Sleepless in Security: What’s Actually Keeping CISOs Up at Night
The article argues that chief information security officers (CISOs) face two kinds of threat: fundamental risks (such as insufficient multifactor authentication adoption and poor security hygiene) and existential risks (such as open-source vulnerabilities in a complex software supply chain). These long-standing problems are worsened by misallocated resources and excessive attention to novel threats. CISOs should respond by strengthening baseline security controls and improving third-party risk management.

2025-12-4 08:5:3 Author: securityboulevard.com

When it comes to threats, today’s chief information security officers (CISOs) have their hands full. Between ransomware explosions, increasingly intricate AI-powered phishing scams, and a growing wave of insider risks, CISOs are fighting battles on every front. Yet, for all the noise in the threat landscape, the problems actually keeping security leaders up at night fall into two categories: fundamental and existential.

Fundamental risks are well-known, longstanding challenges that, despite the availability of increasingly advanced security solutions, continue to plague security teams across nearly every industry. For example, even though security professionals understand that weak passwords and compromised credentials are among the most common breach causes, the rate of multifactor authentication (MFA) adoption continues to lag. When basic security hygiene remains poor, the CISO has less time to function as a strategic business enabler and instead must spend their time putting out small-scale fires.   

Security leaders also face a more existential challenge: how modern software is built. Software today is highly interdependent and increasingly reliant on open-source code—and with a complex web of code repositories owned and maintained by individual (and often uncompensated) contributors, all it takes is one abandoned project, one security breach, or one faulty update to knock out thousands upon thousands of dependent systems.

While new and unsettling threats are making headlines each day, the threats most likely to impact your company are the ones we already know about. That’s what’s keeping your CISO up at night. 

The Fundamental Risks: When the Basics Are Not So Basic

Whether it’s a lack of MFA, weak segmentation, or poor IAM practices, breach report after breach report continues to underscore the idea that businesses across nearly every industry still have a long way to go when it comes to security fundamentals. It’s not a question of education—security leaders know the value of solutions like MFA, for example—so why do so many organizations fail to implement these cybersecurity basics? And why do attackers continue to have success exploiting vulnerabilities that are already well understood? The answer often lies in misplaced confidence and constant distraction. 

The cybersecurity news cycle is ruthless. Every day, there is a torrent of “this system hacked, this vulnerability exposed, this data breach revealed, this new zero-day unveiled,” and those alarming headlines can often have a greater impact on business leaders than the more measured, fundamental advice offered by CISOs and risk teams. The problem with these headlines is that they’re often not as pressing as they sound. 

While quantum computers breaking encryption or AI creating novel attack vectors may sound more threatening than poor MFA coverage, a lack of MFA is much more likely to negatively impact your business today. It’s important to reject the urge to “trend chase” and instead take cues from CISOs and other risk leaders who have a more complete understanding of immediate threats and how best to address them. Nothing keeps a CISO up at night more than the frustration of allocating resources to threats that are unlikely to impact them.

Prioritizing security initiatives based on headlines creates dangerous blind spots. If resources are being spent defending against low-probability threats, they aren’t being spent on more fundamental protections—and attackers are always waiting to take advantage of those lapses. Risk and security experts understand that getting back to basics and emphasizing good cyber hygiene and cybersecurity fundamentals may not be exciting, but it provides the greatest ROI.  

Communicating that ROI to those on the business side isn’t always easy, but establishing Key Risk Indicators (KRIs) for essential controls like MFA adoption, user lifecycle management, vulnerability management, and network segmentation can help. KRIs act like a security hygiene dashboard, showing whether certain controls are truly effective and helping to illustrate positive change over time. For example, if your MFA coverage is only 85%, that signals a clear risk. Set ambitious thresholds — like 100% MFA coverage for all accounts — and monitor regularly. Any change, such as a new application rollout or system migration, should immediately highlight new potential dangers so the risk team can take action.  
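One way to turn the MFA KRI described above into something a risk team can actually run is shown in this added example (not from the article): it computes coverage from a constructed account inventory, compares it with the 100% target, and attributes any shortfall to specific applications so that a newly onboarded system shows up immediately.

```python
# Added example (not from the article): computing the MFA-coverage KRI from an
# account inventory and flagging the applications responsible for any shortfall.
from collections import defaultdict

MFA_COVERAGE_TARGET = 1.0  # the article's "ambitious threshold": MFA on 100% of accounts

# Constructed sample inventory, one record per (account, application); in practice
# this would be exported from the identity provider or IAM system.
INVENTORY = [
    {"account": "alice", "app": "vpn", "mfa": True},
    {"account": "bob", "app": "vpn", "mfa": True},
    {"account": "carol", "app": "vpn", "mfa": False},
    {"account": "alice", "app": "payroll", "mfa": True},
    {"account": "bob", "app": "payroll", "mfa": True},
    {"account": "dave", "app": "legacy-erp", "mfa": False},  # app onboarded since last check
    {"account": "erin", "app": "legacy-erp", "mfa": False},
]
PREVIOUS_APPS = {"vpn", "payroll"}  # constructed: applications present at the last KRI run

def mfa_coverage(records):
    """Fraction of records with MFA enforced; an empty set counts as fully covered."""
    if not records:
        return 1.0
    return sum(1 for r in records if r["mfa"]) / len(records)

def coverage_by_app(records):
    """Per-application coverage, so a drop in the KRI is attributable to a system."""
    groups = defaultdict(list)
    for r in records:
        groups[r["app"]].append(r)
    return {app: mfa_coverage(rs) for app, rs in groups.items()}

def evaluate_kri(records, previous_apps, target=MFA_COVERAGE_TARGET):
    """KRI status: overall coverage, threshold breach, offending apps, and new apps."""
    per_app = coverage_by_app(records)
    overall = mfa_coverage(records)
    below = sorted(app for app, cov in per_app.items() if cov < target)
    new_apps = sorted(set(per_app) - set(previous_apps))
    return {
        "coverage": round(overall, 3),
        "breached": overall < target,
        "apps_below_target": below,
        "new_apps_below_target": [a for a in new_apps if per_app[a] < target],
    }

if __name__ == "__main__":
    print(evaluate_kri(INVENTORY, PREVIOUS_APPS))
```

Run on a schedule and after every rollout or migration, the `new_apps_below_target` list is the signal the risk team acts on, while the overall coverage figure is what the dashboard trends over time.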

The Existential Risks: A Rocky Software Supply Chain 

While mastering the fundamentals keeps your organization secure day to day, CISOs face another, more existential challenge. The interconnected nature of the modern software ecosystem — built atop stacks of open-source components and complex layers of interdependent libraries — is always a drumbeat risk in the background. It’s a threat that often flies under the radar until it’s too late.  

In a world where code is rarely written from scratch, applications are often built on the backs of open-source code from a wide range of interdependent libraries, often maintained by individuals or small nonprofit groups with limited resources and minimal oversight. With this fragile setup, all it takes is one compromised database, one flawed update, or one abandoned project to create a chain reaction of harmful consequences. With AI-written code and libraries, the problem only becomes more worrisome. When a vulnerability is found in a package that has a human maintainer, they feel the duty to fix those bugs and issue patches. With an AI-written library, where the source code was generated and now has little to no oversight, who’s to pick up that torch? And it’s not like AI doesn’t introduce vulnerable code; with the technology still maturing, it often does. This can quietly spread seemingly flawless but insecure code that no one feels responsible for fixing. 

While CISOs can’t rewrite the entire software ecosystem, what they can do is bring the same discipline to third-party and open-source risk management that they apply to internal controls. That starts with visibility, especially when it comes to third-party libraries and packages. By maintaining an accurate and continuously updated inventory of all components and their dependencies, CISOs can enforce patching and vulnerability management processes that enable them to respond quickly to bugs, breaches, vulnerabilities, and other potential challenges. With a clear understanding of their software supply chain, CISOs can also develop clear and effective internal processes for vetting and approving new packages. 

While the nature of modern development makes this risk difficult to eliminate, it is possible to significantly mitigate the threat by prioritizing visibility (knowing exactly which libraries and dependencies your software relies on) and investing in open-source security initiatives. 
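As an added example (not from the article or any particular tool), the following Python gate implements the visibility-and-vetting idea from the two preceding paragraphs: it resolves the transitive dependencies of a constructed lockfile-style inventory, checks them against a constructed advisory list (placeholder ID) and a maintenance policy (stale releases, single maintainers), and reports which direct dependency pulls each finding in.

```python
# Added example (not from the article): a dependency-inventory gate that resolves transitive
# dependencies, checks them against an advisory list and a maintenance policy, and attributes findings.
from datetime import date

# Constructed inventory (lockfile-style): version, own deps, maintainer count, last release.
COMPONENTS = {
    "webapp":    {"version": "1.0.0", "deps": ["httpkit", "yamlparse"], "maintainers": 6, "last_release": date(2025, 11, 1)},
    "httpkit":   {"version": "2.3.1", "deps": ["tinylog"], "maintainers": 3, "last_release": date(2025, 9, 12)},
    "yamlparse": {"version": "0.9.4", "deps": ["tinylog"], "maintainers": 1, "last_release": date(2021, 2, 2)},
    "tinylog":   {"version": "4.1.0", "deps": [], "maintainers": 1, "last_release": date(2025, 10, 3)},
}
# Constructed advisory feed with a placeholder ID; real data would come from OSV/GHSA or a vendor feed.
ADVISORIES = [{"id": "EXAMPLE-ADV-0001", "package": "yamlparse", "affected": {"0.9.4", "0.9.5"}}]

MAX_AGE_DAYS = 365 * 2         # no release in two years: treat as potentially abandoned
MIN_MAINTAINERS = 2            # single-maintainer projects are a bus-factor risk
AS_OF = date(2025, 12, 4)      # constructed "today" so the run is reproducible

def transitive_deps(root, components):
    """Every component reachable from root (root itself excluded)."""
    seen, stack = set(), list(components[root]["deps"])
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(components[name]["deps"])
    return seen

def importers_of(target, root, components):
    """Direct dependencies of root whose subtree contains target (for attribution)."""
    return sorted(d for d in components[root]["deps"]
                  if d == target or target in transitive_deps(d, components))

def vet(root, components, advisories, today):
    """Policy gate: findings for every transitive component of root."""
    findings = []
    for name in sorted(transitive_deps(root, components)):
        meta, age = components[name], (today - components[name]["last_release"]).days
        reasons = [a["id"] for a in advisories
                   if a["package"] == name and meta["version"] in a["affected"]]
        if age > MAX_AGE_DAYS:
            reasons.append("stale: no release in %d days" % age)
        if meta["maintainers"] < MIN_MAINTAINERS:
            reasons.append("single-maintainer")
        if reasons:
            findings.append({"component": name, "reasons": reasons,
                             "via": importers_of(name, root, components)})
    return findings
```

Calling `vet("webapp", COMPONENTS, ADVISORIES, AS_OF)` flags the transitive `tinylog` (single maintainer, reached through both direct dependencies) and the direct `yamlparse` (advisory match, stale, single maintainer); the same function doubles as the approval check for a proposed new package.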

The Risks That Actually Matter 

The cybersecurity landscape is relentless—and the current rate of change is unlikely to shift anytime soon. While splashy headlines soak up a lot of the attention, the things keeping CISOs awake at night usually look a little different. The fundamentals we often take for granted and the fragile systems our enterprises depend on aren’t always as secure as they seem, and accounting for that risk is critical. From basic hygiene like user lifecycle management and MFA coverage to the sprawling, interdependent web of open-source software, the threats are systemic and constantly evolving.  

CISOs who want to sleep easier need to treat these risks with discipline, measure and monitor controls, continuously refine strategies, and responsibly engage with the broader software ecosystem. These threats may be less exciting, but they are much more likely to impact today’s businesses—and applying data-driven oversight can help CISOs shift from a reactive posture to a proactive one, building security programs with the resilience to combat today’s most dangerous risks.  

Source: https://securityboulevard.com/2025/12/sleepless-in-security-whats-actually-keeping-cisos-up-at-night/