At RSAC 2025, one of the main themes could hardly go unnoticed: Chief Information Security Officers (CISOs) are significantly increasing their investments in identity and data protection in response to the growing complexity of cyber threats. According to the RSAC Cybersecurity Insights & Futures Report 2025, the majority of CISOs (76%) reported that their budgets were raised from 2024 to 2025, an indication that organizations are finally providing resources adequate to the level of threats they face.

Complementing this, Gartner forecasts that global information-security spending will reach $212 billion in 2025, up 15% from 2024, reflecting that organizations are aligning budgets with the scale of cyber threats. 

Identity: The Front Line of Defense

Around 25% of CISOs considered identity and access management (IAM) the most urgent issue to address in 2025-2026, with as many as 32% of Fortune 1000 CISOs pointing to identity as their main area of investment. Noma Security CISO Diana Kelley states, “The explosion of non-human identities is only going to be accelerated by autonomous AI agents. I think prioritizing IAM right now is laying down the groundwork for security that is future-proof.”

This focus is supported by McKinsey’s findings that 84% of organizations surveyed experienced identity-related breaches, showing why IAM has become a strategic priority, not just a technical concern.

Keeper Security CISO Shane Barney points out that identity should not be considered only a set of login credentials; it is the access control gateway across various systems. In his view, organizations without full insight into who is granted access and at what time are already at a disadvantage before any breach takes place.

Data Protection: Beyond Compliance

As many as 15% of CISOs identified the protection of data as the primary issue they would focus on. Protecting valuable business data starts with controlling the identity of those who have access. Managing privileged access, verifying requests, and maintaining detailed activity logs are not just compliance activities; they give organizations the ability to quickly roll back malicious events and keep accountability intact. Gartner projects that the global security-software segment alone will exceed $100 billion by 2025, highlighting that enterprises are investing heavily in tools and solutions to safeguard critical data.

Dana Simberkoff of AvePoint remarks, “The accidental leaking of sensitive data can be done by only one person. The implementation of cybersecurity should be a cultural change, which has to start from the C-level and be disseminated through continuous training and governance.”

The Human Element: Stress and Responsibility

CISOs are under pressure. According to a report from RSAC, 60% of the Fortune 1000 CISOs surveyed felt that job demands had an impact on their mental or physical health. The same holds for cybersecurity teams, which are likely to experience burnout, with 78% of staff at high risk. According to Heath Renfrow of Fenix24, “Boards need to treat cyber burnout on the same level as other strategic risks. Just as it is important to protect the network, the CISO also needs to be protected.”

On top of personal pressure, governance is still a tough nut to crack. The majority of CISOs still report directly to the CIO or CTO; however, 57% of them present their cases to the board at least quarterly. Ontinue’s Gareth Lindahl-Wise comments, “CISOs should not only focus on optimizing their operational tasks to create more time for their strategic role but also to be able to make strategic contributions.”

Emma Werth, Vice President at Cowbell, stresses that modern CISOs must collaborate with every team, as cybersecurity affects all employees. She highlights the difference between implementation and proper optimization, noting that partial deployment of controls like multi-factor authentication or patching can leave critical systems exposed. Key mitigations include MFA for email and remote access, regular patching of vulnerabilities, cybersecurity awareness training, and frequent offline data backups, which collectively reduce risk and improve organizational resilience.


Agnidipta Sarkar, Chief Evangelist at ColorTokens, emphasizes that cybersecurity must be integrated by design across data centers, operational technology, cloud environments, and both legacy and modern applications. CISOs must combine technical expertise with business acumen to build digital resilience across all potential points of breach. While the role is challenging, it positions CISOs as strategic leaders, driving innovation and protecting enterprise operations against emerging threats in an increasingly interconnected digital landscape.

Technology, Process, and People: A Balanced Approach

The RSAC insights present three elements that, when coupled together, result in effective cybersecurity:

  • Technology: AI-driven IAM, zero-trust frameworks, and passwordless authentication.
  • Process: Uniform policies, risk assessments, and following NIST or ISO 27001 guidelines.
  • People: Ongoing training, mentoring, and wellness programs targeted at building resilience.

Additionally, McKinsey reports that over 90% of AI capabilities in cybersecurity are expected to come from third-party providers, underscoring the growing importance of partnering with specialized vendors to scale security operations effectively.

Those companies that are willing to spend on all three fronts will be in a better position to fend off the ever-changing threats while maintaining the performance of their teams.

Key Takeaways

  • Identity management should be the main focus of the first line of defense.
  • Protecting data is a part of the organization’s strategy, not just a regulatory requirement.
  • The mental health of CISOs needs to be considered as a business issue.
  • The main purpose of governance is to connect security initiatives with the board through communication.
  • Technology, process, and human resources should be coordinated.

Conclusion

RSAC 2025 clearly shows that CISOs are on their way up, receiving larger budget allocations and placing a strategic focus on permission and data protection. Organizations that combine technological, procedural, and human resources aspects, while at the same time giving priority to mental wellness and governance, will not only secure themselves but also build capacity for the future. As cyber threats keep changing, the money spent most wisely today will be what guarantees that digital operations are stable, secure yet flexible, and ready for growth tomorrow.

FAQs

1. What makes identity management so vital for CISOs?

It limits access so that only authorized individuals can reach sensitive systems. This significantly lowers the chance of security breaches caused by the use of stolen credentials.

2. What does modern data protection entail?

Some of the elements are privileged access management, logging, zero-trust policies, encryption, and employee training.

3. How does the stress experienced by CISOs impact the rest of the organization?

It is usually accompanied by symptoms such as impaired decision-making and impaired reaction times, which is why organizations should provide wellness programs for their employees.

4. What is the point of reporting to the board?

Board updates that occur quarterly, or at other short intervals, deliver accountability, governance, and alignment with business priorities.

5. In what ways should organizations integrate technology, process, and people to get the best results?

The implementation of a robust cybersecurity strategy entails the employment of technological tools, the adoption of well-defined and structured policies, and the skills and endurance of the teams to achieve continuous protection.
