1. Prediction: The increasing use of AI will not alter the basics of cybersecurity strategies
“While several enterprises are looking for the next best AI solution in an effort to fight fire with fire, I am reminded of the famous Alphonse Karr quote, “The more things change, the more they stay the same.” As such, a better question is, “What do businesses stand to lose (i.e. what is the value at risk) from AI abuse and misuse?” And what portion of this risk can be addressed with current security capabilities? For example, is securing an AI agent from threats like spoofing, tampering, information disclosure, denial of service, escalation of privileges, actually novel? Does it require new investments to stand up a dedicated “AI” security stack? Similarly, consider that AI models consist of open source and first party code deployed on-premises, in the cloud, or both. Infrastructure, software pipeline, and supply chain security practices still apply. So again, the question is, do we really need a complete security rethink?
My recommendation is that security teams proactively address these evolving threats by developing robust threat models and establishing guardrails, essentially “secure by default” solutions. Ultimately, the key challenge lies in balancing the desire for rapid digital transformation with the imperative of safeguarding enterprise assets against potential AI-related abuses.”
2. Prediction: The “human factor” will be key to guarding against the increase in hackers leveraging AI for offensive attacks
“AI will enable bad actors to do what they have always done, but just faster. Just like defenders, they will use AI to automate software development and expedite the analysis of reams of data to discover plausible vulnerabilities and select and execute exploits.
One critical area for improvement lies in addressing human vulnerabilities, often referred to as “layer 8” in cybersecurity. Since humans are easily spoofed, it’s essential to implement stronger forms of multi-factor authentication and privileged access management. These measures can help mitigate risks associated with social engineering and wire fraud, which are likely to increase as attackers utilize AI for more sophisticated tactics.”
3. Prediction: In the next five years, AI-driven cybersecurity will enhance operational efficiency for defenders, but the human element will remain crucial in interpreting data and making decisions.
“Over the next five years, we can expect significant improvements in operational and capital efficiency for defenders, as AI continues to automate routine tasks and streamline processes. This will free security practitioners to focus on more complex challenges, particularly those involving “irreducible uncertainty”: situations where the risk cannot be fully understood through empirical data.
As the deterministic aspects of cybersecurity are automated, the role of experts will increasingly shift toward decision-making in uncertain scenarios. AI will aid in modeling these risks, but the effectiveness of these models will heavily depend on the expertise and assumptions of the security professionals using them. This means that while AI will enhance analytical capabilities, the human element will remain critical in interpreting data and making informed choices among plausible alternatives. Security professionals will continue to play a vital role in navigating complexities and uncertainties, underscoring the importance of their expertise in the evolving landscape of AI-driven cybersecurity.”
4. Prediction: Automation and orchestration will grow in importance in 2025 to centralize risk telemetry across cloud, endpoints, and IoT devices.
“Landing all your risk telemetry into one place will become common. Many organizations are already aggregating IT, OT and cloud-native risk data into security data lakes, including asset state and changes over time, along with threat and vulnerability intelligence. Note that telemetry consumption is not the same as risk measurement. At a minimum, assets must be normalized, and scores must be rationalized. From there, automation will enable organizations to measure operational efficiency in controlling attack surfaces and implement “policy-as-code” using AI copilots. AI-driven tools will drive down risk in both a capital and operationally efficient manner.”
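The "normalize assets, rationalize scores" step above is the part most teams skip when they pour telemetry into a data lake. The following is an added illustration, not code from the original post or any vendor: it takes constructed findings from three hypothetical sources (a vulnerability scanner on CVSS 0-10, a cloud provider using severity labels, an EDR tool on a 1-5 scale), maps their differing hostnames onto one canonical asset key, and rescales every score onto a common 0-1 severity so the per-asset view is comparable and explainable.

```python
"""Added example: normalize asset identity and rationalize severity scales
before treating aggregated telemetry as a risk measurement."""
from collections import defaultdict

# Constructed sample findings: three sources, three naming styles, three scales.
FINDINGS = [
    {"source": "vuln_scanner", "asset": "WEB-01.corp.example", "score": 9.8,    "scale": "cvss"},
    {"source": "cloud_csp",    "asset": "web-01",              "score": "High", "scale": "label"},
    {"source": "edr",          "asset": "Web-01.Corp.Example", "score": 4,      "scale": "1to5"},
    {"source": "vuln_scanner", "asset": "db-02.corp.example",  "score": 5.3,    "scale": "cvss"},
    {"source": "cloud_csp",    "asset": "db-02",               "score": "Low",  "scale": "label"},
]
DOMAIN = "corp.example"  # assumed default domain for short hostnames
LABELS = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2, "informational": 0.0}


def normalize_asset(name: str) -> str:
    """Map case and FQDN/short-name variants of a host onto one canonical key."""
    n = name.strip().lower()
    if "." not in n:
        n = f"{n}.{DOMAIN}"
    return n


def rationalize_score(score, scale: str) -> float:
    """Rescale a source-specific score onto a common 0..1 severity."""
    if scale == "cvss":
        return round(float(score) / 10.0, 2)
    if scale == "1to5":
        return round((int(score) - 1) / 4.0, 2)
    if scale == "label":
        return LABELS[str(score).lower()]
    raise ValueError(f"unknown scale {scale!r}")


def aggregate(findings):
    """Per-asset view: worst-case severity plus each source's contribution,
    so the number can be explained back to the source it came from."""
    view = defaultdict(dict)
    for f in findings:
        key = normalize_asset(f["asset"])
        view[key][f["source"]] = rationalize_score(f["score"], f["scale"])
    return {k: {"max": max(v.values()), "by_source": v} for k, v in view.items()}


if __name__ == "__main__":
    for asset, summary in sorted(aggregate(FINDINGS).items()):
        print(asset, summary)
```

The three web-01 records collapse into one asset with a 0.98 worst-case severity, while db-02's two records keep their source-level detail for review.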
5. Prediction: Cyber risk quantification (CRQ) will be a core organizational practice for most CISOs in the next five years
“Measuring risk is a core capability, not a product. As cybersecurity maturity grows, the integration of financial metrics with technical security data will become critical. The industry calls this “CRQ” but I call it cybersecurity risk management. You can’t extract quantitative measurement from the broader domain of cybersecurity risk management; they are one and the same. The good news is that the majority of CISOs will have CRQ capabilities in 2025, in part or wholly integrated into their cybersecurity risk management programs.”
6. Prediction: The relationship between CISOs, the C-suite, and boards will evolve toward more strategic collaboration, driven by a focus on economic and operational efficiency
“The CISO that focuses on economic and operational efficiency will be fast friends with business focused leaders. The modern CISO will see risk management as minimizing business impact without breaking the bank. It’s that simple in theory. In practice, the CISO must do this in a structured manner that is explainable to business stakeholders and executable by operators, which goes back to measurement as a career skill and core security capability. Clear, measurable communication will be essential, allowing CISOs to translate complex security strategies into actionable insights for business leaders. In short, our relationship with business folks who are focused on winning will be improved to the extent we adopt the right concepts, objects and methods of measurement. This approach will foster stronger partnerships with the C-suite, enhancing decision-making and driving business outcomes while managing cyber risk effectively.”