.

Strategies and Approaches to Strengthen Cyber Resilience

Facing these challenges, CISOs and organizations can adopt various strategies and approaches to strengthen their resilience. Digital resilience is based on an analysis of the cyber risks weighing on the organization.

The technical strategy involves relying on proven tools and methodologies (risk analysis via EBIOS/ISO 27005, MFA, EDR, SOC). However, this approach has its limits without institutional support and sufficient resources, and it can isolate the CISO from the human and organizational dimensions.

The consulting strategy implies the CISO acting as a prescriber and leaving other departments to make the decisions. This offers personal resilience by shifting operational responsibility, but it can reduce the CISO's impact and be poorly perceived.

A more provocative approach, the "Detritus" strategy, involves subjecting the organization to intentional stress tests to reveal systemic flaws and raise awareness. Although effective, it presents risks of tension and conflict.

Beyond these individual approaches, a systemic and integrated approach is necessary. Mr. Cartau identifies four key areas for increased resilience:

  • Organizational frontiers: Securing interdependence with third parties and the ecosystem, using approaches like Zero Trust.
  • Information system entropy management: Reducing accumulated complexity and disorder in infrastructures, drawing inspiration from Lean Management, to gain a global view and manage risks effectively.
  • Allocated resources: Making better use of available resources and optimizing existing means before requesting new funding, prioritizing initiatives and clarifying responsibilities.
  • Perception of time: Avoiding the compression of time around immediate emergencies, and dedicating space for strategic thinking and long-term planning to anticipate crises and disruptions (AI, regulations).

These areas require cultural change and commitment from all levels of the organization.

Collaboration is essential, in particular between the DPO (Data Protection Officer) and the CISO, to align security and data protection. The DPO focuses on personal data compliance and regulatory adherence, while the CISO implements the technical and organizational measures; together they ensure that appropriate security measures are in place. Fluid communication, cooperation and coordination (regular meetings), and continuous evaluation and improvement ("Privacy by Design") are key to effective collaboration in facing the challenges of a digitized world.

Awareness, skill development, and training are fundamental. Organizations must train their employees and managers on the applicable rules (such as the GDPR). ANSSI offers training (CFSSI, SecNumacadémie, labeling of training courses). Awareness tools exist, such as the kit from Université Laval covering key themes (phishing, viruses and ransomware, passwords, MFA, Wi-Fi security, social engineering) and offering fact sheets, videos, quizzes, and best practices. Training in cyber crisis management is also crucial: ANSSI co-produced a guide and developed an exercise kit for local authorities, and the after-action review (Retex) of the REMPAR22 exercise is another useful reference.

Integrating security from the design phase of systems ("Security by Design") is a strategic necessity, particularly in cloud-native environments.

The Role of ANSSI

The Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) plays a central role in France in strengthening national cyber resilience. Created in 2009, it is the national authority for cyber defence, with a purely defensive mandate, attached to the Prime Minister (through the SGDSN). Its missions revolve around four pillars:

  • Defend: Protect critical information systems and intervene in the event of major cyberattacks. ANSSI focuses on addressing incidents on essential digital systems and services.
  • Know: Provide continuous threat intelligence and publish analyses.
  • Share: Produce practical and educational guides adapted for different audiences.
  • Accompany: Support the national and international ecosystem (audits, training, projects).

ANSSI runs a training center (CFSSI), evaluates and qualifies security products and services, and contributes to the development and application of regulations (NIS/NIS2 directives, SAIV mechanism). The agency provides expertise in research and innovation. It is also involved in cyber crisis management and exercises. The state has developed governmental plans such as VIGIPIRATE and PIRANET to anticipate major crises. Each crisis is followed by an after-action review so that information systems are durably strengthened.

ANSSI is particularly involved in critical sectors like healthcare and strategic infrastructures. It has a CARE program to strengthen the cyber resilience of hospitals. It plays a role in transposing NIS2 and implementing the cyber resilience law.

Conclusion: The CISO of 2025

The CISO profession in 2025 is marked by continuous evolution under the pressure of new trends: increasing regulatory compliance, massive adoption of SaaS solutions, and the emergence of AI as a major issue. The fundamental mission of protection remains unchanged, but the way it is accomplished is becoming more complex.

CISOs must develop new skills, beyond technical expertise, including negotiation, communication, and the ability to convince. They must expand their toolset and step out of their comfort zone. The ongoing transformations also open opportunities to play a more transversal role and be recognized as strategic partners.

Facing the increasing complexity of threats, managing constant pressure, navigating a dense and rapidly evolving regulatory landscape, securing increasingly distributed architectures (Cloud, SaaS, supply chain, IoT), and managing the risks associated with new technologies like AI are the major challenges for CISOs. A proactive, integrated approach, based on strong internal and external collaboration, continuous user awareness, and permanent adaptation of strategies and means is essential to ensure the digital resilience of organizations in a constantly changing world.

Amadou Lamine Diouf
Expert Consultant | Trainer | Information Systems Auditor

🌐 Website: www.truetechnologie.com
📧 Email: lamine.diouf@truetechnologie.com
📞 Phone: +221 77 856 27 66

