
10 cybersecurity predictions for 2025

AI will still be a hot topic in 2025, but don't miss out on other trends, including initial access broker growth, the rise of vCISOs, tech rationalization and more.

Every year around this time, industry experts and analysts look at the top cybersecurity trends, predictions and challenges for the next year.

Experts forecasted a rise in generative AI (GenAI) and large language models in 2024, as well as continued ransomware attacks and third-party supply chain challenges. These trends rang true as threat actors used GenAI to create more convincing social engineering attacks, customers of data storage vendor Snowflake experienced breaches and Change Healthcare was hit with a disruptive ransomware attack.

Let's look at what industry experts foresee for 2025.

1. CISOs step back from AI adoption

AI was all the rage in 2024, but don't expect adoption to continue as strong in 2025 -- at least not by security teams. In fact, Forrester Research expects adoption of GenAI for security use cases to see a 10% reduction in the coming year.

One barrier to adoption cited by the analyst firm's customer base is inadequate budget. Cody Scott, analyst at Forrester, said another reason adoption will be deprioritized by CISOs is that customers aren't seeing the benefit for security and are frustrated with the current AI experience.

GenAI and AI models are touted for their ability to automate rote productivity tasks in security, Scott said, such as for reporting and analysis, but they aren't providing much incident response yet.

2. Pressure to place guardrails around GenAI and AI models

The continued adoption of AI across the enterprise will result in an industry push toward developing regulations around safe AI use, said Melinda Marks, practice director of cybersecurity at Informa TechTarget's Enterprise Strategy Group.

"Security teams want to be proactive and get ahead of AI usage because -- like any innovative technology -- it's easy to get out of control," Marks said.

Securing code developed with GenAI is critical to keeping applications and sensitive data protected. Security teams know this and want to make sure they are early to set guardrails, Marks added.

3. Prepare for the rise of initial access brokers

The Deloitte Cyber Threat Intelligence team said it had witnessed a rise in initial access brokers (IABs) -- a trend it expects to continue in 2025.

IABs are threat actors or threat groups who sell access into victim organizations' networks to malicious third-party customers. IABs specialize in breaking into networks, not conducting the end attacks -- ransomware, data exfiltration or other attacks -- themselves. Purchasing access into an organization lowers the barrier to entry for threat actors because it enables them to conduct attacks without necessarily needing technical knowledge.

October 2024 alone saw nearly 400 instances of IABs listing illegal access to companies on underground forums, said Clare Mohr, U.S. cyber intelligence lead at Deloitte. Expect to see more attack campaigns using IAB offerings in the future.

4. Reliance on MSPs and MSSPs increases

Organizations will invest more heavily in MSPs and managed security service providers (MSSPs) to improve security resilience in 2025, said Maxine Holt, research director of cybersecurity at Informa TechTarget's Omdia.

"Organizations don't have the in-house resources, the skills [or] the expertise," Holt said. One area she expects MSPs and MSSPs to especially help is managing nonhuman identities, which include servers, mobile devices, microservices and IoT devices, among others.

The growth of nonhuman identities expands the identity landscape -- Omdia found nonhuman identities currently outnumber human identities 50-to-1. "It's just not possible to do everything in-house for most organizations," Holt said.

5. Time for tech rationalization

Security teams are facing a tool overload -- most have more than 30 on average, according to Palo Alto Networks -- which can be more of a hindrance than a help.

Max Shier, CISO at managed services firm Optiv, said he expects CISOs in 2025 to conduct security tech rationalization -- the process of evaluating an organization's security stack to maximize value and eliminate redundancies and inefficiencies. Tech rationalization can help organizations address tool sprawl and cut costs.

To start, Shier recommended companies determine their use cases and examine product roadmaps as part of the request for proposal process, whether they are buying new tools or signing license renewal agreements.

A few questions organizations need to answer include the following:

  • Do these tools or platforms assist with data security in a way that's relevant to the organization?
  • Are features the organization needs in the near future on the roadmap or still far off?
  • How mature is the current security stack, and will these tools solidify it?

Don't expect a quick transition, Shier added. It could take three to five years to see a difference in the number of tools, depending on license agreements.

6. Attackers show more patience before striking

Attackers aren't always in it for a quick hit. Some conduct long-gestating attacks, as evidenced by the Volt Typhoon attacks discovered in 2024. The Chinese nation-state threat group maintained persistent access to critical infrastructure targets for at least five years without taking action.

Expect more of these advanced persistent threats in 2025 and beyond, predicted Phil Lewis, senior vice president of market strategy and development at network security vendor Titania. Attackers will hack targets and remain dormant and undetected for extended periods of time, waiting until the time is right for attack.

These sophisticated attacks are difficult to detect and mitigate. Lewis said organizations should focus on cyber resilience over prevention because history has shown attackers won't be stopped all the time. He also recommended organizations implement microsegmentation to make lateral movement and data exfiltration more difficult for adversaries.

7. Rise in open source software attacks and legislation

The number of open source software attacks has grown rapidly, with supply chain management vendor Sonatype tracking more than half a million new malicious packages since November 2023.

The Open Source Security Foundation (OpenSSF), a community of software and security engineers, predicted open source software attacks will continue to rise in 2025.

Part of the challenge is developers aren't always trained in security, said Christopher Robinson, chief security architect at OpenSSF. And many organizations don't properly vet their applications, he added. Rather, they just "blindly take in components" that could subject themselves and their customers to vulnerabilities.

To mitigate issues, Robinson recommended requesting vendors' software bills of materials to understand the components of their software and conducting fuzzing, source code analysis and vulnerability scanning to assess software security. Companies and vendors should also report and share potential security issues to keep others and the open source community informed, he added.

As the number of open source supply chain attacks increases, expect regulations to follow. Robinson said OpenSSF is already working on open source regulation with the European Commission and has heard Japanese and Indian governments are considering similar legislation.

8. Lack of visibility across clouds hurts organizations

Cloud is commonplace in today's organizations. "I'll boldly claim a lot of customers have migrated to the cloud just to transition from Capex to Opex to better afford their infrastructure," said Jim Broome, CTO and president at MSP DirectDefense.

The migration to cloud has created visibility challenges for organizations that could hurt them in 2025, especially in multi-cloud environments. "Unfortunately, 99% of the time, organizations didn't move data from on-prem to the cloud right -- especially during the pandemic," Broome said. When the COVID-19 pandemic hit, employees were allowed to access and use sensitive data without much visibility and oversight by their organizations, and the problem was never fixed.

Organizations should work cloud security posture management into their budget to keep sensitive data across multiple clouds secure, Broome said. Stakeholders should also examine how secure the data within clouds is and consider adopting visibility and response capabilities, either from existing tools or platforms or new ones, he added.

9. Rise in vCISOs and CSO consultants

2025 might be the year CISOs choose virtual CISO (vCISO) or CSO consultant roles over full-time in-house roles.

"We've been hearing CISO is the 'chief scapegoat officer,' right?" said Jeffrey Wheatman, senior vice president and cyber-risk strategist at risk management vendor Black Kite. For example, SolarWinds CISO Tim Brown was named in the recent U.S. Securities and Exchange Commission's lawsuit against the vendor.

"They feel like they're not getting the support, or they're left holding the bag after a breach. Suddenly, they don't want the full-time deal anymore," Wheatman added.

Wheatman said many of his CISO and former CISO friends have recently begun looking into vCISO and CSO consultant roles.

A vCISO is a popular option for organizations without the resources to hire a full-time CISO. Some organizations might also need only on-demand assistance, such as providing a yearly strategy at the beginning of the year and returning quarterly to assist as needed -- something a CSO consultant friend of Wheatman is currently doing.

10. AI agents become targets of compromise

AI agents are AI-enabled software that perform autonomous decision-making and actions. As advanced chatbots, these agents can help customers get answers to questions they would previously ask customer service or help desk employees, or they can manage workflows and perform research to create hypotheses and analysis.

As more organizations implement AI agents, expect threat actors to also target them, said Shimon Modi, vice president of product management at real-time risk detection vendor Dataminr.

In fact, some attackers are already using AI agents against the companies deploying them, often in the form of prompt injection attacks. For example, an AI agent was duped into quoting an absurdly low price for a Chevy truck, and another was tricked into transferring someone $47,000 in cryptocurrency. In 2025, threat actors might swindle AI agents into leaking sensitive data or resetting a user's password.

To protect AI agents against such attacks, Modi said organizations should apply conventional security and governance principles and adapt existing playbooks to incorporate AI security. For example, organizations can apply vulnerability assessments and testing to AI agents, as well as use data classification to control what data AI agents can access and thus which requests they can perform.

Kyle Johnson is technology editor for TechTarget Security.
