Start the year with security predictions, and make the best cybersecurity decisions for you and your organization. Dive into the predictions below and discover what the experts in the field foresee coming for security in the new year.
Risk Predictions
Comprehensive Third-party Risk Management in Business Continuity
Third-party risk will dominate business continuity planning as companies rely more heavily not just on SaaS and cloud providers but also on a complex web of APIs, partner integrations, supply chains, and third-party code. This intricate network means that disruptions from any single vendor—or even a single integration—will have ripple effects across operations, potentially impacting entire supply chains and revenue. To mitigate these risks, proactive, real-time monitoring of all third-party interactions will be critical, with companies demanding full transparency and accountability on performance and recovery plans from all their critical vendors and partners. – Mehdi Daoudi, CEO at Catchpoint
Permanent Hybrid Workforce Security
Many observers thought there would be a big return wave when everyone goes back into the office, but that is not happening. Hybrid work is here to stay, whether at big, midsize, or small companies. That poses a real challenge for IT teams to manage endpoint devices and ensure that everyone has a consistent experience no matter where they are working. – Doug Murray, CEO at Auvik
Introducing New Risks With A Wave of AI Agents
The emerging agentic AI market shows endless potential, especially for organizations that use the cloud to scale computing power and storage capacity to train and deploy complex AI models. CISOs focusing on cloud-first architectures will reap the benefits of increased productivity, better customer experiences, and more. Agentic AI also has the potential to help businesses keep their data and cloud apps more secure; imagine a future where AI agents automate threat detection while enhancing the speed of response and resilience.
However, if not implemented cautiously, agentic AI will also risk sensitive data in the cloud. As AI agents become more sophisticated and interconnected, they will likely lead to more security vulnerabilities and accidental data leaks. Savvy business and IT leaders will not let this hold them back from adopting agentic AI but rather drive them to establish guardrails, set up stringent data access policies, and clearly communicate organizational best practices. – Arvind Nithrakashyap, Co-Founder and CTO of cybersecurity at Rubrik
Software Architecture Complexity Will Challenge Security Posture Control
With AI and code generation becoming core to software development, we’re on the verge of unprecedented architectural complexity that will make traditional security posture control nearly impossible. By 2025, new forms of malware and open-source codebase vulnerabilities will emerge, and attackers will leverage AI to craft advanced, evasive malware. – Idan Plotnik, co-founder and CEO at Apiiro
Increased Importance of Browser Security
The browser is predicted to become even more central as a business application. As the browser evolves into the main interface for application delivery, securing browser access will become critical. This includes monitoring and managing browser activities to ensure they are secure from potential threats, making the browser a key point of focus for IT security efforts. – Marcel Calef, America Field CTO at ControlUp
Personalized Extortion Scams Will Become a Growing Threat
The rise of personalized extortion scams, where cybercriminals research their victims using publicly available information, will redefine social engineering attacks. These schemes will use family names, relationships, or past events to create tailored threats, such as claims of unpaid debts or fabricated legal issues, pressuring victims into immediate payment via cryptocurrency. As cybercriminals adopt increasingly sophisticated techniques to exploit personal data, individuals and organizations must strengthen digital hygiene and educate themselves on recognizing and responding to these high-pressure, emotionally charged scams. – Alex Quilici, CEO at YouMail
The MFA Funeral March
Let’s stop pretending – MFA is joining passwords in the security graveyard. While organizations desperately cling to their multi-factor security blanket, sophisticated threats are already walking right through these digital door locks like they’re made of tissue paper. The checkbox mentality of MFA is now officially more dangerous than helpful. – Ameesh Divatia, CEO of Baffle
Social Engineering Attacks Will Become More Sophisticated
Malicious actors will bombard organizations with highly effective spear phishing, business email compromise campaigns, deepfake voice and video calls, and other attacks, fueled by information taken from massive corporate data leaks and social media and analyzed and correlated using new technologies. To reduce risk, organizations should require identity verification of all individuals participating in financial transactions using strategies like tokens, authenticators or secret codewords. – Ilia Sotnikov, Security Strategist at Netwrix
AI Proliferation Means API Security Must become a CISO Priority in 2025
APIs form the backbone of nearly every generative AI application, from the apps we use daily to workplace tools and AI-powered assistants, every industry is touched. But as these APIs fuel innovation and business efficiency, they also open the door to increasingly sophisticated cyberattacks. This should leave enterprise IT leaders and risk professionals concerned, especially as cybersecurity increasingly becomes a board-level issue. In fact, the stakes are high: Gartner states that API breaches result in 10 times more leaked data than the average security breach. This underscores a critical reality —today’s security frameworks are no longer adequate to protect against the rapidly expanding attack landscape that AI is ushering in. To stay ahead of these growing threats, organizations must critically evaluate the intersection of their cybersecurity strategy and API deployment and identify gaps. – Rupesh Choski, SVP & General Manager, Application Security at Akamai
Regulation Predictions
Federal Cybersecurity Regulations
I believe that in late Q1 or Q2, 2025, an industry trade group will file suit to challenge key Federal cybersecurity regulations. My guess is it will start with the SEC’s proposed amendments to Regulation SCI. Cybersecurity regulations created under the umbrella of the Gramm-Leach-Bliey Act are at risk as well. Healthcare cybersecurity regulations tied to reimbursements under the authority of the Centers for Medicare and Medicaid Services (CMS) are another set of regulations that may be targeted.
A federal judge will grant an injunction that stops updates to Regulation SCI. The SEC’s position is given minimal weight by the court, substituting its own expertise and judgment over the law and factual issues, overruling the SEC and striking down the proposed rule. After 3-5 years of appeals, the issue makes its way to SCOTUS and the judgment is affirmed and the proposed rule is dead.
In addition, perhaps Congress responds by passing a clear set of laws that creates even more regulations and then IT and Security teams have to scramble to comply. Meanwhile, life continues for IT and Security teams who are already overwhelmed and simply want a clear set of rules. – Ed Bailey, Senior Technical Evangelist at Cribl
Security Budget Predictions
Security Resiliency Budgets
In the past year, we have witnessed ransomware attacks increase in sophistication, persistence, and frequency across industries, without an end in sight. Looking ahead, we should expect bad actors to continue ransomware campaigns and cyber attacks that often stifle a company’s ability to continue operating effectively. Today’s organizations are faced with two options: regularly evaluate the ability to defend against cyber attacks or risk losing business-sensitive information.
Moving forward, one of the highest business imperatives across organizations will be strengthening incident response and recovery. IT budgets have been traditionally calculated on economic efficiency when things are normal. To ensure business continuity, it’s important to budget for resiliency when something goes wrong. Strengthening cybersecurity principles and continuing to test them throughout the year allows leaders to trust that their practices are solid, robust, and capable of defending against emerging threats and bad actors looking to prey on vulnerabilities.
In 2025, we should expect business leaders to recognize that though it is not always possible to prevent a cyberattack, having a fully tested plan in place can be one of their most important assets. Organizations will work to better protect and recover their information and systems in the face of cyber events – in turn, minimizing the impact of an attack and facilitating a swift recovery. – Dale “Dr. Z” Zabriskie, Field CISO at Cohesity.
Investment Budgets Will Decrease in “Security Mature” Organizations for Generic Cyber Asks
New security investment uplift budgets will start tapering off from previous years for pure-play control or capability tasks. Accountability spotlights will shine higher on CISOs for ROI expectations to do more with what you have and consolidate security product sets. For any new investment requests, justification needs now be strongly tied to compliance, business revenue, or customer enablement objectives. – Nick McKenzie, Chief Information and Security Officer at Bugcrowd
Cybersecurity Evolution: Quantification of Risk & Tool Consolidation
CISOs will continue to struggle to quantify and articulate financial risks to fellow executives and board members.
Outcome-based value drivers have become increasingly disconnected from the license models of many security software tools. Many point solutions will face “rationalization” exercises in 2025 as cybersecurity teams look for opportunities to consolidate to providers with flexible commercial terms and multi-function platforms. Legacy companies will face scrutiny from years of underinvestment and exploitative pricing models.
We will begin to see renewed exploration of novel and more efficient ways of accomplishing critical tasks. Tool consolidation will increase as CISOs look to minimize the amount of third parties they manage and remove complexities around integration. – Andy Grolnick, CEO of Graylog
Cyber Resiliency Will Dominate Managed Services Conversations
As cybersecurity threats grow more sophisticated, the demand for comprehensive cyber resiliency strategies will skyrocket. Managed backup services will no longer be limited to operational recovery; they will evolve to include advanced disaster recovery and cyber recovery capabilities. MSPs will integrate tools that enable rapid restoration from ransomware attacks and ensure the integrity of critical systems. Customers will prioritize services that secure their data while reducing downtime during incidents, solidifying cyber resiliency as an essential managed services offering. – George Carter, Senior Vice President, Professional Services at Verinext
More Security News
