Cybersecurity leaders at all times have so much on their minds. What are the most recent threats to their enterprises? What rising applied sciences can bolster their defenses? How can they safe the required expertise and the finances? What’s on the regulatory horizon?
As 2025 begins, InformationWeek spoke to 4 leaders within the cybersecurity house about a few of the greatest points on their minds.
AI-Fueled Threats and Protection
AI was on everybody’s lips in 2024, and there may be each purpose to count on that this expertise increase will proceed to be prime of thoughts in 2025.
AI makes menace actors extra prolific and complex. They’ll use it to automate large-scale assaults. They’ll make phishing lures extra convincing. Deepfake audio and video proceed to enhance, making them more durable to identify. In 2024, scammers successfully manipulated a finance employee into paying them $25 million, due to a deepfake video convention.
The identical highly effective capabilities of AI are, in fact, being utilized on the defensive aspect. AI-driven automation, for instance, speeds menace detection and frees up analysts’ time for extra advanced work.
However AI has myriad use instances. Along with cybersecurity threats and defensive instruments, this expertise is being utilized up and down the expertise stack. Cybersecurity leaders should take into consideration the safety implications of AI all through their enterprises.
“We’re seeing numerous initiatives transferring [forward] and it kind of appears like safety is … being requested to comply with behind the enterprise and cut back the chance after the very fact,” says Patrick Sullivan, CTO, safety technique at Akamai Technologies, a cloud computing and safety firm.
Insider Threats
In 2024, KnowBe4 hired a North Korean hacker to fill an open IT place. The cybersecurity firm acknowledged the insider menace early on, earlier than the particular person was even onboarded. However this isn’t an remoted sort of menace.
Aggressor nation states will proceed to make use of this type of method to infiltrate US corporations and significant infrastructure suppliers, whether or not to steal mental property and information or to trigger disruption to important providers.
“We’re actually seeing a necessity now for superior controls in that expertise acquisition course of and in our ongoing insider menace monitoring packages to have the ability to mitigate in opposition to these new sorts of assaults which might be on the market,” Sharon Chand, principal of cyber threat providers at consulting agency Deloitte, asserts.
Escalating Geopolitical Tensions
The escalating geopolitical tensions internationally play out, partially, within the cybersecurity house. Nation state-backed threat actors and hacktivists goal organizations within the US and internationally within the service of political objectives.
The UK rang alarm bells relating to Russia’s ability to conduct cyber-warfare on British companies, BBC studies. US Cyber Command warns of China’s ability to disrupt US critical infrastructure within the occasion that battle erupts between the 2 international locations, in line with Reuters.
Disruptive Cyberattacks
This yr is ready to be a report for ransomware funds, and blockchain information platform Chainalysis factors out that “big game hunting” is an enormous driver.
Sam Rubin, senior vp of Unit 42 consulting and menace intelligence at cybersecurity firm Palo Alto Networks, tells InformationWeek that assaults that trigger crippling enterprise disruption are on the rise.
“These disruptive assaults particularly for giant organizations which have an enormous position within the economic system or of their market have gotten the goal and a manner for the menace actors to get very massive multimillion-dollar pay days,” he explains.
Zero Day Vulnerabilities
In November, the Cybersecurity and Infrastructure Safety Company (CISA), the Nationwide Safety Company (NSA), and numerous their companions launched a listing of the top routinely exploited vulnerabilities in 2023. Of the 15 prime frequent vulnerabilities and exposures (CVEs), 11 had been zero days.
“A few of that’s nation state actors. A few of that’s ransomware operators. So, all adversary lessons appear to be pivoting extra towards zero days,” says Sullivan.
Third-Occasion Dangers
In the summertime of this previous yr, enterprise at 1000’s of automobile dealerships was upended following two cyberattacks on a single software provider: CDK World. The well being care trade skilled a serious disruption when Change Healthcare, a cost and claims supplier, was hit with ransomware. The potential of one other cyberattack with a large ripple impact looms massive in 2025.
“There’s simply a lot a lot dependency on third events amongst heaps and plenty of corporations and totally different industries. And, I feel there will likely be a large-scale assault on an organization that impacts not solely that firm however these [that] rely on it,” says Ann Irvine, chief information and analytics officer at Resilience, a cybersecurity threat administration firm.
As enterprises incorporate extra third events into their provide chains, extra internet apps and APIs are uncovered, Sullivan factors out. “[Businesses need] to know the place these vulnerabilities emerge, prioritize them, after which have an environment friendly patching course of to remediate,” he urges.
The Want for Built-in Safety Platforms
The marketplace for safety platforms and instruments is huge. For those who can consider a safety problem, there are most likely a number of distributors clamoring to serve up an answer. However there’s a motion to consolidate these options.
“We’re seeing continued creativity of the dangerous actors coming into a number of various kinds of assault vectors, and traditionally, a few of our defenses have been fairly siloed of their potential to forestall [and] mitigate these sorts of assaults,” says Chand. “We’re seeing the necessity for enterprise shoppers to essentially take into consideration built-in safety platforms.”
Networking firm Excessive Networks surveyed 200 CIOs and IT decision markers, and 88% reported a need for a single built-in platform that features AI, networking, and safety.
Upskilling the Cyber Workforce
The cybersecurity problem scarcity is an ongoing concern. Consulting agency Gartner predicts that greater than half of cyber incidents will stem from a lack of talent and human failure by 2025.
Along with filling roles, enterprises are additionally tasked with the prospect of upskilling their present cybersecurity expertise. As threats evolve, in no small half as a consequence of AI, cybersecurity staff want to have the ability to sustain.
And AI isn’t the one space the place cybersecurity groups might want to sharpen their expertise. “I do count on to see an increasing number of assaults in that OT surroundings. So, we’ll want an increasing number of people which might be centered on understanding and mitigating these assaults within the enterprise,” says Chand.
A Maturing Cyber Insurance coverage Business
Insurance coverage is an enormous consideration for enterprise leaders wrangling with the administration of cybersecurity threat. S&P World anticipates that cyber insurance rates will continue to increase and the phrases and circumstances for insurance policies will tighten. The market analysis firm predicts premiums will enhance 15% to twenty%, hitting $23 billion by the tip of 2026.
Irvine factors out that the cyber insurance coverage house remains to be rising. Because it matures, it has the chance to affect cybersecurity practices. “The insurance coverage trade is simply going to proceed to mature and … demand good practices, that are good for his or her backside line but in addition in the end good for his or her prospects,” she says.
The Highlight on Safety Leaders
CISOs are more and more being regarded to as strategic enterprise leaders. “The transition of the position is … out of the IT tower into the boardroom to talk the language of threat, to talk the language of enterprise and to assist be a driver for that enterprise,” says Rubin.
In Deloitte’s The Global Future of Cyber Survey, about one-third of respondents reported that CISO involvement in strategic conversations elevated over the previous yr.
Boards and C-suites could also be changing into extra conscious of the significance of cybersecurity, however there are private legal responsibility issues amongst CISOs. The 2024 Voice of the CISO report from cybersecurity firm Proofpoint discovered that 66% of worldwide CISOs are fearful about their personal, financial, and legal liability.
Lately, there have been examples that gas these issues. Joseph Sullivan, the former chief security officer of Uber, obtained probation and a superb for his position in a 2016 information breach. The Safety and Trade Fee (SEC) filed a lawsuit in opposition to SolarWinds and its CISO Timothy Brown over 2019 cyberattacks that impacted the US authorities. A judge dismissed most of the charges, however it doesn’t fully erase the opportunity of private legal responsibility for CISOs.
A New Administration
As enterprise leaders contemplate the outlook for 2025, the incoming Trump administration is certainly an element. A change in federal management means potential modifications to regulation. Trump can also be prone to make modifications to CISA, and he has been vocal about his intentions to repeal the Biden administration’s AI government order.
“I’m being attentive to is this modification in US federal authorities” says Irvine. “It actually does matter, and issues might change fairly dramatically.”