Arvind Nithrakashyap, Co-Founder and CTO Rubrik

“The emerging agentic AI market shows endless potential, especially for organisations that use the cloud to scale computing power and storage capacity to train and deploy complex AI models. CISOs focusing on cloud-first architectures will reap the benefits of increased productivity, better customer experiences, and more. Agentic AI also has the potential to help businesses keep their data and cloud apps more secure; imagine a future where AI agents automate threat detection while enhancing the speed of response and resilience.

However, if not implemented cautiously, agentic AI will also risk sensitive data in the cloud. As AI agents become more sophisticated and interconnected, they will likely lead to more security vulnerabilities and accidental data leaks. Savvy business and IT leaders will not let this hold them back from adopting agentic AI but rather drive them to establish guardrails, set up stringent data access policies, and clearly communicate organisational best practices.”

Brad Jones, CISO, Snowflake

“Last year, there was a lot of talk about cybersecurity attacks at the container layer — the less-secured developer playgrounds. Now, attackers are moving up a layer to the machine learning infrastructure. I predict that we’ll start seeing patterns like attackers injecting themselves into different parts of the pipeline so that AI models provide incorrect answers, or even worse, reveal the information and data from which it was trained. There are real concerns in cybersecurity around threat actors poisoning large language models with vulnerabilities that can later be exploited.

Although AI will bring new attack vectors and defensive techniques, the cybersecurity field will rise to the occasion, as it always does. Organisations must establish a rigorous, formal approach to how advanced AI is operationalised. The tech may be new, but the basic concerns — data loss, reputational risk and legal liability — are well understood and the risks will be addressed.”

Glenn Chisholm, Chief Product Officer, Obsidian Security

“Historically, attackers gained initial access to networks through the endpoint; the sheer amount and diversity of these devices made them a prime target. But, that’s not where the data is anymore. I expect identities to represent an increasingly frequent point of attack as these threat actors evolve their efforts and attention to where the biggest payout is: the data within cloud-based SaaS and PaaS applications.

There have been more SaaS breaches in the last 6 months than the prior 2 years combined; and these compromises are generally identity-based attacks. With single sign-on (SSO), once an identity is compromised, attackers can use that one credential and its privileges to move laterally and access additional data through connected services. That is a massive haul, making every identity an attacker can obtain that much more valuable.

The key takeaway is that the next wave of threats will be targeted at SaaS identities, since they—combined with SSO—make lateral movement free.”

Peter Lees, Head of Solution Architecture APAC at SUSE

“2025 isn’t the year to hope for the best—it’s the year to prepare for the worst. Cyberattacks have become a relentless certainty with ransomware already accounting for 11% of all cyber incidents, and with the nation’s new Cyber Security Act mandating ransomware payment disclosures within 72 hours, the stakes have never been higher. Boards now face an unenviable balancing act—pay a ransom and risk reputational, governance, and financial damage, or refuse and grapple with operational paralysis.

In response, the nation’s Cyber Security Act, the new Cyber Incident Review Board (CIRB) looks to offer a glimmer of hope. These no-blame panels promise to turn hindsight into actionable foresight, dissecting breaches to uncover lessons that could reshape how we respond to cyber threats, meaning, we could see CIRB’s findings influence not just future national policy but also reshape how organisations strategise, mitigate risk, and recover.

For organisations however, this past year has sent a clear message: the dream of tech consolidation, betting it all on one provider, doesn’t just limit innovation—it raises costs, reduces productivity, and ultimately magnifies risk. We’ll see organisations shed the illusion of IT consolidation and embrace a best-of-breed approach with vendors at the big end of town forced to follow suit or be rapidly left behind. Flexible, open architectures allow businesses to sidestep sub-par solutions, perform at their best, and defend their operations with the right tools for them. This shift won’t just be about patching vulnerabilities—it’ll be about creating systems that thrive under pressure, adapt on demand, and bounce back stronger than ever.”

Dan Berte, Director of IoT Security, Bitdefender

“2025 will be a pivotal year for Internet of Things (IoT) security driven by multiple certification programs including the U.S. Cyber Trust Mark, CSA Verified, and EU RED addendum. These initiatives aim to help secure billions of IoT devices along with associated apps and platforms targeted by threat actors across homes, businesses, and critical infrastructure. A recent report found that an astounding 99 per cent of exploitation attempts on IoT devices use previously known and fixed vulnerabilities (CVEs).

While these initial efforts to establish security guidelines and basic requirements for IoT manufacturers are a significant step forward, it will take years—and multiple revisions—before they evolve into standards capable of addressing the full scale of today’s security challenges.

The private sector will play a critical role in this journey through policy workshops, collaboration with governments, and ongoing research, helping to set industry benchmarks that will complement formal security frameworks and standards.”

Shain Singh, Principal Security Architect, Office of the CTO, F5

“Business continuity and recovery are entering a bold new chapter, powered by automation, intelligence, and an urgent need to outpace evolving cyber threats. AI isn’t just revolutionising backup and restoration with lightning-fast precision—it’s also transforming the cybersecurity landscape. In 2025, we’ll see AI systems uncover zero-day vulnerabilities at breakneck speed. The catch? Attackers are using these same tools to automate exploit development, raising the stakes for organisations to adopt advanced defensive measures.

But that’s only the tip of the iceberg. As AI technologies like LLMs gain traction, ensuring their integrity will become paramount. From prompt injection attacks that manipulate AI inputs to model poisoning where attackers taint training data, the risks are as cutting-edge as the solutions they aim to undermine. Left unchecked, these threats could lead to harmful outputs, security bypasses, or even leaks of sensitive information.

To stay ahead, businesses must embrace cyber-resilient architectures, automated disaster recovery testing, and specialised tools to monitor and safeguard AI systems. New security standards tailored specifically for AI will also emerge, helping organisations navigate these uncharted waters. These measures won’t just minimise downtime—they’ll redefine resilience, turning threats into opportunities to innovate and adapt.”

Rajesh Ganesan, President of ManageEngine

“Managing cyber risk at all levels of the workforce—not restricting it to just the top organisational level—should be a priority for security leaders in 2025. This involves the democratisation of cybersecurity, making everyone in an organisation responsible for its defence. The benefits go beyond stronger security and increased resilience; they can lead to cost savings, better efficiency, and even innovation in security practices.

To make this work, organisations must move beyond traditional once-a-year training sessions. Continuous security engagement programs are essential, along with giving employees access to the right self-service tools and resources. This is crucial because the biggest challenge to democratising security is poorly equipped employees and ill-defined processes.”