From the Noughties to Now: How Are CISOs Coping with Change?
- Phil Muncaster

- Mar 23
I’ve been writing about cybersecurity for over 20 years now. Ouch. It honestly doesn’t feel like that long. But has the technology landscape really changed that much?
Casting a look over some articles from 2005, there’s certainly some continuity there. But you have to peer pretty closely to find it. This doesn’t just make me feel old. It’s had a major impact on those working at the coal face.
For CISOs, the past two decades have seen a gradual ratcheting up of corporate pressure, responsibility and scrutiny. But it’s important for all of us that they continue to rise to today’s formidable challenges.
Back in the day
The first problem with trawling this far back into history is finding the actual content. Even the Wayback Machine has been unable to locate my early work for IT Week, aside from this ill-fated blog. Fortunately, some other publications from back then are still online. They reveal a few common themes.
Spyware was also a significant enterprise IT challenge back then, albeit mainly for desktops rather than the mobile security threat it is today. Big-name data breaches dominated headlines. The most significant in 2005 was probably CardSystems Solutions, which spilled unencrypted details on over 40 million cards. It showed that traditional perimeter-based approaches to cyber defence were fatally flawed. Call it an early start to the “zero trust” era.
Other long-running trends also coalesced in 2005. Phishing was maturing to the point where threat actors could build pretty convincing lookalike websites. And ransomware was taking its first tentative steps — in the form of screen-locking variants aimed mainly at consumers. Trojans were starting to cause problems, as were botnets. Weak passwords were, as ever, a massive security risk.
Security’s getting tougher
Yet in many more ways, things are much changed today — particularly the size of the cybercrime economy and the typical corporate attack surface. Both have exploded thanks to technological innovation. Network defenders in 2026 are faced with a fragmented ecosystem of remote working devices, hybrid and multi-clouds, APIs, dev environments, OT kit and extensive supply chains including multiple SaaS vendors.
All of which has created a highly distributed, porous attack surface, populated by employees less willing to toe the corporate IT line. And more prepared to use unmanaged tools to get their jobs done. To say security teams are on the back foot is an understatement. According to reports back then, the security community published around 40 new vulnerabilities per week. Now the figure is over 900.
This puts more power into the hands of our adversaries. Cybercrime is now a multitrillion-pound industry fuelled by anonymous crypto payments, easy-to-use prepackaged services for ransomware, phishing and exploits, and a sophisticated supply chain of professionalised actors. Meanwhile, nation-state actors are becoming more unpredictable. And more likely to outsource their work to the private sector or criminal underworld.
We haven’t even mentioned AI. It’s both expanding the attack surface and providing hackers with new opportunities to accelerate and improve their own capabilities. Fortunately, new tools can also help defensive teams. But it’s a world away from 2005, when machine learning was used in fairly limited ways to detect spam and improve behavioural analysis.
Buckle up
These changes have helped to propel the CISO role into the spotlight. No longer part of the IT function reporting to the CIO, it’s now a critical risk management role vital to the success of the business. That’s why 82% of CISOs reportedly now interact with their CEO daily and 83% participate in board meetings. They’re expected to grasp not just technical details, but also be fluent in financial and business risk.
Yet with greater power and responsibility comes extra scrutiny and stress. Over half (54%) of CISOs are concerned about personal liability in the event of a breach. And nearly three-quarters (72%) are taking out personal indemnity insurance to protect against potential litigation. Burnout, self-medication and excessive hours are not uncommon.
Onwards and upwards
So what does the future hold? It’s good news that cybersecurity is the fastest-growing IT occupation in the UK, having expanded its ranks by 194% since 2021. But it’s still nowhere near the level we need given the huge demand for industry pros. And, anecdotally, finding candidates with the right combination of tech, business and people skills remains a challenge. It’s clear from the CISO roundtables I sit in on that many in the industry still find it tough to communicate in non-tech speak.
I’m not as worried about this as I should be. After all, if more technologists could write, I may be out of a job. But it’s also true that better comms skills mean boards would be better informed. And cyber functions better run.
This is more important than it seems. Twenty years ago no one would have dreamt that cyber attacks could disrupt the NHS, cause chaos at our airports, and cost the national economy billions. But that’s the world we live in now. And in the fight against threat actors, we need our best people on the front lines.
So while we could all probably do with a dose of mid-noughties chill, optimism and economic prosperity in our lives right now, there’s no going back. For CISOs, journalists, PRs and anyone else connected to the industry, the only way is forward.

