In 2025, significant advancements in agentic artificial intelligence (AI) systems will drive new AI-based cyber defenses, yielding solutions that help organizations carry out specific goals, make decisions, and take mitigation action with minimal human intervention.
However, as these agentic AI systems become integral to business operations, they will also expose organizations to new risks. Nicole Carignan, VP of strategic cyber AI at Darktrace, highlights that multi-agent AI systems, while offering unparalleled efficiency for complex tasks, will introduce vulnerabilities such as data breaches, prompt injections and data privacy risks.
CISOs will face growing challenges in managing "shadow AI," the unsanctioned deployment of generative AI tools by employees, creating governance headaches and data security risks. Akiba Saeedi, IBM’s VP of security product management, emphasizes that addressing these risks will require robust AI governance policies, workforce training, and automated detection measures.
Meanwhile, organizations will increasingly turn to generative AI to streamline software development, but experts like Tariq Shaukat, CEO of Sonar, warn that ensuring secure AI-generated code will remain a critical priority.
As AI transforms cybersecurity roles and tools, CISOs will step into leadership roles as architects of business resilience, balancing innovation with risk management. The future of cybersecurity will hinge on how effectively organizations leverage AI to enhance defenses while safeguarding against its disruptive potential.
SC Media heard from a host of cybersecurity experts on how AI will shape the year ahead in cybersecurity. What follows is the industry's collective best forecast on what lies ahead.
AI in cybersecurity and the workplace
Under scrutiny, AI will become an essential part of how we do business, says Patrick Joyce, Proofpoint global resident CISO:
A few years ago, cloud computing, mobile and zero-trust were just the buzzwords of the day, but now they are very much a part of the fabric of how organizations do business. AI technologies, and especially Generative AI, are being scrutinized more from a buyer’s perspective, with many considering them a third-party risk. CISOs are now in the hot seat and must try to get their hands around both the "risk vs. reward" and the materiality of risk when it comes to AI tools. CISOs are asking exactly how employees are using AI to understand where they may be putting sensitive information at risk. As a result, there will be increased scrutiny around how LLMs are powering AI tools. Just like food packaging labels (which first surfaced back in the '60s and '70s) tell us what ingredients are used in the creation of a food product, today’s CISOs will increasingly ask, “what’s in this AI tool, and how do we know it’s manufactured and secured correctly?”
AI will drive down the cost of software, says Jason Meller, 1Password VP of product on build-over-buy CIOs:
As AI drives down the cost of building and maintaining customer software in 2025, more CIOs will rethink their vendor-first approach and instead, invest in talent to develop bespoke security solutions tailored precisely to their organization’s needs. Vendors will move away from complete security offerings in favor of more modular capabilities — think utility-based billing versus user-based billing, and more — made possible through APIs, webhooks, and other programmatic interfaces. The build-first CIO will have a unique opportunity to champion a transformation that positions IT as a value creator rather than a cost center, driving the organization forward into a future where it’s ready for anything.
A wave of AI agents will increase cyber resilience — and introduce new risks, says Arvind Nithrakashyap, Rubrik co-founder and CTO:
The emerging agentic AI market shows endless potential, especially for organizations that use the cloud to scale computing power and storage capacity to train and deploy complex AI models. CISOs focusing on cloud-first architectures will reap the benefits of increased productivity, better customer experiences, and more. Agentic AI also has the potential to help businesses keep their data and cloud apps more secure; imagine a future where AI agents automate threat detection while enhancing the speed of response and resilience.
However, if not implemented cautiously, agentic AI will also risk sensitive data in the cloud. As AI agents become more sophisticated and interconnected, they will likely lead to more security vulnerabilities and accidental data leaks. Savvy business and IT leaders will not let this hold them back from adopting agentic AI but rather drive them to establish guardrails, set up stringent data access policies, and clearly communicate organizational best practices.
Shadow AI will prove to be more common — and more risky — than we thought, says Akiba Saeedi, IBM VP of security product management:
Businesses have more and more generative AI models deployed across their systems each day, sometimes without their knowledge. In 2025, enterprises will truly see the scope of "shadow AI" — that is, unsanctioned AI models used by staff that aren’t properly governed. Shadow AI presents a major risk to data security, and businesses that successfully confront this issue in 2025 will use a mix of clear governance policies, comprehensive workforce training, and diligent detection and response.
This year will see the rise of agentic AI in API security, says Will Glazier, Cequence Security director of threat research:
With the growing use of agentic AI, where bots act autonomously on behalf of users, traditional methods of distinguishing malicious automated activity will become obsolete. Security systems will shift focus from detecting automation to predicting behavior and intent, introducing a new frontier of challenges in API security and bot management.
AI is already transforming the way developers work, streamlining processes and alleviating the repetitive nature of writing code, says Tariq Shaukat, Sonar CEO:
By 2027, 70% of professional developers will be using AI-powered coding tools. Google’s CEO recently said that already more than a quarter of all new code at Google is generated by AI. However, as adoption grows, a major challenge is emerging: code accountability. AI-generated code must undergo rigorous review to identify potential security vulnerabilities and quality issues early on — before they can lead to costly problems. Yet, the responsibility for ensuring this review often gets overlooked. In 2025, as AI tools become essential for developers, they'll need to take greater responsibility for code accountability. By integrating a "trust and verify" approach early in the Software Development Life Cycle, developers can save time and increase their capacity to tackle large-scale projects that drive business success. The same level of scrutiny applied to human-written code must be extended to AI-generated code. With human oversight embedded throughout the workflow, development teams can ensure that AI-driven code meets established quality and security standards.
Next year, we will see more executives and boards of directors put “software as a critical business asset” to the top of their agenda. When bad code costs organizations $2.41 trillion in the U.S. alone, it shouldn’t be a question anymore of how important software is to business, but how do we ensure it is a competitive differentiator and doesn’t put our business at risk? Organizations strive to protect their codebase against risks, yet often, the focus on code security tends to emerge later in the development lifecycle rather than as an initial investment in secure-by-design practices. I believe we will see the C-suite mindset shift to see software in a new strategic light and build software quality into the fabric of the way business is done. Especially as AI-generated software development continues to pick up steam, it is the responsibility of CEOs and boards to put mechanisms in place that uphold and maintain code quality and security during development. The future of digital business depends on it.
The age of "decision-making machines” through AI is here, says Ravi Ithal, Proofpoint group general manager, DSPM research and development, and product management:
Generative AI will move beyond content generation to become the decision-making engine behind countless business processes, from HR to marketing to DevOps. In 2025, AI will become an indispensable developers’ “apprentice,” doing everything from automating bug fixes, to testing and code optimization. The trend towards using AI-assisted development tools will accelerate in the next year, bridge skill gaps, reduce error rates, and help developers keep pace with the faster release cycles of DevOps. AI will also supercharge DevOps by predicting bottlenecks and preemptively suggesting optimizations. This will transform DevOps pipelines into “predictive production lines” and create workflows that fix issues before they impact production.
Enterprises will grapple with AI benefits and threats, says Mark Hughes, IBM global managing partner cybersecurity services:
As AI matures from proof-of-concept to wide-scale deployment, enterprises reap the benefits of productivity and efficiency gains, including automating security and compliance tasks to protect their data and assets. But organizations need to be aware of AI being used as a new tool or conduit for threat actors to breach long-standing security processes and protocols. Businesses need to adopt security frameworks, best practice recommendations and guardrails for AI and adapt quickly — to address both the benefits and risks associated with rapid AI advancements.
The future of work with AI will enhance human capabilities, says Itamar Golan, Prompt Security co-founder and CEO:
Contrary to widespread concerns, I don’t expect AI to eliminate jobs in 2025. Instead, it will serve as a powerful tool to enhance human capabilities. Agentic AI systems will work alongside humans, like in customer service, sales outreach, marketing content creation, software development and healthcare applications, among others. This means that very soon, 30% of our tedious and repetitive tasks will be automated, giving us more time to focus on creative, innovative and interesting pursuits.
I believe we will also see a significant shift as the multi-modality of AI becomes more mainstream (video, audio, etc.), as opposed to the majority of the use of AI which has been text-based. This creates new opportunities for human-AI collaboration.
AI will have a role in operations and cybersecurity, says John Heasman, CISO at Proof:
In 2025, we'll see AI as a core capability of operational roles in IT and cybersecurity, rather than a required skill, i.e., a Security Operations Center (SOC) analyst may operate a “team” of AI-based analysts (agents), rather than directly analyzing cases themselves. Their role is to sanity check the output, and pick up escalations.
Organizations will find huge inefficiencies in siloed AI projects. CEOs will struggle to answer questions from the board on total AI spend across the company. Cybersecurity teams will struggle to keep pace with the proliferation of new AI use cases, the data that they expose and who has access to these.
Organizations will first look to existing cross-functional facilitators, e.g., (Enterprise) Program Management, to align and streamline AI efforts company-wide. They will also spend on “AI consolidation” technologies that promise to automatically identify use of AI. Some companies will hire a CAIO but with a nebulous charter, many of these hires will be unsuccessful. “AI consultancy” will accelerate as many companies will be hesitant to hire a full-time CAIO. By the end of 2025, this may have morphed from a standard consultancy offering into a component of every project.
A leap in correctness of AI-generated code (i.e., being able to prove the code operates correctly in a semi-formal manner) will become the tipping point for adoption of code generation tools, previously considered too risky for many organizations.
Cybersecurity use of chatbots to shift to AI agents, says Harman Kaur, Tanium VP of AI:
By 2025, AI in cybersecurity will quickly move from chatbots to a more agent-driven approach. While chatbots offer value, agents represent a paradigm shift. Organizations leveraging automation will use agents for threat detection and autonomous responses. Additionally, agents will improve IT resource scalability and enhance cyber hygiene.
AI security liability and accountability will be in question, says Nick McKenzie, Bugcrowd CISO:
Organizations will continue to focus on securing all forms of AI for security vulnerabilities, bias, and data privacy. However, as organizations evolve, develop, and roll out agentic AI inline within core business processes (meaning that AI can make and act on its own informed business decisions autonomously), we’ll see more liability and accountability events publicly surface when ‘bad AI’ calls are made.
SOCs will increasingly rely on machine learning and automation to handle the growing volume of data being collected from their networks, says Tom Marsland, Cloud Range VP of technology:
Automation of detection engineering will take center stage, freeing up human analysts for more complex tasks. AI will play a larger role in analyzing threat intelligence feeds and correlating threat data from various sources to your own network, providing more actionable and accurate insights. Collaboration and information sharing among organizations will increase, leading to more effective threat intelligence and a "common defense" perimeter.
2025 will be the era of the AI engineer, and we’ll see the composition of security teams start to alter, says Alexis Wales, GitHub CISO:
Cybersecurity will continue to be an ongoing game of resilience, reassessment, and trust building, requiring organizations to maintain dynamic security programs. The good news is that the advent of AI is already reshaping how we think about and approach cybersecurity. AI tools are already being used on both offensive and defensive fronts. For defenders, it means technical barriers to entry are lowered and individuals without a deep security background can meaningfully contribute to security programs. By empowering more diverse individuals and skill sets, we can foster teams that approach problems more creatively around the shared mission of safeguarding businesses. Those who lean in and employ AI engineering will see a scaled advantage, operating as if they’re a team of 10 versus one.
We will see increased demand for prompt-engineering skills, says Sohail Iqbal, Veracode CISO:
As AI continues to learn and get smarter, the skills gap between what companies require and what jobseekers know will grow bigger. Many are concerned we are becoming over-reliant on AI to act as our security team. Because of this, GenAI prompt engineering skills will become essential for both developers and security teams in 2025 and beyond. We will see more prompt engineering roles pop up, reflecting an evolution of the traditional system engineering role. However, human skills, such as business acumen and process management, will still be vital for security and developer teams to operate successfully.
Agentic AI will require identity governance, says Alex Bovee, ConductorOne co-founder and CEO:
AI agents will run and operate within your organization just like humans. They’ll even begin to interact with other AI agents to accomplish their job. This means AI agents are going to look, feel, and act just like humans do in an organization. They’ll be added to HR systems, have their own permissions and access privileges, and will also need to be on-boarded and off-boarded from systems just like regular human users. This also means that AI agents can be attacked just like humans. AI agents will require identity governance and security best practices.
The year of AI agents and multi-agent systems, says Nicole Carignan, Darktrace VP of strategic cyber AI:
Following significant advances in generative AI in 2022 and 2023, throughout 2024 we saw significant focus on innovation and development of AI agents, which are autonomous AI systems that are designed to complete specific tasks. We predict 2025 is set to be the year of multi-agent systems (or “agent swarms”). That means we’ll see increasing use cases across businesses where teams of autonomous AI agents are working together to tackle more complex tasks than a single AI agent could alone. However, the rise of multi-agent systems, particularly in cybersecurity, is a double-edged sword.
The rising use of multi-agent systems will introduce new attack vectors and vulnerabilities that could be exploited if they aren’t secured properly from the start. Attacks that we see today impacting single agent systems, such as data poisoning, prompt injection, or social engineering to influence agent behavior, could all be vulnerabilities within a multi-agent system. But the impacts and harms of those vulnerabilities could be even bigger because of the increasing volume of connection points and interfaces that multi-agent systems have.
One benefit of AI agents is that they can discover other agents and communicate, collaborate and interact. Without clear and distinct communication boundaries and explicit permissions, this can be a huge risk to data privacy. These are not issues that traditional application testing alone can address.
Moreover, the stakes for these systems will be extremely high. Multi-agent systems are poised to make AI tools even more useful and productive for consumers, and as they increase adoption for critical daily tasks such as managing household finances, these systems will contain increasingly sensitive and valuable data.
That’s why robust security measures and data guardrails are required at the start to prevent these systems from being exploited and running amok.
Development and security teams will redirect their secure coding training budget toward auto-remediation, says Chris Wysopal, Veracode chief security evangelist and founder:
Developers will learn less about secure coding because they’ll rely more on generative AI to remediate flaws automatically. This progression is analogous to the task of calling someone on the phone. While a few decades ago, we all needed to remember someone’s number to reach them, today all we need to do is tap a contact on our phone. For developers, the equivalent will be to produce secure code without learning how to code securely from scratch. Instead, they will adopt processes to find, test, and fix vulnerabilities automatically, meaning it won’t be as important to know about secure coding — or even to know if generative AI has learned how to write secure code.
The rise of security-focused AI models in 2025, says Danny Allan, Snyk CTO:
As enterprises increasingly adopt coding assistants and autonomous systems, security must move from an afterthought to a priority. In 2025, AI models trained on generic, high-volume data often suggest common but insecure solutions, leading to complex systems and vulnerabilities. To address this, businesses will shift to multi-model integrations that prioritize security by focusing on top performers with a track record of producing secure, efficient code. This will lead to the widespread adoption of fine-tuned AI models that not only drive productivity but also deliver robust, secure systems.
Empowering a workforce with AI-driven productivity, says Dr Stefan Leichenauer, SandboxAQ VP of engineering:
Companies will prioritize building AI expertise and developing intuitive internal tools to increase employee productivity across all functions. By hiring and collaborating with AI specialists, companies will seek to embed AI into daily operations and workflows, ensuring that every team has access to user-friendly and productivity-boosting AI tools. This approach will democratize AI across the company, creating an environment where employees at all levels can leverage AI for smarter decision-making, streamlined processes, and accelerated innovation.
Cybersecurity leadership, automation and the enterprise
2025 will see the rise of multi-disciplinary professionals as specialized roles fade, says Alastair Williams, Skybox Security VP of worldwide systems engineering:
In 2025, the role of the specialized cybersecurity practitioner will increasingly become obsolete. Organizations that once sought experts in specific areas, such as identity and access management or firewall configuration, will shift focus toward professionals who can address a broader range of security challenges. This change is driven by the growing complexity and interconnectedness of cyber threats. Companies will value adaptable cybersecurity professionals who can seamlessly navigate multiple domains.
Additionally, as automation and AI take over routine tasks and specialized functions, the demand for deep manual expertise in niche areas will diminish. With tools that can handle tasks like firewall configuration, basic threat detection, and system monitoring, cybersecurity professionals will have more time to focus on strategic, integrative problem-solving. This shift will move the emphasis away from narrow technical skills and toward holistic, multi-disciplinary capabilities.
Breach-related class action suits: CISOs no longer on the firing block, says Kevin Kirkwood, Exabeam CISO:
In the coming year, the role of the CISO will shift from being a point of blame to a strategic partner in managing and explaining breach-related incidents. In the last few years, we’ve seen CISOs face personal repercussions and complete blame after a cyberattack. But in the coming year, organizations will start to recognize CISOs as 'Chief Explainers' to attacks. Instead of taking blame for breaches, this role will need to articulate the nuances and complexity of a breach if one occurs, defensive strategies and decisions around risk management.
This shift reflects a broader understanding that cyber incidents often stem from systemic issues rather than individual failures. As a result, CISOs will work closely with legal and executive teams to address vulnerabilities, promote transparency, and guide the company’s cybersecurity posture, ensuring they are viewed as essential partners in resilience rather than liabilities.
The CISO will become the architect of business resilience, says Randy Barr, Cequence Security CISO:
In 2025, the role of the CISO will undergo its most dramatic transformation yet, evolving from cyber defense leader to architect of business resilience. This shift is fueled by escalating threats, complex regulations like DORA, and an urgent need to address cyber risk’s financial implications. With resilience now a business imperative, CISOs will be indispensable in the executive suite, translating cybersecurity investments into measurable impacts on continuity and revenue.
This year, CISOs will take on the dual responsibility of safeguarding against increasingly sophisticated adversaries while steering the organization’s resilience strategy. As proactive change agents, they’ll embed security into every facet of the business, champion resilience-based strategies, and foster a security-first culture that strengthens defenses without sacrificing growth. Balancing these demands will require CISOs to continually fortify security programs while anticipating emerging threats in real-time.
CIOs will drive sustainable digital transformation in 2025, says Bobby Cain, Schneider Electric’s North American CIO:
CIOs will drive sustainable digital transformation in 2025. Digital solutions are at the core of building resiliency and supporting a business’ sustainable transition. By implementing digital tools across the organization, companies can work towards their sustainability goals while also improving the bottom line. For example, embracing AI and data-driven decision-making will empower IT teams to speed up decision-making by unlocking valuable insights from data to progress sustainability goals.
The most important assets to a company are the people who comprise the workforce. CIOs will lean on their staff for input, clarity, and ongoing assessment to build a high-performance culture. Offering employees digital training and development programs in cutting-edge areas like AI will allow team members to build their skillsets, strengthen the organization’s technical talents and build the next generation of leaders.
Generative AI will redefine the boardroom, says Andy Byrne, Clari CEO:
In 2025, generative AI will reshape business strategy. Today, 99% of enterprises are integrating AI into their revenue processes — but the next leap is transformative. Picture AI models delivering real-time recommendations to navigate complex markets, optimize revenue flows, or counter economic headwinds.
Boardrooms will evolve from static reports to interactive, AI-powered solutions that simulate future scenarios with unmatched precision. Decisions will no longer rely on hindsight — they’ll be driven by AI’s ability to chart the smartest, most strategic paths forward.
Investment budgets will decrease in “security mature” organizations for generic cyber asks, says Nick McKenzie, Bugcrowd CISO:
New security investment uplift budgets will start tapering off from previous years for pure-play control or capability tasks. Accountability spotlights will shine higher on CISOs for ROI expectations to do more with what you have and consolidate security product sets. For any new investment requests, justification needs now be strongly tied to compliance, business revenue, or customer enablement objectives.
The rise of AI-powered attacks will force organizations to finally dismantle the barriers between network and security teams, says Mo Rosen, Skybox Security CEO:
2025 will be a watershed moment where the rise of AI-powered attacks forces organizations to finally dismantle the barriers between network and security teams. With more than half (55%) of security experts reporting they are concerned about the risk of a security incident due to a lack of collaboration between these critical functions, the need for integration has never been more urgent.
While the disconnect between these critical functions has long been a vulnerability, the escalating sophistication of AI-powered threats will make it impossible to ignore. Cybercriminals are increasingly leveraging AI and automation to launch highly adaptive attacks that traditional, siloed defenses simply can't handle. This new breed of threat will expose the critical weakness of disjointed security approaches, pushing organizations to the edge.
The consequences of inaction, including breaches inflicting crippling damage to infrastructure, data, and reputation, will become too dire to ignore. As a result of prioritizing this convergence, organizations will achieve a more integrated, collaborative approach that improves threat visibility, detection, and response times.
System uptime will lose priority as lines blur between SecOps and ITOps, says Will Ledesma, Adlumin senior director of MDR cybersecurity operations:
Historically, IT Operations and Security Operations have been managed separately. And for ITOps, maintaining service level agreements (SLAs) and ensuring uptime have been the main priority. Achieving “five 9s” — which is availability of services 99.999% of the time — has become the gold standard. But as lines blur between ITOps and SecOps, organizations are recognizing that keeping systems up at all costs may not always be the most important objective. We’re seeing security take a higher priority, which includes a growing willingness to intentionally isolate systems in the event of a cyberattack. To keep data safe and secure, this is the right thing to do. Risk exposure from a cyberattack, which could do irreparable harm if corporate or customer data is compromised, is much greater than the reputational damage that might be done from a minute disruption of service. We’re going to start to see more companies err on the side of security in order to ensure integrity and confidentiality, with playbooks adding steps to take systems down at the first hint of an attack. Even though it may be a disruption to employees and customers, these protection actions are for the benefit of all invested parties. In the long run, the realization that they’d much rather deal with a temporary inconvenience versus having personal or proprietary information fall into the wrong hands will likely become the norm.
Increasing acceptance of cyber risks, says Simon Hodgkinson, Semperis strategic advisor:
Cybersecurity spend will continue to decline as a percentage of an organization’s revenue. While this is not a new trend, for security teams, it means even more pressure to do more with less. In addition, everyone has become desensitized to data breaches; this is a troubling phenomenon that will continue downstream to consumers. Cyber incidents are inevitable, and boards will continue to accept a certain degree of risk — with cyber just being one of many business risks. We may see this shift in attitude have an impact on the ransomware market, potentially with a ramp-up in destructive extortion attempts.
Small businesses will turn to managed security services, says Tyler Moffitt, OpenText Cybersecurity senior security analyst and community manager:
By 2025, managed security services will account for 40% of SMB cybersecurity spending. This shift will enable SMBs to leverage external expertise, bolstering their defenses with scalable and cost-effective solutions.
Automating cybersecurity will be key for SMBs in 2025. As attackers increasingly use AI to refine their methods, SMBs will adopt advanced AI-powered threat detection tools. These tools will help mitigate phishing, ransomware, and other evolving threats, enabling quicker and more accurate responses.
Cloud security and automation will drive the future of cybersecurity, says Adi Dubin, Skybox Security VP of product management:
In 2025, the focus on cloud security will intensify as organizations deepen their reliance on cloud infrastructure and adopt advanced tools to defend against increasingly sophisticated threats. At the same time, the shift toward proactive strategies — such as predictive threat modeling and risk management — will gain significant momentum, driving the need for greater expertise in automation, threat intelligence, and DevSecOps.
As network professionals are already spending up to 50% of their workweek on manual tasks, automation will become a key priority, helping to streamline processes and free up valuable resources. These trends, which have been growing steadily, will see broader adoption by 2025, underscoring the critical need for continuous upskilling in automation and other essential cybersecurity capabilities.
Vendor consolidation will increase, says Dave Gerry, Bugcrowd CEO:
In 2025, security vendor consolidation will accelerate in earnest. The operational inefficiencies that come with a fragmented security stack are hurting under-resourced security teams. Consolidating vendors reduces complexity and improves risk posture overall.
CISO and CTO partnership will grow in closeness and importance in 2025: Increased CISO involvement in AI safety and security—CISOs will own AI safety and security strategies in 2025. With the widespread adoption of AI systems, CISOs will be expected to defend and secure this new attack surface. CISOs must ensure that AI models are mapped out and mitigated properly.
The rise of unified cybersecurity platforms coming in 2025, says Marc Gaffan, Ionix CEO:
By 2025, the cybersecurity market will experience a significant shift toward unified security platforms that dissolve the traditional silos between on-premises, cloud and emerging technologies like AI. Organizations will increasingly adopt solutions that offer cross-environment visibility and management, enabling them to better assess and mitigate actual cyber risks. This convergence will lead to more efficient resource allocation and a more cohesive security posture across all technology stacks.
Shift from vulnerability CVEs and CVSS scores to exploitability: The industry will move away from prioritizing vulnerabilities based solely on their CVSS scores and the like and will instead focus on their exploitability and potential business impact. By 2025, cybersecurity strategies will emphasize contextual risk assessment, combining vulnerability data with exposure insights to identify the most critical threats. This shift will lead to more effective remediation efforts, ensuring that security teams address issues that pose the greatest risk to the organization rather than being overwhelmed by sheer vulnerability counts.
Cyber resilience will consolidate MSPs as companies rely on fewer trusted vendors, says Andrew Costis, AttackIQ engineering manager of the Adversary Research Team:
As the threat landscape grows more intricate, companies in 2025 will pivot from traditional cybersecurity to a focus on resilience. In Europe, regulatory pressure from the Digital Operational Resilience Act (DORA) will drive organizations toward consolidating managed service providers (MSPs), relying on fewer, more trusted partners for streamlined security. While consolidation might simplify vendor management, it also creates new risks if those fewer providers are compromised. Firms that don’t balance vendor trust with diversified controls could find themselves vulnerable in a world where resilience is the ultimate test.
More CISOs will go virtual, says Richard Marcus, AuditBoard CISO:
In 2025, we'll see more CISOs ditching their full-time positions and moving toward the "virtual CISO" (vCISO) role as beleaguered CISOs move away from full-time positions in favor of consulting. CISOs, who are already overworked, are now facing the threat of personal liability related to their jobs and are looking for flexibility and the potential for making high consulting income. However, vCISOs can’t give the time and attention in-house leaders can, which may lead to performance declines. Contractors lack the deep knowledge of an organization’s culture and could feel less ownership and accountability. The pendulum will likely swing back in the future with CISOs opting to return to work as companies realize they need to create a better work environment for full-timers and give them a seat at the executive’s table.
Businesses will bid farewell to BYOD, says Robert Haist, TeamViewer CISO:
I predict an uptick in enterprises rolling back Bring Your Own Device (BYOD) policies and requiring work to be done only on corporate-owned devices. Back in 2009, when BYOD first became a trend, it started because executives wanted to access email and corporate information on their personal devices. It was never a strategic move from an average worker need or enterprise security perspective. With the need for enterprises to harden their security procedures — in the wake of constantly evolving and costly cyber threats — business leaders are now listening to CISOs who recommend a rollback of the nearly two-decade-old BYOD trend.
Advice: CISOs will need to work closely with change management teams within businesses to educate leaders and all employees on why BYOD doesn’t make sense from a security perspective. While it will take time, it is critical in combating growing cyber threats.
In 2025, cybersecurity personnel will need a hybrid skill set, says Danny Brickman, Oasis Security CEO and co-founder:
The cybersecurity field will increasingly demand professionals who combine technical expertise with a strong understanding of business objectives. As the threat landscape grows more complex, organizations will prioritize candidates with a hybrid skill set—deep cybersecurity knowledge paired with expertise in risk management and regulatory compliance. This shift will be driven by the need for cybersecurity to be seamlessly integrated into broader enterprise strategies, shifting away from a siloed approach to one that aligns directly with overall business goals.
Risk quantification will be used to communicate cyber risk with the board, says Monica Landen, Diligent CISO:
Risk quantification will emerge as the strongest and most reliable tool for communicating cyber risk to your boardroom in 2025. Similar to how the insurance industry continuously improves risk assessment, security professionals must break down barriers and communicate how vulnerabilities in a tech stack can impact every part of the business. 2025 could be the year of more cross-organizational pollination to properly communicate cyber risks to the board. Security teams have historically been siloed, but if they can tie their challenges and successes to customer impact, sales pipeline, or product development, those barriers will deteriorate and the impact, positive or negative, of poor security will properly resonate with the board.