Cybersecurity leaders always have a lot on their minds. What are the latest threats to their enterprises? What emerging technologies can bolster their defenses? How can they secure the necessary talent and the budget? What’s on the regulatory horizon?
As 2025 begins, InformationWeek spoke to four leaders in the cybersecurity space about some of the biggest issues on their minds.
AI-Fueled Threats and Defense
AI was on everyone’s lips in 2024, and there is every reason to expect that this technology boom will continue to be top of mind in 2025.
AI makes threat actors more prolific and sophisticated. They can use it to automate large-scale attacks. They can make phishing lures more convincing. Deepfake audio and video continue to improve, making them harder to spot. In 2024, scammers effectively manipulated a finance worker into paying them $25 million, thanks to a deepfake video conference.
The same powerful capabilities of AI are, of course, being applied on the defensive side. AI-driven automation, for example, speeds threat detection and frees up analysts’ time for more complex work.
But AI has myriad use cases. In addition to cybersecurity threats and defensive tools, this technology is being applied up and down the technology stack. Cybersecurity leaders must think about the security implications of AI throughout their enterprises.
“We are seeing a lot of projects moving [forward] and it sort of feels like security is … being asked to follow behind the business and reduce the risk after the fact,” says Patrick Sullivan, CTO, security strategy at Akamai Technologies, a cloud computing and security company.
Insider Threats
In 2024, KnowBe4 hired a North Korean hacker to fill an open IT position. The cybersecurity company recognized the insider threat early on, before the person was even onboarded. But this is not an isolated kind of threat.
Aggressor nation states will continue to use this kind of approach to infiltrate US companies and critical infrastructure providers, whether to steal intellectual property and data or to cause disruption to essential services.
“We’re really seeing a need now for advanced controls in that talent acquisition process and in our ongoing insider threat monitoring programs to be able to mitigate against these new kinds of attacks that are out there,” Sharon Chand, principal of cyber risk services at consulting firm Deloitte, asserts.
Escalating Geopolitical Tensions
The escalating geopolitical tensions across the world play out, in part, in the cybersecurity space. Nation state-backed threat actors and hacktivists target organizations in the US and across the world in the service of political goals.
The UK rang alarm bells regarding Russia’s ability to conduct cyber-warfare on British businesses, BBC reports. US Cyber Command warns of China’s ability to disrupt US critical infrastructure in the event that conflict erupts between the two countries, according to Reuters.
Disruptive Cyberattacks
This year is set to be a record for ransomware payments, and blockchain data platform Chainalysis points out that “big game hunting” is a big driver.
Sam Rubin, senior vice president of Unit 42 consulting and threat intelligence at cybersecurity company Palo Alto Networks, tells InformationWeek that attacks that cause crippling business disruption are on the rise.
“These disruptive attacks especially for large organizations that have a big role in the economy or in their market are becoming the target and a way for the threat actors to get very large multimillion-dollar pay days,” he explains.
Zero Day Vulnerabilities
In November, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and a number of their partners released a list of the top routinely exploited vulnerabilities in 2023. Of the 15 top common vulnerabilities and exposures (CVEs), 11 were zero days.
“Some of that is nation state actors. Some of that is ransomware operators. So, all adversary classes seem to be pivoting more toward zero days,” says Sullivan.
Third-Party Risks
In the summer of this past year, business at thousands of car dealerships was upended following two cyberattacks on a single software provider: CDK Global. The health care industry experienced a major disruption when Change Healthcare, a payment and claims provider, was hit with ransomware. The potential of another cyberattack with a massive ripple effect looms large in 2025.
“There’s just so much so much dependency on third parties among lots and lots of companies and different industries. And, I think there will be a large-scale attack on a company that impacts not only that company but those [that] depend on it,” says Ann Irvine, chief data and analytics officer at Resilience, a cybersecurity risk management company.
As enterprises incorporate more third parties into their supply chains, more web apps and APIs are exposed, Sullivan points out. “[Businesses need] to understand where those vulnerabilities emerge, prioritize them, and then have an efficient patching process to remediate,” he urges.
The Need for Integrated Security Platforms
The market for security platforms and tools is massive. If you can think of a security challenge, there are probably a host of vendors clamoring to serve up a solution. But there is a movement to consolidate those solutions.
“We’re seeing continued creativity of the bad actors coming into multiple different types of attack vectors, and historically, some of our defenses have been quite siloed in their ability to prevent [and] mitigate those kinds of attacks,” says Chand. “We’re seeing the need for enterprise clients to really think about integrated security platforms.”
Networking company Extreme Networks surveyed 200 CIOs and IT decision markers, and 88% reported a desire for a single integrated platform that includes AI, networking, and security.
Upskilling the Cyber Workforce
The cybersecurity challenge shortage is an ongoing concern. Consulting firm Gartner predicts that more than half of cyber incidents will stem from a lack of talent and human failure by 2025.
In addition to filling roles, enterprises are also tasked with the prospect of upskilling their current cybersecurity talent. As threats evolve, in no small part due to AI, cybersecurity workers need to be able to keep up.
And AI isn’t the only area where cybersecurity teams will need to sharpen their skills. “I do expect to see more and more attacks in that OT environment. So, we’re going to need more and more humans that are focused on understanding and mitigating those attacks in the enterprise,” says Chand.
A Maturing Cyber Insurance Industry
Insurance is a big consideration for enterprise leaders wrangling with the management of cybersecurity risk. S&P Global anticipates that cyber insurance rates will continue to increase and the terms and conditions for policies will tighten. The market research company predicts premiums will increase 15% to 20%, hitting $23 billion by the end of 2026.
Irvine points out that the cyber insurance space is still growing. As it matures, it has the opportunity to influence cybersecurity practices. “The insurance industry is just going to continue to mature and … demand good practices, which are good for their bottom line but also ultimately good for their customers,” she says.
The Spotlight on Security Leaders
CISOs are increasingly being looked to as strategic enterprise leaders. “The transition of the role is … out of the IT tower into the boardroom to speak the language of risk, to speak the language of business and to help be a driver for that enterprise,” says Rubin.
In Deloitte’s The Global Future of Cyber Survey, about one-third of respondents reported that CISO involvement in strategic conversations increased over the past year.
Boards and C-suites may be becoming more aware of the importance of cybersecurity, but there are personal liability concerns among CISOs. The 2024 Voice of the CISO report from cybersecurity company Proofpoint found that 66% of global CISOs are worried about their personal, financial, and legal liability.
In recent years, there have been examples that fuel those concerns. Joseph Sullivan, the former chief security officer of Uber, received probation and a fine for his role in a 2016 data breach. The Security and Exchange Commission (SEC) filed a lawsuit against SolarWinds and its CISO Timothy Brown over 2019 cyberattacks that impacted the US government. A judge dismissed most of the charges, but it does not completely erase the possibility of personal liability for CISOs.
A New Administration
As enterprise leaders consider the outlook for 2025, the incoming Trump administration is definitely a factor. A change in federal leadership means potential changes to regulation. Trump is also likely to make changes to CISA, and he has been vocal about his intentions to repeal the Biden administration’s AI executive order.
“I am paying attention to is this change in US federal government” says Irvine. “It really does matter, and things could change quite dramatically.”