Nearly Three-Quarters of US CISOs Faced Significant Cyber Incident in the Past Six Months, Research Finds

5 November 2025 at 10:38

A new research report from Nagomi Security has revealed that, over the past six months, nearly three-quarters (73%) of US CISOs have reported a significant cyber incident. The 2025 CISO Pressure Index emphasises how continual, widespread breaches and rising internal strain are reshaping the Chief Information Security Officer (CISO) role.

Nagomi’s 2025 CISO Pressure Index is based on a quantitative survey of 100 US-based CISOs across major industries.

Interestingly, the most consistent pressure isn’t coming from attackers; it’s coming from inside the organisation. According to the data, 87% of CISOs say pressure in their role has increased over the past year. Two-thirds report feeling burned out weekly or daily, and 40% considered leaving their role altogether.

Board expectations, shrinking resources, and tool fatigue are also factors causing additional strain. Notably, 42% of CISOs say expectations from boards and executives are now their greatest source of stress, more than the threats themselves. Most oversee sprawling tool stacks, with 65% managing 20 or more security tools, yet 58% say incidents occurred even though those tools were in place.

What’s more, CISOs face personal accountability when it comes to breaches. Worryingly, 17% say they always feel personally blamed for security incidents, regardless of root cause, and 39% say they often feel blamed – even when incidents fall outside their direct control. If a breach were to occur, 90% say their role may be at risk to some degree. Such pressured environments create the perfect place for burnout to thrive.

We know that AI has introduced new security risks and challenges, but the report notes that it’s also becoming a cost-cutting directive: 82% of CISOs say they’re under pressure to reduce staff using AI. The result is a widening gap between responsibility and control.

Emanuel Salmona, co-founder and CEO of Nagomi Security, said: “CISOs are managing nonstop risk with limited support and even less time. They’re expected to be strategic leaders and first responders all at once. The best way to support them is to share accountability across the business, make outcomes clearer, and give them the space to focus on what actually reduces risk.”

Finally, Nagomi is launching a new docuseries entitled Holding the Line, which features in-depth conversations with security leaders about the personal and professional toll of the role. The series dives into how the job is evolving, where pressure is coming from, and what needs to change.

The post Nearly Three-Quarters of US CISOs Faced Significant Cyber Incident in the Past Six Months, Research Finds appeared first on IT Security Guru.

Research Finds Budgets, Staffing and Skills Fail to Keep Pace with Rising Cyber Threats

8 October 2025 at 09:15

New research by ISACA has found that over a third (39%) of European IT and cybersecurity professionals report that their organisation is experiencing more cybersecurity attacks than this time last year.

Yet despite this rising wave of attacks, confidence in organisational readiness remains low, with only 38% of professionals stating they are completely confident in their organisation’s ability to detect and respond effectively.

As attacks continue to increase in scale and scope, the pressure on professionals is also growing, with nearly two-thirds (65%) identifying the increasingly complex threat landscape as a major stress factor.

While budgets and staffing show some progress, the report found that the pace is not fast enough to ease pressure on professionals. Over half (58%) of those surveyed report that their organisation remains understaffed, only a modest improvement of three percentage points compared to last year. Budgets tell a similar story of slow progress – while over half (54%) of professionals say their organisation is underfunded, this has improved slightly from 58% in 2024.

While incremental gains suggest that organisations are beginning to prioritise cybersecurity, progress still lags behind the demands of the threat landscape, and professionals on the front line are feeling this pressure. 

More than two-thirds (68%) say their job is more stressful now than it was five years ago, a figure which remains unchanged from last year. Within workplaces, organisations are failing to give professionals the support they need to manage stress. Over half (54%) report unrealistic expectations or excessive workloads, 48% highlight poor work-life balance, and more than a third (36%) say their teams lack the right skills or training.

Alarmingly, more than one in five organisations (22%) have still taken no action to address or prevent employee burnout, leaving professionals to manage growing responsibilities with limited support.

Chris Dimitriadis, Chief Global Strategy Officer at ISACA, said: “Over the past year, the public has seen first-hand just how impactful cyberattacks can be, with high-profile breaches devastating businesses and dominating headlines. At the same time, the overall volume of attacks is rising, with almost two in five organisations experiencing more incidents than a year ago.

“While organisations are starting to acknowledge the problem and take steps to address long-standing issues in budgets and staffing, the pace of change is still far too slow. The reality is that cyber criminals are moving faster than most organisations can respond. Now is the time to invest in a more holistically trained cybersecurity workforce, an investment towards customer trust and in gaining competitive advantages, not just a reactive move following an incident.”

More than half of organisations (52%) are struggling to retain qualified cybersecurity professionals, according to those professionals familiar with hiring within their organisations. Entry-level roles are particularly difficult to fill; nearly one in five organisations (19%) have open positions that do not require experience, a degree or credentials, yet almost half (45%) say it still takes three to six months to hire at this level.

Part of the challenge lies in narrow hiring expectations. While just over half of respondents (55%) view a university degree as important for candidates, far more place value on professional credentials (84%) or hands-on training (73%). Expanding recruitment pathways and offering training opportunities for those without conventional backgrounds could help organisations grow their pipeline of talent.

Dimitriadis added: “To build resilience and keep pace with the evolving threat landscape, we must widen the pathways into cybersecurity. By valuing hands-on training, professional credentials and transferable skills, organisations can strengthen their teams and ease the pressure on overstretched professionals. But recruitment is only the start; continuous training and upskilling are critical. That is how we move from slow, incremental change to real progress, reducing stress and building long-term protection.”

Even as staffing and skills shortages persist, cybersecurity teams are increasingly at the forefront of AI governance and implementation. More than half of European professionals (51%) say they have helped develop their organisation’s AI governance framework – up sharply from 36% last year – while 46% are now directly involved in AI implementation (up from 27%). 

Beyond governance, AI is already embedded in day-to-day operations, with top uses including threat detection (29%), endpoint security (28%) and routine task automation (27%). These findings point to the accelerating pace of AI adoption and the urgent need for stronger AI security legislation and continuous upskilling, particularly as Europe advances the EU AI Act and NIS2, and the UK prepares forthcoming AI legislation.

The post Research Finds Budgets, Staffing and Skills Fail to Keep Pace with Rising Cyber Threats appeared first on IT Security Guru.

The Future of Human Risk Management: The Zensory and Brigantia Partnership A Year On

11 September 2025 at 06:45

Cybersecurity distributor Brigantia and The Zensory, the popular wellbeing and productivity platform dedicated to transforming work habits, have been working together for a whole year now. The partnership set out with a hefty aim: to tackle one of the biggest threats in cybersecurity – human error. No small feat. Reporting on the success of the past year, Brigantia revealed that 94% of its users reported improved calmness and 82% reported better focus when using The Zensory.

By empowering users to stay calm and focused under pressure, the partnership fosters a stronger, more security-conscious mindset among MSPs and their customers. This not only helps MSPs drive staff retention and stand out in a crowded market – but also enables their customers to build safer, more resilient teams from the inside out.

Building on their established partnership with KnowBe4, the security awareness training platform, Brigantia integrated The Zensory to enhance end-user focus and resilience and to reduce human risk.

Stress, fatigue, and distraction increase cybersecurity risks, with 47% falling for phishing when overwhelmed. The Zensory tackles these human factors directly using science-backed tools like breathing exercises and binaural beats. It helps reduce stress, sharpen focus, and lower human error, protecting both employees and their organisations from cyber threats.

CEO & Founder of The Zensory, Jasmine Eskenzi said: “Partnering with Brigantia has been a true game-changer. Together, we’ve brought something genuinely innovative to the channel, helping teams tackle burnout, distraction, and stress before they impact performance. Brigantia’s network and expertise have enabled us to deliver powerful, scientifically-backed interventions to the people who need them most. The results so far speak for themselves, with significant improvements in focus, wellbeing, and resilience across the modern workplace, and this is just the beginning.

Stress is one of the biggest root causes of human error, directly affecting performance and cybersecurity posture. That’s why we’re tackling human risk at its source, supporting people to perform at their best while building a more focused, secure workforce. The Zensory has been purpose built alongside a board of leading professionals, including esteemed PhD doctors, professors and technologists. We’re incredibly excited to expand our impact even further for the frontline of modern work: from cybersecurity teams to overachievers and brilliant neurodivergent minds. The next chapter together will be even bigger.”

Available as a standard feature for Brigantia’s KnowBe4 Managed Service users, The Zensory has been proven to:

  • Reduce phishing and human error incidents by up to 70%
  • Improve employee well-being and reduce burnout
  • Offer greater client retention and differentiation for MSPs
  • Address 22 of the 33 susceptibility factors to social engineering
  • Improve employee wellbeing in 98% of individuals
  • Improve focus and attention in 97% of individuals 

Brigantia’s Product Team Director, Robert Hall, said: “The integration of The Zensory into our KnowBe4 offering is more than a feature – it’s a mindset shift. By encouraging calm, focused teams, we’re helping organisations build stronger human firewalls and reduce risk where it matters most. The results we’ve seen are incredible. It’s also a key differentiator for our clients, offering something truly cutting edge and innovative, which in turn helps our partners secure deals and makes security tools even more impactful for end users.”

The post The Future of Human Risk Management: The Zensory and Brigantia Partnership A Year On appeared first on IT Security Guru.

Bringing the Human Back into Cybersecurity: What Values-Based Education Teaches Us About Digital Mindfulness

1 September 2025 at 04:14

Recently, I had the pleasure of speaking with Inda Sahota, the dynamic and deeply empathetic force behind cybersecurity awareness at Fresenius Group. What struck me most wasn’t just her deep understanding of human-centric security, it was how naturally she bridges the gap between personal values and professional practice.

Inda brings her whole self into her work: her empathy, intuition, and a grounding in values passed down from her parents, progressive thinkers and first-generation Punjabi Indian immigrants to the UK. They instilled in her and her sisters a quiet but powerful sense of agency. When cultural voices around them suggested that girls were somehow less capable than boys, her father would respond with a deceptively simple challenge:

“But you can eat, can’t you?”

His way of creating initial confusion sparked critical thinking, and a gentle dismantling of limiting beliefs that, if left unchecked, could have developed into lifelong insecurities.

Our conversation got us thinking about the intersection of critical thinking, values-based education, self-efficacy, and digital mindfulness, especially in a world where we are exposed to online manipulation on a daily basis.

From Awareness to Agency

In security awareness design, we often focus on rules: don’t click this, don’t trust that, don’t reuse your password. But what if we focused instead on values? On presence. And on the cultivation of agency and critical thinking, the kind that Inda’s father nurtured in her from a young age? Psychologist Albert Bandura’s concept of self-efficacy, the belief in one’s capacity to act in the face of challenges, is central here (Bandura, 1977). Research shows that self-efficacy is a strong predictor of behaviour change, and it has been linked to improving cybersecurity awareness attitude, knowledge, and behaviour (Arachchilage & Love, 2014; Zainal et al., 2021).

As Inda put it:
“Resilience is like water. You need to be able to flow.”

In other words, we need to prepare, not just protect, our people. Whether we’re speaking to employees, children, or our broader communities, we need to teach them how to adapt fluidly, not just obey. How to stay present, not just paranoid. “This is about more than cybersecurity,” Inda notes. “It’s about helping people reclaim their agency in a world designed to exploit their attention and emotions.” This fluid resilience allows individuals to:

  • Recognise when they’re being emotionally manipulated
  • Pause before responding to urgent digital demands
  • Stay centred when algorithms try to steal their attention
  • Respond with intention, rather than react impulsively

Presence vs. Performance: The Cost of Multitasking

One of the biggest threats to cybersecurity, by the way, isn’t malware. It’s human error, often linked to distraction, overwhelm and media multitasking. Attention is one of our most compromised assets. Studies show that frequent multitasking reduces cognitive control, impairs memory, and increases difficulty with impulse control (Ophir, 2009; Baumgartner, 2014). And people who engage in heavy media multitasking show riskier cybersecurity behaviours than low multitaskers (Hadlington & Murphy, 2018).

This fragmentation of attention doesn’t just make us less productive, it makes us more vulnerable. Scammers, phishers, and social engineers exploit us best when we’re rushed, distracted, over-stimulated or overwhelmed without realising. As a result, mindfulness becomes a cybersecurity imperative, not just a wellness buzzword.

Habits that Shape the Mind

Digital hygiene, like brushing your teeth, only becomes effective when it’s habitual. But forming habits, particularly in high-distraction environments, requires deliberate design. If we want people to pause before clicking a link or question a seemingly friendly DM, we need to design cues and rewards that reinforce critical thinking. This is where digital mindfulness practices can play a critical role in training the brain.

What Inda’s father modelled for her was a form of cognitive scaffolding. He didn’t control her environment or scare her into obedience. Instead, he provided intuitive frameworks for situational self-awareness, such as: “Have eyes at the back of your head.”

This is a powerful metaphor for living with conscious awareness and for being both vigilant and empowered. And those are precisely the qualities we need to foster in our digital citizens. So how can we apply this to our digital spaces?

Here are 5 practical ways to build digital resilience, starting today:

  1. Question, Don’t Lecture

Instead of explaining all the dangers of the internet, ask questions that help people think critically:

  • “What do you notice about how you feel after scrolling for an hour?”
  • “What is the intent behind this narrative, article or social media post?”
  • “What emotions are triggered by the narrative?”

  2. Build Self-Efficacy Through Practice

Research by Dr. BJ Fogg at Stanford’s Behavior Design Lab shows that lasting behavioral change happens through tiny habits that feel easy to do. In the digital realm, this might mean:

  • Pausing for three seconds before clicking on links
  • Creating simple rituals around device usage, e.g. no screens at meals or in the bedroom
  • Playing critical thinking games, illusions and logic riddles
  • Running phishing tests and “spot the phish” or “spot the deepfake” games

The key is making these practices feel natural rather than imposed. Creating safe opportunities for people to practise digital decision-making and learn from mistakes also helps build self-efficacy.

  3. Model Mindful Technology Use

We learn more from what we observe than what we’re told. You can model mindful technology use by:

  • Putting devices away during conversations
  • Thinking out loud when you encounter suspicious emails
  • Demonstrating how you fact-check information before sharing
  • Trying the 5-minute rule. Tell yourself: “If I still need to check this in 5 minutes, I will.” This pattern interrupt helps break unhealthy autopilot impulses.

  4. Develop Emotional Regulation Skills

Social media platforms and cybercriminals alike exploit our emotional responses to drive behaviour. They create artificial urgency, leverage fear of missing out, and use variable reward schedules that mirror addictive behaviours. Training should show how to recognise when one is being emotionally manipulated by technology. Simple practices like taking three deep breaths before responding can activate the prefrontal cortex and reduce reactive behaviour.

  5. Create an Emotionally Safe Environment

People need to feel psychologically safe to slow down. Create environments where questioning is welcomed, where “Let me verify this first” is praised, not criticised. When it’s okay to ask “Does this seem right to you?” without fear of looking incompetent, people actually become more vigilant, not less.

Bringing the Being into the Human

One of Inda’s most poetic expressions stayed with me:
“We need to bring the human back into the being, and the being into the human.”

What if we saw our intuition and self-awareness as cybersecurity superpowers? What if we cultivated presence alongside password hygiene? We might just build a digital culture where security isn’t only about understanding the risks, but about knowing ourselves.

The post Bringing the Human Back into Cybersecurity: What Values-Based Education Teaches Us About Digital Mindfulness appeared first on IT Security Guru.
