Why CISOs Are Struggling—And How Integrated Risk Management (IRM) Is the Answer
The financial services industry is grappling with an escalating crisis: cybersecurity leaders are overburdened, under-supported, and increasingly at risk—both professionally and personally. The rollout of the European Digital Operational Resilience Act (DORA) and similar regulations has not only forced firms to overhaul their IT supply chains but has also driven nearly 80% of Chief Information Security Officers (CISOs) to report mental health impacts.
A recent survey from Rubrik and BRR Research underscores the severity of the issue. Nearly half of UK financial organizations have spent over €1 million in the past two years to comply with DORA and with Prudential Regulation Authority (PRA) mandates, yet ransomware remains the leading cyber threat. Meanwhile, a growing number of security leaders are questioning whether the cost—financial, operational, and emotional—is sustainable. Worse still, the regulatory burden is accompanied by personal liability risks. DORA allows member states to impose not only financial penalties but also criminal sanctions, including imprisonment. The immense pressure is driving 23% of CISOs to consider leaving finance for less regulated industries, creating a talent retention crisis that financial firms can ill afford.
Despite these challenges, there is a way forward. Financial institutions must move beyond compliance-driven approaches and adopt a more strategic, integrated model for managing cyber risk. Integrated Risk Management (IRM) offers a structured, business-aligned approach that not only enhances cybersecurity but also alleviates the burden on CISOs.
The Growing Burden on CISOs
CISOs today are navigating an unsustainable landscape. Compliance obligations are multiplying, cyber threats are evolving, and yet many security leaders feel isolated in their struggles. According to the Rubrik survey, the key pressures on CISOs include:
Escalating Compliance Costs: Nearly 50% of UK financial firms spent over €1 million in the past two years on compliance, yet threats like ransomware persist.
Data Sprawl and Supply Chain Risks: Seven out of ten CISOs cite data sprawl as a significant challenge, making it difficult to locate and secure critical information. Under DORA, security leaders are accountable for third-party resilience, yet they often lack direct control over supplier backup plans and risk assessments.
Disconnected Leadership: While boards acknowledge the importance of resilience, 80% of CISOs say their budgets do not align with their board’s stated regulatory priorities. Without financial support, security teams are being asked to do more with less.
Personal Liability Risks: DORA introduces criminal penalties, including potential imprisonment, for non-compliance. CISOs are now personally accountable for cybersecurity failures beyond their direct control, adding immense psychological stress.
Mental Health Strain: Almost 80% of CISOs report mental health impacts due to regulatory demands. The constant pressure to prevent an inevitable breach, combined with lack of leadership support, is driving some security professionals to consider leaving the industry altogether.
Given these challenges, a reactive, compliance-first approach is no longer sufficient. Financial institutions must take a proactive, risk-based approach—one that aligns security efforts with overall business strategy.
How Integrated Risk Management (IRM) Can Provide Relief
Integrated Risk Management (IRM) provides a holistic, strategic approach to managing cybersecurity, compliance, and operational resilience. Unlike traditional GRC (Governance, Risk, and Compliance) models that focus narrowly on regulatory checklists, IRM aligns cybersecurity efforts with enterprise-wide risk management strategies, ensuring resilience without unnecessary financial strain.
Key Benefits of IRM for CISOs and Financial Institutions
Aligns Cybersecurity with Business Strategy
IRM helps CISOs move beyond compliance-driven decision-making by linking cybersecurity initiatives directly to business objectives. This ensures security programs receive appropriate funding and are recognized as business enablers, not cost centers.
Optimizes Compliance and Reduces Regulatory Risk
By integrating automated compliance tracking, risk assessments, and real-time reporting, IRM streamlines adherence to DORA, PRA, and other regulatory requirements. This reduces the manual burden on security teams and minimizes non-compliance risks, including potential fines or criminal penalties.
Strengthens Third-Party and Supply Chain Risk Management
Given that 19% of CISOs cite third-party compromise as a top threat, IRM provides tools for continuous vendor risk monitoring, contractual safeguards, and real-time assessments of supplier security posture.
Enhances Resilience Through Continuous Monitoring and Incident Response
IRM frameworks integrate real-time risk intelligence, cyber threat analytics, and attack simulations to help organizations stay ahead of evolving threats. This allows CISOs to move from reactive defense to proactive risk mitigation.
Reduces Stress and Burnout for Security Leaders
The personal toll on CISOs is unsustainable. IRM centralizes risk data, streamlines reporting, and provides leadership with clear, actionable insights, reducing the pressure on security teams. Instead of struggling to justify their budgets, CISOs can demonstrate measurable risk reduction and ROI on cybersecurity investments.
A Call to Action: IRM as a Critical Business Imperative
The message from frontline security leaders is clear: regulatory compliance alone is not enough. Financial institutions must shift from reactive, siloed risk management to an integrated, strategic approach. IRM enables firms to:
✅ Bridge the gap between cybersecurity and business strategy
✅ Reduce compliance costs and manual workload
✅ Enhance operational resilience and threat intelligence
✅ Improve third-party risk oversight
✅ Alleviate mental health strain on security leaders
DORA and PRA requirements will continue to evolve, and the cybersecurity landscape will only grow more complex. Organizations that embrace IRM as a fundamental business strategy—rather than just a compliance requirement—will be best positioned to thrive in this new era of digital risk. For CISOs and financial institutions alike, the choice is clear: evolve or remain trapped in an unsustainable cycle of compliance-driven risk management.
References
1. Smart, Victor. "DORA Takes Toll on CISOs' Mental Health." BRR Research, January 27, 2025.
2. Rubrik. "Cyber Security Regulations Are Breaking the Bank for UK Financial Service Organizations." Press release, January 16, 2025.
3. Rubrik Zero Labs and Wakefield Research. "CISO Stress Report 2025: The Cost of Cybersecurity Compliance in Financial Services." December 2024.
4. Green Raven. "Cybersecurity Leadership and Mental Health Report." December 2024.