What CISOs are most worried about now (and why investors should care)

More than 90% of breaches still begin with people, not tech. Attackers are evolving their tactics fast – moving beyond the inbox to encrypted apps, mobile, collaboration platforms, and even voice calls. CISOs know this. And that rapid evolution is a serious concern.

A September 2025 report from Dune shows just how wide the readiness gap has become. Researchers asked CISOs about the emerging threats that are redefining cyber risk; and the findings show that while security teams continue to simulate email-based phishing, attackers are already thriving in channels that most organisations don’t monitor or train against. 

We want to look at this from an investor point of view – because it holds clues about where cybersecurity spend is heading. 

The rise of multi-channel social engineering

Email remains a top concern for CISOs (85%). But phishing today is AI-personalised, persistent, and happening across multiple stages. AI-crafted emails drive three times more interaction than traditional ones; and of those who do click, 30% go on to submit MFA credentials. 

But the bigger story we see in the Dune report is how fast attackers are shifting elsewhere. Sixty-four percent of organisations saw attacks via encrypted or informal channels in the past year, but 0% of CISOs run simulations there, and only 6% express high confidence in users spotting them. Collaboration platforms like Slack and Teams are just as exposed: 91% don’t simulate attacks there, even though attackers are exploiting IT or helpdesk pretexts in those channels.

Lee Whatford (CISO at Domino’s Pizza) voiced this fear during a panel discussion at Black Hat MEA 2024: “One of the big things for me is the articulation of risk to the business…my top level biggest worry is that I haven’t actually found the exposure points across the business.” 

And those blind spots are exactly what attackers are exploiting.

Mobile and voice are the weakest links 

The readiness gap is most significant on mobile. Of the CISOs surveyed by Dune, 71% rank smishing among their top concerns – but only 27% simulate it. Likewise, 59% are worried about vishing, yet just 15% run simulations. Users respond faster on phones; often on unmanaged devices; and with less scrutiny. And that makes exploitation much easier. 

In that panel discussion with Whatford, Les Correia (Executive Director - Global Head of Application Security at Estée Lauder Companies) warned that cultural context plays a role here: “People work differently. You have to think about social engineering, and context. Like here [in Saudi Arabia], people are really warm…a threat actor could use that to get more information.” 

That warmth, played out over a quick voice call or WhatsApp message, becomes a vector.

Why CISOs feel unprepared

The data from Dune shows a security culture gap as much as a technology one.

• Training isn’t personalised: 91% of CISOs agree content should be tailored by role and behaviour, but only 18% are doing both.
• Tooling confidence is low: just 12% believe their awareness platform is sufficient; average effectiveness against multi-channel attacks scored only 2.38/5.
• Operational barriers persist: 36% struggle to measure user-level risk, 32% lack staff or time, and 26% are constrained by legacy tools.

As Alex Attumalil (Global CISO, Under Armour) said during the BHMEA panel, “Cyber awareness shouldn’t be a check mark. It should be continuous. We know that people aren’t trying to do bad things…but they may not know what the right thing is.”

That acknowledgement is important. The user layer isn’t (usually) malicious, but it is breaking under the strain of new attack techniques.

Case study: Scattered Spider

The threat group Scattered Spider (aka UNC3944/Octo Tempest) is a good example of this danger, and features in Dune’s research. They blend encrypted messaging, SMS, collaboration tools, and deepfake voice to social engineer helpdesks and contractors. The results: over USD $1 billion in estimated losses, 71 million records exposed, and more than 100 confirmed breaches across Fortune 500 companies.

This is what the ‘externally initiated insider risk’ looks like: attackers manipulating staff into becoming the access vector. And it’s exactly the kind of scenario that keeps CISOs awake at night. 

So where do CISOs want to go next? 

Encouragingly, security leaders aren’t resigned to defeat. Their top priorities right now are:

• Risk-based controls that adapt in real time (29%)
• Behaviour-personalised training and content (26%)

We need to move from static compliance tick-boxes to dynamic, behaviour-driven programmes that identify who’s vulnerable, why, and intervene before compromise.

What this means for cybersecurity investors 

For investors, this can be taken as a sign that the market is tilting towards companies that…

• Provide multi-channel visibility and simulation across email, SMS, voice, collaboration, and encrypted apps.
• Deliver user-level risk scoring and connect it to adaptive controls.
• Tackle the training personalisation gap – tailoring by role, behaviour, and cultural context.
• Build privacy-aware telemetry for encrypted and collaboration platforms, where today’s visibility is near zero.

So investors should press vendors on whether they can measure reductions not just in click rates, but in full compromise chains (like MFA submission after a click). Because that’s the metric CISOs (and their boards) will care about.

CISOs at Black Hat MEA spoke candidly about what keeps them awake at night: blind spots, accountability, and culture. The Dune report puts numbers to those fears. Together, they show a security landscape where the user layer is now the primary attack surface – and where investors who back companies that close these gaps can both strengthen enterprises and unlock strong growth.