In 2025, there will be a shift in cybersecurity focus as companies examine how they address the operational demands involving the ever-present threats from bad actors.ย Many companies will renew their emphasis on organizational resilience and prioritize it over third-party software. They will strengthen their in-house security frameworks to withstand threats.
Minimizing external dependencies for cybersecurity resilience will represent an elevated ownership model requiring new levels of automationโand not all AI-related. I expect to see in-house security teams adopt automated workflows to help them streamline their threat detection, incident response, and vulnerability management procedures. The new level of automation will help alleviate overworked security teams.
I also see vulnerability exploitation persisting as an ever-present attack vector. Because of this, companies will place a greater emphasis on asset management, pay more attention to CVEs, and timely patching. Companies will decrease their tolerance for unpatched systems and pivot to a rapid remediation policy to mitigate risks.
Finally, in 2025, we will witness an expansion in company-wide cybersecurity awareness, which will yield more training programs and leadership engagement. There will be a much-needed top-down cybersecurity awareness culture that will stimulate all corporate levels to be diligent and mindful of their daily routines. This trend will integrate cybersecurity awareness into every aspect of the organization and daily routines.
In 2025 organizations will need to know as much about their own operations as the threat actors can (and do) know about us, this raises the level of interest in tools and operations that deliver new levels of telemetry.
With all this data weโll need new and innovative ways in which to understand it, leading to the application of AI and ML in our cybersecurity work. It means new levels of vulnerability visibility, more efficient tools for asset and patch management, but also more awareness of threat actor activity aligned to our organization – either by characteristics or our organizations (size, geography, industry, etc.) or defensibility of our organizations (external facing vulnerabilities, social engineering training, as examples).
2025 should be the Year of the SBOM (Software Bill of Materials).ย We MUST know as much about our own software – AND all third party software we deploy on our own behalf – as we do about our endpoints, servers and VMs.ย Developed software is also laced with vulnerabilities we must manage.ย We need SBOM tools to shine a light on those vulnerabilities, and we need plans to either remediate those vulnerabilities against a policy or understand how to put in place compensating controls so we can tolerate them before we can get to a full remediation. And itโs also time to go deeper on e-mail security (the last line of defense in social engineering protection) by layering capabilities beyond those offered by the e-mail providers.
The good news is we are seeing MUCH MORE executive level support for cybersecurity awareness and investment.ย I am seeing top executives getting personally involved in cyber communications and even going so far as to engage directly with individuals who raise our risk levels through their lack of cyber awareness.ย We can look forward to a much lower tolerance level for employees and third parties who do not align with our maturing cybersecurity policies in the future.
