lose-lose
We're stuck between a rock and a hard place.
Legacy systems suffer from being built at a time when code dev and testing tools were not as sophisticated, and the perceived (if any) external threats were not given much thought, plus systems were not connected to external environments in such accessible ways. Simpler times.
Now, systems are abstracted into so many layers, both from technology stack and business responsibility levels; dev tools come from multiple sources, on local and cloud environments divided into layers of services, containers, orchestration and physical or software edge devices, spread across different commercial organisations that don't and can't have an intimate, holistic approach to development and testing, except to share, often iffy, API specs... and we're surprised when the whole lot leaks like a sieve.
Who'd be a CISO?
The fundamental role of the person in charge of business information security is there to develop a robust plan for business continuity and recovery that kicks in WHEN a system is breached. Anyone taking on the role on the basis that their skills and leadership will make their organisation's systems impervious to infiltration is very misguided.
We've worked so hard to be 'clever' with dev pipelines, frameworks and bolt-it-together architectures that we've lost the ability to understand, own and test the creations we make.
The solution? Get systems and services back to minimum viable stack so that the end-to-end design can be understood and owned by the development team. What shape this takes is a big discussion... maybe start by considering on-prem or co-located physical hardware and then work outwards, software and hardware-wise, as much as you believe is possible, necessary and safe, so that you can own and audit the beast you are creating. And then write your recovery plan from the start point of your secured data repository (backups) and the business needs, not the technology that's just let you down.
Of course, you could always commission a solution from an established market practitioner on the basis that you haven't got, and don't need, a clue about what's going on under the hood, provided you're as happy as can be with the functional spec you are served, safe in the knowledge that when things go tits up it's someone else's job to sort it out, and you escape the front of the incoming storm when your business grinds to a halt. With a bit of luck, the company you engage to provide your solution developed it as described above so they have an easier time getting you going again.
Slate and chalks all around then!?