Understanding and exploring the intense stresses CISOs are facing today.
With 2025’s cyber-attacks dominating headlines, regulatory demands growing stricter, and personal accountability for security breaches increasing, the role of the CISO is under unprecedented scrutiny.
Compounding this are challenges like budget constraints, talent shortages, and an ever-evolving threat landscape. This relentless stress often wreaks havoc on work-life balance, with burnout and isolation becoming alarmingly common.
To get a perspective on how the CISO deals with these challenges a month on from Y2K, SC UK talked to Nick Godfrey, senior director, Office of the CISO at Google Cloud, to understand and explore the intense stresses CISOs are facing today.
What are the best steps to win the board's trust and get the budget you're looking for?
Getting the board on your side starts with speaking their language. Cybersecurity should be framed as a business enabler, not just another cost. That means quantifying cyber risks in financial terms and linking security investments to business priorities. Instead of leading with technical metrics, like blocked threats or patching stats, CISOs should present cybersecurity in terms of potential financial losses, reputational damage, and operational disruptions.
Boards need to see that cybersecurity is about more than just following regulations - it’s about protecting an organisation’s ability to keep running, growing, and staying ahead of the competition. Highlighting how investing in security upfront can save money by preventing breaches, reducing downtime, and giving the company a stronger competitive edge can help strengthen your case.
It’s also important to make cybersecurity an ongoing conversation. It definitely shouldn’t just be a once-a-year check-in; keep security on the agenda with regular, digestible updates on threats, trends, and progress. Be transparent about risks and improvements, and show a clear roadmap toward stronger security.
A board that understands the value of security is more likely to support appropriate investment. CISOs should position themselves as partners in business risk management to earn the trust and budget needed to protect the organisation.
Despite all of the headlines and research, do senior execs still need to be convinced on security spending?
Like any department, cybersecurity is competing for budget with other business priorities. While high-profile breaches make headlines, security investments can feel intangible to senior executives who don’t see an immediate return. The challenge is demonstrating how cybersecurity underpins business continuity, and importantly, builds customer trust.
The global average cost of a data breach reached a staggering $4.88 million last year, so the financial stakes are clear. One of the most effective ways to get buy-in is by shifting the conversation from threats to business impact. Instead of discussing phishing or malware, CISOs should highlight how cyber incidents can disrupt revenue streams, delay product launches, or cause regulatory fines.
Executives are often focused on growth, so another approach is to flip this to tie cybersecurity investment to business enablement. A strong security posture can facilitate digital transformation, streamline compliance, and enhance customer confidence. Showcase how security can be a strategic advantage, not just a defensive measure.
Security doesn’t operate in a vacuum. It increasingly relies on modern IT infrastructure, from cloud-native architectures to automation and scalable identity management. Security and IT investments are interdependent, so budgets should be considered together. Aligning them enables organisations to build resilient, secure-by-design systems, rather than bolting on protection later.
How can the question be ‘reframed’ so the board asks the CISO what they need to do the job?
Boards can foster more productive cybersecurity discussions by shifting from a compliance-driven mindset to a risk-informed approach. Instead of asking, “Do you have the right security budget?” a better question would be: “How can we ensure our security investment aligns with our risk landscape and business goals?”
This reframe moves the conversation beyond just budget approvals and towards a deeper discussion about risk tolerance, resilience, and prioritisation. It also encourages the CISO to present not just funding requests but a comprehensive view of what’s needed to build an effective security culture - from talent investment to cross-functional collaboration.
Another valuable shift is for boards to focus on enabling their security leaders. Questions like, “What barriers are preventing you from implementing the best security practices?” or “How can we better integrate security into company-wide decision-making?” help CISOs feel supported rather than scrutinised. A board that actively engages with its security leadership is one that strengthens its overall organisational resilience.
How much is the budget dilemma contributing to CISOs’ stress?
Budget constraints are certainly a challenge, but they’re just one piece of a more complex picture. The CISO role brings significant responsibility - with pressures of responding to fast-evolving threats, navigating complex stakeholder expectations, and operating under heightened regulatory and legal scrutiny. But it’s important we frame this pressure with perspective.
There are many roles across industries that carry high levels of stress and responsibility. What makes the CISO role unique is its intersection of technical depth, risk management, and cross-business influence. While it can be tough, it’s also incredibly rewarding - this is a role with purpose and impact.
The budget dilemma certainly plays a role in CISO stress, but it’s not just about money; it’s about feeling valued. Security leaders don’t operate in isolation; they’re part of broader systems that can either support or strain them. When security is underfunded it creates pressure to do more with less. Boards and executive teams play a key role in reducing that pressure by involving CISOs in strategic planning, aligning security and IT budgets, and fostering resilience across the organisation.
The solution isn’t just more budget - it’s a culture shift. It’s about creating a security mindset throughout the organisation. Setbacks in cybersecurity are inevitable; there’s no perfect system. Cultivating awareness of potential risks, rather than instilling fear, allows the organisation to be better prepared for challenges ahead. Boards that engage in open dialogue about security priorities and risk appetite, rather than just approving budgets, help alleviate some of this burden from the CISO.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.