CISOs and their security chains of command appear to have significantly divergent views of their organization’s cybersecurity maturity and resilience.
According to a recent Bitdefender report, CISOs expressed far greater confidence than mid-level security managers in their organization’s ability to manage risks as the attack surface grows (45% vs. 19%). Meanwhile, Darktrace’s State of AI Cybersecurity report found that security practitioners are less confident than security executives about their organization’s capacity to fight AI-driven threats (49% vs. 62%).
“These differences in confidence are evidence of a disconnect between leaders and front-line practitioners. Those who are in the trenches understand what it is like to do battle with AI-powered adversaries on a daily basis, and clearly see where present-day solutions fall short,” the Darktrace report concludes.
Gunter Ollmann, CTO at pentest firm Cobalt, says such disconnects are common in security organizations and can lead to challenges when it comes to ensuring alignment on security priorities.
“There has long been a disconnect between those at the ‘sharp end’ who see the diversity of attacks against their organizations on a day-to-day basis versus those more removed from the coalface,” Ollmann says. “Frontline security workers are overwhelmed with alert fatigue and the continuous stress of a daily workload that never successfully concludes, which can make it harder to see the ‘bigger picture.’”
Meanwhile, security executives’ distance from daily cyber work can result in overlooked issues on the ground, says Nicolette Clarkin, a technical specialist at cybersecurity training platform SecureFlag.
“Executives typically rely on high-level reports and dashboards, whereas frontline practitioners see the day-to-day challenges, such as limitations in coverage, legacy systems, and alert fatigue — issues that rarely make it into boardroom discussions,” she says. “This disconnect can lead to a false sense of security at the top, causing underinvestment in areas such as secure development, threat modeling, or technical skills.”
“Our experience is that the mid-level managers are always more concerned about the state of their cyber posture as they are typically much closer to the tools that are deployed that make up their security framework,” says Larry Chinski, SVP of global IAM strategy at One Identity.
This security disconnect between CISOs and front-line security professionals creates a gap between perceived and actual readiness that can potentially lead to:
- Misplaced priorities: Investments often favor visibility and compliance over “core capabilities like detection engineering, incident response, and threat containment,” according to Santiago Pontiroli, lead security researcher at cybersecurity vendor Acronis TRU.
- Delayed adaptation: AI-driven threats demand faster, smarter defenses, but key upgrades (such as behavior-based analytics or automation) are often postponed due to underestimated risk, according to Pontiroli.
- Ineffective implementation: Security tools may be deployed without proper integration or training, limiting their impact and adding to operational noise.
“Business leaders often assume their policies and controls are sound simply because there haven’t been recent incidents, but front-line practitioners know better,” says David Brown, SVP for international business at network security management firm FireMon. “They see the technical debt, policy sprawl, and inconsistent configurations that accumulate over time.”
AI-driven threats often misunderstood
While executives tend to base their confidence on high-level compliance metrics or assurances from vendors, front-line professionals — security engineers and analysts — see the evolving and complex nature of AI-driven threats firsthand.
Recent industry research from Darktrace underlines this contrast, showing that “senior leaders often overestimate their organization’s readiness, while those on the ground remain far more cautious in their assessments,” says Paul Cragg, CTO at cyber risk management vendor NormCyber.
The rise of artificial intelligence allows adversaries to automate tasks that were once time-consuming and expensive, lowering the barrier to entry and increasing the likelihood of successful attacks.
“It is not surprising that front-line practitioners are often the first to recognize this shift, as they are the ones executives depend on to assess likelihood in the first place,” says Inti de Ceukelaire, chief hacker officer at crowdsourced cybersecurity firm Intigriti.
Attackers are already using generative AI to scale phishing, impersonation, and ransomware tactics. At the same time, a third of employees or more are using AI tools in secret, without visibility, policy, or protection in place.
“This ‘shadow AI’ trend drastically expands the threat landscape, because it introduces unmanaged tools and data flows that bypass traditional controls, especially when paired with outdated controls and siloed systems,” says Mike Riemer, senior vice president of the network security group at Ivanti.
AI threats are evolving so fast that traditional policies and risk assessments are failing to keep up. Leadership might feel reassured by regular updates, but front-line staff see a constantly shifting landscape that needs real-time attention, FireMon’s Brown warns.
Clashing perspectives on AI-related threats create blind spots where risk festers. When leadership believes security posture is stronger than it is, critical investments get deferred or misdirected.
“Organizations need to re-architect around least privilege, automate enforcement, and continuously validate controls,” Brown says. “If your policies are already hard to manage manually, AI-enabled threats will break them entirely.”
Visibility and context
Much of this disconnect stems from varying levels of visibility and context, because security posture is interpreted differently depending on an individual’s role within the organization, Rik Ferguson, VP of security intelligence at Forescout, told CSO.
“For example, a SOC analyst views one set of data, a security manager sees another, and the CISO sees something different again, each shaped by the tools, teams, and priorities relevant to their level within the organization,” Ferguson explains. “Every step introduces message distortion: Data is summarized, reshaped, or selectively highlighted based on perceived relevance or time pressures.”
This all results in different understandings of the same data, which can lead to misaligned priorities and assumptions about the organization’s actual security maturity and risk exposure.
Moreover, the CISO’s rise in prominence and repositioning for business leadership may also be adding to the disconnect, according to Adam Seamons, information security manager at GRC International Group.
“Many CISOs have shifted from being technical leads to business leaders. The problem is that in doing so, they can become distanced from the operational detail,” Seamons says. “This creates a kind of ‘translation gap’ between what executives think is happening and what’s actually going on at the coalface.”
Lack of shared metrics
Without a consistent, shared view of risk and posture, strategy becomes fragmented, leading to a slowdown in decision-making or over- or under-investment in specific areas, which in turn creates blind spots that adversaries can exploit.
“Bridging this gap starts with improving the way security data is communicated and contextualized,” Forescout’s Ferguson advises. “Rather than passing filtered information up the chain, where key nuances can be lost, security tools should help present the same foundational data in role-relevant ways.”
For example, a SOC analyst needs technical granularity, whereas a CISO may need a high-level view linked to business impact.
“When tools can tailor context without altering meaning, they help avoid message distortion and improve shared understanding,” Ferguson says.
Other experts believe the gap in security awareness is improving because of a combination of better tools and improved communication.
“CISOs should be more involved with their team, communicate regularly, and continuously use advancements in technology with their teams to understand gaps in their security posture,” One Identity’s Chinski says. “We have seen a much deeper involvement by CISOs of late due to a much wider enterprise attack surface, so we believe these gaps will narrow significantly as they employ new tools for their security posture.”