If cybersecurity concerns keep you up at night, you aren’t alone. At Kaseya Connect 2025, Kaseya CISO Jason Manar sat down with three cybersecurity leadership experts, Tim Youngblood, CISO-in-Residence, Astrix Security; Corey Ruthardt, President, Simpatico Systems; and Greg Sullivan, Founding Partner, CIOSO Global, to discuss their top cybersecurity concerns.
Here are the nine things that weigh most heavily on their minds:
1. Misalignment around risk prioritization
For Jason Manar, the root of many sleepless nights is misalignment — not just between security team members but also across the entire business. These gaps can lead to a cascade of bad cybersecurity consequences, including misjudging threats.
“If we’re misaligned, then we’re not adequately assessing, ranking and prioritizing the risk at hand,” Manar explained.
When boards, executive teams, IT leaders and security professionals aren’t on the same page about risk tolerance, threat prioritization and mitigation strategies, organizations are left vulnerable with blind spots that attackers can then exploit.
2. The enduring risk of the human element
Greg Sullivan pointed out a consistently troublesome weakness that has been at the top of many CISOs’ lists of worries over the years — users. For many CISOs, user behavior causes more stress than technical concerns, including vulnerabilities.
“It’s the human side of all of this that keeps us up at night,” commented Sullivan.
The Kaseya Cybersecurity Survey Report 2024 findings indicate that Sullivan is not alone in his insomnia: 45% of our survey respondents cited users as a top cybersecurity concern.
3. The uncertainty of user behavior and inherited risks
The panelists confirmed CISOs don’t worry just about what their security teams are doing to keep the business secure. They also worry about the habits and security practices of everyone in their clients’ organizations.
For managed service provider (MSP) business owners like Corey Ruthardt, the dual responsibility of protecting their own business while securing their customers can make onboarding new clients particularly complex. Each client’s needs, security practices and security maturity differ, leaving MSP businesses open to a host of unknown risks.
“You never really know when you come in what you’re going to have,” cautioned Ruthardt. “There could be all kinds of things unknown to you that you walk into.”
Ruthardt noted that new customers often bring misconfigured cloud environments, including unprotected interfaces, unmanaged identities and cross-platform vulnerabilities, prime entry points for attackers.
4. Managing AI’s double-edged sword
Concerns about the growing role of artificial intelligence (AI) in cybersecurity and cybercrime are also keeping CISOs awake at night.
The panelists expressed enthusiasm about the many potential benefits IT teams gain from using AI-enabled tools, such as reduced ticket times, automated phishing detection and streamlined security operations centers (SOCs).
“Leveraging AI to provide that level of support and address common issues that take up the most time is a huge benefit,” said Manar. “It allows agents to focus on more complex tasks by automatically handling the most frequent phishing scenarios, without the need for human involvement.”
Ruthardt added that for MSPs, the focus is on harnessing AI for practical solutions like automating repetitive tasks and improving efficiency. The trend toward AI-driven automation is accelerating rapidly, with growing industry investment. Ruthardt warned that by putting too much emphasis on AI tools and automations, IT professionals could lose sight of the importance of delivering a personalized customer experience.
“As an MSP, we’re all still professional services,” said Ruthardt. “We’re there to consult, to engage with customers and to create an experience that they’re going to like at the end of the day. And when we put so much emphasis on AI tools and automations, we lose a lot of that customer service aspect.”
On the other hand, Manar highlighted the benefits AI adoption brings to bad actors. For example, he noted that AI now enables attackers and malicious insiders to locate sensitive data far more quickly than in the past, turning what once required extensive searches into a simple prompt.
5. The growing pressure of data governance and compliance
The panelists agreed that for IT leaders to rest easy, compliance and data governance must be at the core of any security strategy — a challenge that is only growing in the age of AI. Ruthardt warned attendees that AI’s widespread appeal makes it likely that users and technicians will turn to these tools, even when doing so conflicts with security policies. This introduces new data management complexities.
“Employees are going to use AI whether they’re typing into ChatGPT on their phones or accessing tools on their computers, even if you blacklist certain platforms,” said Ruthardt. “As an MSP, you have to be extremely cautious about how data is handled across all systems. The moment data is entered into those third-party systems you lose visibility and control over it.”
Youngblood agreed, emphasizing that IT professionals should exercise caution when relying on agentic AI. This type of goal-driven, autonomous technology makes decisions and takes actions on a user’s behalf, completing tasks without continuous human oversight. While deploying AI “agents” to handle routine tasks can boost efficiency, it can also introduce unexpected compliance risks. He offered a thought-provoking example of just how easily it can happen.
“Imagine a U.S.-based AI agent says to an E.U.-based AI agent, ‘I’m trying to solve this business issue. I know you have access to this data. Can you give it to me?’” Youngblood explained.
“Now, let’s say that data is stored in Germany. As soon as the U.S.-based agent pulls it into a U.S. data center, it’s just violated GDPR. The problem is that the agent doesn’t know anything about GDPR. That’s where things get dangerous.”
The panelists agreed that effective data governance is essential for navigating the ever-changing landscape of regulatory compliance that IT professionals face. They emphasized policies should be designed from the outset to include stringent data protection measures and clear protocols for ensuring required data erasure.
Ruthardt underscored the importance of meticulous compliance management, particularly for MSPs. He advised partnering with third-party experts to maintain compliance across diverse regulatory administrations.
“When it comes to regulatory compliance, the details aren’t optional, and without expert guidance, they’ll become your biggest risk,” said Ruthardt.
6. Emerging blind spots
Just like everyone else, CISOs lose sleep worrying about the future. The panel shared their thoughts about future challenges, exploring issues that attendees should prepare to address. Youngblood flagged an often-overlooked risk: non-human identities. Service accounts, APIs, OAuth tokens and app-to-app connections are just a few examples of the non-human identity risks embedded across modern environments.
“For every 1,000 employees, there are 40,000 non-human identities in your environment,” Youngblood shared, citing Gartner research.
Those identities can be major liabilities, as they often lack clear ownership and oversight. The panelists shared the sentiment that a lack of visibility into uncommon vulnerabilities makes them an increasingly attractive — and growing — attack vector for adversaries.
7. Known and unknown vulnerabilities
While others are counting sheep, CISOs are counting vulnerabilities. IT professionals can proactively mitigate many known vulnerabilities, and they must be diligent about tracking and remediating them quickly. However, just as many undiscovered vulnerabilities exist in the wild. This means IT leaders must maintain robust, future-ready defenses to avoid trouble, not to mention unpleasant meetings.
“The last person you want to be is the one who has to stand in front of the board and explain how you were successfully breached via a vulnerability that you didn’t know about, but someone else did,” advised Sullivan.
The panelists shared the view that third-party components are an often overlooked source of vulnerabilities. While IT professionals often have advanced tools to monitor vulnerabilities on their networks, they have limited visibility into the vulnerabilities that third-party components embed in their networks, which may result in dangerous openings for bad actors.
8. Readiness for trouble
The panelists agreed that CISOs who want to sleep well must be ready for the unexpected. To achieve that, they must invest in proactive security tools, such as advanced threat intelligence gathering and penetration testing. IT leaders must also ensure their teams exercise constant vigilance and maintain a high level of preparedness.
“Every morning you should be waking up in a state of being breached and figuring out where the breach is,” said Tim Youngblood.
The panelists shared the view that strong leadership is the key to success in a cyber crisis. They noted that in addition to being prepared, IT leaders must be ready to pivot at any moment during an emergency, when initial reports may be unreliable and preplanned strategies might need to be adjusted on the fly.
9. Increased need for collaboration
The roadmap to a good night’s sleep for security leaders centers on collaboration. The potential loss of resources like the National Vulnerability Database has propelled the wider discussion around communication and information sharing in the cybersecurity world to the forefront.
Sullivan noted that, unlike many IT teams, threat actors don’t operate in silos. The difficulty of overcoming the strong defenses businesses present today has fostered collaboration at scale across the cybercrime ecosystem. Defenders, however, have traditionally operated differently, with IT leaders often reluctant to share information, much to their detriment.
Sullivan stressed, “We need to be learning from each other and sharing each other’s experiences or we have no chance, because we’re up against the most effective collaborators in the world.”
All of the panelists agreed that there is significant work to be done to solve the problem, and that work must be a priority for every cybersecurity leader.
The path forward: Leadership, vigilance and collaboration
Despite the daunting landscape, the panel closed on an encouraging note. Manar reminded the audience that every person in security, regardless of title, has a leadership role to play in protecting their organization and community, reinforcing the idea that collaboration and caution must be watchwords for defenders.
The panelists made it clear that the concerns keeping CISOs awake at night aren’t going away. However, by acting proactively, leveraging AI responsibly and working together, forward-thinking security leaders can overcome the challenge and set a strong course for the future.