Based on my past experience in implementing an ISMS as an Information Security Manager, I would rate the following as the five biggest challenges:
1. Attitude or the prevailing culture:
The responsibility of implementing and ensuring security automatically qualifies one as "not so friendly" towards computerisation and IT services. Top management (C-level) wants you to implement and drive the policies and strategies, but the general employees, who are the end users of the various IT assets, want minimum barriers and maximum convenience.
You end up sandwiched between the two, with both parties hating you because you are not listening to them. It takes time and considerable effort to change attitudes and culture for better cyber security health, although it is worth the effort. Surmounting such attitudes and changing the culture is the biggest challenge.
2. Technology as a solution:
Not every medical problem has a medicine. Even where medicines are available, they may not cure you completely. Nor can you rule out the side effects of the medicines, though advances are being made every day.
Similarly, technology alone is not a complete security solution. Just the other day we heard of Google being affected by simultaneous failures of redundant network paths.
The ultimate success and efficacy of any security program will always be due to people, procedures and processes in conjunction with technology.
Most management and end users still perceive technology and products as the magic bullet. Breaking this myth is the next biggest challenge.
3. Incorrect priorities:
CIA, which stands for Confidentiality, Integrity and Availability, is not clearly understood. Every functional organisation and every department needs to understand which of the three elements is more important than the others. Giving equal priority to all three aspects may hamper work output and operations and would lead to unnecessary friction. Security professionals need to understand this and should advise accordingly.
4. Understaffing:
The next biggest challenge is understaffing. Though the situation in IT per se has improved to some extent, the situation in security remains grim. Senior management needs to appreciate this and provide sufficient staff to oversee information security.
5. Skill Retention:
The last of the five challenges, in my opinion, is skill retention, or continuity of employment for the lower-level information security staff who are actually responsible for translating policies and decisions into action. Insufficient skills and understaffing not only widen the implementation gaps but also increase the stress levels of the IT security staff.