On the Precipice: Security Leadership In Need of a Hard Reset
- Matt Kent
- Sep 24
Updated: Oct 10
As pressure mounts across enterprise, security leadership is at a crossroads. We explore why only business-aligned, high-impact teams will endure, and how only a hard reset will redefine what security leadership must become.

Hard times are hitting across many regions of the world – economically, politically, and operationally – and they will rock enterprise. Security teams with a strong bridge to the business will hold ground. Those isolated in outdated practices will struggle to survive.
28 March, 2025 / Matt Kent
Budgets will be cut. Certain roles will go
Especially those no longer fit for the future. Lines will need to be redrawn across team structures and functions.
Some CISOs will lose their jobs – not because they lacked ability, but because they won’t be seen as the right type of CISO for this new world. The same is true for mid-senior managers. Those unable to shift mindset, rethink delivery models, or align their teams to evolving business priorities will find themselves outpaced – and out of place.
Leadership under pressure is not only here to stay – it's set to intensify.
CISOs who aren’t deeply connected to the shifting dynamics of their organisations – not just technically competent but strategically aligned – will find themselves out of their depth. Any new CISO stepping in will need to immediately align security to fast-moving, high-impact business decisions. There won’t be time to warm up. This is a lead-now-or-get-left-behind environment.
The old playbook won’t survive what's coming.
Security functions will find themselves needing to review everything – from their people to their processes to their value model.
Leaders will need to:
- Remove dead weight - both in terms of roles that no longer support the new direction, and outdated, underperforming controls tied to legacy decisions and sunk cost thinking
- Tackle underperformance directly - identifying team members, functions, or delivery areas that consistently fail to meet expectations, delay execution, or add friction instead of value
- Rebuild practices - replacing slow, inherited processes with ones designed for speed, transparency, and measurable business impact, rooted in today’s realities rather than legacy expectations
- Redefine - what kind of security the business needs next
Security teams will need to lead the conversation on risk in cost-cutting. If they’re not in the room when decisions are made, they won’t be seen as part of the solution – and will increasingly be viewed as overhead.
Boards want security leaders with a clear compass.
Leaders who can direct change, make fast calls, and withstand pressure. This will require independent thinking, strong data instincts, and a refusal to sit back while others define the agenda.
This moment shares DNA with the early ’90s: global instability, economic pressure, and a shift to leaner, faster organisations. The difference now is that everything moves faster – and security sits at a more strategic crossroads than before.
The leaders who will thrive will:
- Put the business first in every decision
- Act with urgency, and not be afraid to cut what no longer serves the mission
- Prioritise quality of data over quantity
We’re entering a phase where there is no delay between geopolitical decisions and enterprise-level impact. Policy decisions made by governments today will trigger business responses tomorrow. If security doesn’t demonstrate its value clearly, it risks being deprioritised – or even overlooked.
What does this mean for security teams?
- Significant and immediate change is coming - Teams must adapt structures, priorities, and operating models now. This shift is grounded in inevitability, not hypotheticals.
- Business risk is now the priority - Compliance still matters, but business risk will become the dominant driver. Security must be able to respond to it with relevance, agility, and measurable impact.
- Efficiency is now a critical capability - Teams must deliver fast, effective, high-value outcomes. Anything slow or unclear will come under pressure. Agility isn’t optional – it’s expected.
- Security must become a consultative force - Internal consulting is now a core function. Security must embed itself within frontline business units and align delivery to the changing business environment in real time.
- Specialists must broaden their scope - Deep technical skills are still important, but they must sit within a wider business context. All team members will need to understand value, agility, and alignment.
- Leadership must challenge with evidence - Decisions need to be supported with strong reporting, grounded in real-time, cross-domain risk data. Leaders can’t rely on instinct. They’ll need visibility into IT, human, and operational risk – and the ability to communicate it upstream with speed and clarity.
Final Thought
Essential initiatives will survive. Anything that looks expensive, slow, or misaligned will be cut. Security leaders clinging to legacy programmes or defending old ways of working will lose pace – and influence.
The ones who stay relevant will already be doing the hard things: stripping back what doesn’t serve, embedding into the business, and unlocking the full potential of their people.
A hard reset isn’t just about clearing out what’s broken – it’s about reclaiming control and realigning around what matters. It’s an opportunity to reshape security for the future, by redefining capabilities and delivery models that serve the speed, complexity, and reality of modern business.

Author: Matt Kent is Director of Learning & Development at GRC-X, and formerly with the Information Security Forum. With a track record in pioneering GRC training and professional development, he regularly contributes as a thought leader, international congress speaker, and panelist on the future of security leadership.