It’s that time of year again when we look ahead into the coming year and try to “predict” what the major threats will be, where the regulatory landscape will take us, and what the major cybersecurity narratives will be. Reflecting on lessons learned from 2024, it’s a crucial time to ensure we are prepared for the coming year and are aligned on the key priorities and skills needed to meet the evolving threat landscape.
In speaking with some of the industry’s most influential thought leaders, as well as tapping into our own team’s expertise, we got a glimpse into what organizations and CISOs can expect in 2025. Take a look and see what everyone had to say!
Prediction: “The Expansion of the CISO Role Beyond Technical Expertise”
By: Reuven “Rubi” Aronashvili, Founder and CEO at CYE
Prediction: “CISOs Will be Impacted by DORA and Need to Pay Attention to This”
By: Ira Winkler, VP and Field CISO at CYE
Prediction: “2025 Will See an Inflection Point for CISOs”
By: Tim Brown, CISO at SolarWinds
Prediction: “Critical Infrastructure Rises to Top Target in 2025”
By: Deb Radcliff, Author of “Breaking Backbones: Information Is Power. Book I of the Hacker Trilogy”
Prediction: “2025 Brings an Emergence of Cyber Risk Quantification (CRQ)”
By: Andrew Braunberg, Principal Analyst at Omdia
#1: The Expansion of the CISO Role Beyond Technical Expertise
Reuven “Rubi” Aronashvili, Founder and CEO, CYE
A key area of focus for CISOs in 2025 will be personal accountability. Growing regulatory scrutiny may bring legal, financial, and reputational risks directly to CISOs, making this a pressing concern, as well as a business risk. Consequently, CISOs will be personally accountable and will need to have continuous clarity around their organization’s financial cyber risk exposure so that they can take decisive action. This clarity is critical for communicating with stakeholders and ensuring informed, proactive decision-making across the organization.
In essence, the CISO role will expand beyond technical expertise to encompass strategic leadership, regulatory adaptability, and continuous and clear communication to the board, executive team, customers, and investors when an incident occurs.
I also fully expect security budgets to increase in 2025, and this is because cyber threats continue to become more sophisticated and relentless. We’re seeing a surge in ransomware, supply chain breaches, and insider threats, and with hybrid work, IoT, and multi-cloud environments expanding our attack surface, we can’t afford to be complacent. In addition, new technology such as GenAI will have a tremendous impact on risk exposure, and this will have to be continuously managed in CISOs’ risk management programs.
In addition, budgets will increase because boards will give security greater priority. However, more funding will also come with more scrutiny, and CISOs will need to present security in terms of how it impacts the business to receive the budget that they need.
The good news, however, is that boards and executive teams understand this now more than ever. They realize that cybersecurity isn’t just an IT issue; it’s a core business risk.
#2: CISOs Will Be Impacted by DORA and Need to Pay Attention to This
Ira Winkler, VP and Field CISO at CYE and Author of “You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions”
I’m going to take a pessimistic view. The reality is that companies that have previously looked at cybersecurity as an afterthought are not going to have the proverbial come-to-Jesus moment; they are going to look at a new regulation as just one of the new regulations.
I think what should happen is that if you are a CISO of a public company with regard to Securities and Exchange Commission (SEC) type of rules, you need to understand what your responsibilities are and how to cover your behind as best you can, especially with new rules coming into play. If you are involved in a multinational organization, and depending on if you’re in finance in the European region, you’re going to be impacted by the Digital Operational Resilience Act (DORA) and you need to pay attention to this. However, let’s be honest, we’ve had regulations coming and going for the last decade with regard to cybersecurity. It’s not like there’s this one new regulation that’s going to change the world. It’s an incremental change. It’s going to be a new form of compliance and new check boxes that you have to go through.
You’re going to have new things come into play, and you’re going to have to know how these things are impacting you. You’re going to have a new checklist or develop a master checklist and ask yourself, “I have these regulations, so where’s the overlap?” and “Now what do I have to add that’s not in the overlap?” Well, depending on the size of your organization, you probably have a good governance, risk, and compliance (GRC) team already in place that handles a lot of this. Just as a CISO has to be prepared to show documentation that they did everything right, a CISO has to be prepared to say, look, I went ahead, and if they put something on the website, here’s what I gave them. I didn’t tell them that we are the best organization in the world, or that we are immune from all incidents. I told them, we have this in play, and you need to just double check and protect yourself.
That being said, the SEC doesn’t broadly go after people. That’s a critical thing to understand. The SEC makes examples of people because they have a limited number of prosecutors, and they try to go in and go after people or organizations that they think will have the most impact on the rest of the industry. They are aiming to send a message. In sending a message, you want to make sure that it’s not going to be on me. And why is it not going to be on me? Because I did the best I could and documented everything, and there’s nothing in here that violates any law, as far as a reasonable person can tell you.
#3: 2025 Will Be an Inflection Point and Maturity Point for CISOs
Tim Brown, CISO of SolarWinds
In 2025, I see we are really at an inflection point. 2024 has really started to be a regulation year and 2025 is when we will figure out what kind of other rules might be in place and what they will mean. During this inflection and maturity, I see this as a place for the CISO role to mature and I think we have the opportunity to take advantage of that or just sit in the background. I think many are embracing it and are really going to become a more integral part of the company with the skills that are necessary to do so. I think this new-world CISO will really be about maturing with the role, people, and upskilling of employees across various areas. Overall, we will see more attention paid to cyber across the board. This is an important evolution in enhancing an organization’s security posture and capabilities.
#4: Critical Infrastructure Rises to Top Target in 2025
Deb Radcliff, Author of “Breaking Backbones: Information Is Power. Book I of the Hacker Trilogy”
War is going to create some unexpected challenges for IT systems, corporations, and critical infrastructure agencies. I believe a lot of the initial reconnaissance on our systems has been done already and threat actors are waiting to act when the time is right.
If cyber warfare happens, electronic warfare is going to follow. The question is who owns what and who has backdoors in what? Who has closed up their vulnerabilities in Domain Name Systems (DNS), Application Program Interfaces (APIs), cloud apps, etc.? I believe we have ghosts in our system waiting, watching, and probing and there may be a surprise attack in the next couple of years where they launch attacks on our public water systems, satellite systems, energy grids, etc. If you take a few of those down, then Winn Schwartau’s predictions about infowar will come to life. We have been sounding the alarm for years about critical infrastructure attacks, but I think we are much closer to that now than we have ever been.
In addition, we’re seeing attacks on infrastructure like we have never seen before, mostly out of China, Russia, and Iran. Take, for example, China’s recent attacks on the telecom industry. They are trying to get in and monitor all of our traffic. Specifically, they are trying to spy on their own nationals that are in different countries so that they can send hit men out for them and it’s really kind of scary. It’s mostly for information gathering, but what we are looking at is the systemic risk in our infrastructure.
They are going after routers and key elements that infrastructure agencies use to route traffic. I wrote in my book about this very scenario and in the book, they were using it to go after enemies of China. In the book, the attackers opened up all of these backdoors they had built into the networking hardware that ran the Internet. If you consider almost every tech we buy – whether it’s a Smartwatch, iPhone, or something else – it says it is assembled in China. A lot of this networking gear is from vendors sending parts of production, if not all of them, to China. I know because I have sat in the office of Cisco Systems, researching a big story on fake networking gear. These parts are being assembled in China, even down to the chips which can have backdoors, and you can’t scan chips for backdoors when you buy new hardware, right? So, we are looking at that becoming more of a risk in 2025 and we are just seeing the beginning of that now.
#5: 2025 Brings an Emergence of Cyber Risk Quantification (CRQ)
Andrew Braunberg, Principal Analyst at Omdia
Omdia expects 2025 to be an emergent year for the cyber risk quantification (CRQ) market. CRQ has been on a collision course with the proactive security market and particularly with exposure management solutions, which have emerged as platforms for managing operational cybersecurity risk management. CRQ vendors that have invested in attack surface and attack path management will be well positioned as these markets continue to overlap and increasingly compete for the same budget.
How Can Organizations Build Resilience for 2025?
As our experts and their trusty “crystal balls” have shared, high-profile breaches and attacks on critical infrastructure are pushing boards to ask tough questions about breach preparedness, especially as the boards themselves are becoming more and more accountable. In addition, regulatory pressure is ramping up. Opening the lines of communication between CISOs, other cybersecurity experts, and business leaders is one key way to help ensure compliance and a deeper understanding of these expectations.
Better communication between CISOs and boards means stronger alignment between cybersecurity and business strategy, more effective decision-making processes during incidents, and a more resilient organization overall. It’s not just about protecting the business—it’s about driving it forward, securely. Let’s work together as an industry to foster collaboration, foresight, and ethical practices to guarantee success in the year ahead.
Reach out to us on LinkedIn to share what you are seeing in your 2025 cyber crystal ball.