3 cybersecurity predictions for 2025

Will service as software, agentic cybersecurity and automated remediation reach their potential in 2025? Read up on what analyst Tyler Shields has to say.

I've been writing prediction articles for well over a decade and a half. I always dread the process because it's so easy to fall back on the easy-button answers: Cyber M&A will increase, AI will dominate the cybersecurity landscape, threats will increase by X% and so on.

These aren't meaningful predictions. Predictions should press the edges of expectations, be aggressive and decisive, and have an equal chance of missing the mark and landing squarely in the bull's-eye.

With this in mind, here are my top three cybersecurity predictions for 2025.

Software as a service becomes service as software

Let me start this first prediction off by stating that I live three to five years in the future, and the end state of this prediction is that far out.

An excellent pair of articles from Foundation Capital -- "AI leads a service-as-software paradigm shift" and "A system of agents brings service-as-software to life" -- discuss how agent-based AI will transform SaaS into service-as-software businesses.

The articles are spot-on from a future perspective and include a framework to support the vision. SaaS took traditional on-premises software models and reworked them into an online-based deployment approach available on the internet. Service as software goes one step further and digitizes services traditionally executed by humans. Everything from sales processes to bug hunting and security assessment services will move to an agent-based model delivered on top of SaaS-based systems of record. There are a lot of nuances here; I recommend you read the articles to grasp the specifics of this transition spanning five-plus years.

So what does this have to do with 2025 predictions? In 2025, the path to service as software begins with the collection, centralization, normalization, deduplication and building of a record system for all unstructured data. The cybersecurity version of this is the broad data collection capabilities being built into five areas: endpoint security, cloud and application security, identity security, data security and security operations.

While the specific areas are debatable -- I'm still not sure which will dominate -- I don't think we'll ever get to the point where a single cybersecurity tool does everything. At the end of the day, the unification of systems of record for collecting broad data sets creates an environment where buyers will see a decrease in the number of tools they have to purchase to secure their environment as the platforms expand to embrace the value of the services being delivered.

AI won't take over cybersecurity in 2025. I don't even think we'll see that to any degree three years from now. But the path to AI- and agent-based cybersecurity is clear, and 2025 will begin the era where we learn about the centralization of cyberdata providing the first glimmer of hope into actually improving the day-to-day life of cybersecurity operations teams.

Agentic cybersecurity begins a slow ascent to reality

ChatGPT recently turned 2 years old. The emergence of this new technology demonstrated the primary usable value prop for generative AI, ushering in a new way to create and search.

So much has changed over the past two years, yet little has made its way to providing value for security leaders. We are still early in the AI lifecycle. Innovation in this space takes time; we're just starting to see security products with AI features that buyers are excited about. The problem with AI in cybersecurity is that we haven't been able to create a system of output that makes sense. Without the ability to fix issues faster, discover threats in near real time and break down silos between technologies, AI in cybersecurity is just another cool idea.

Enter AI agents

AI agents are autonomous agents that learn and perceive data about their environment -- in other words, they consume and build context. They can take complex tasks and break them down into manageable chunks, passing these smaller operational nodes off to dedicated execution agents. Agents are the enablement of action in the AI chain.

2025 will be the year agentic cybersecurity begins its slow ascent to reality. Many issues are causing headwinds for agentic cyber, making the adoption curve a long and windy uphill battle. Limiting factors for agentic cybersecurity adoption include the following:

  • Data collection and ability to access usable context. Agentic cybersecurity requires knowledge of a broad set of data. That data set has only recently come together in cybersecurity data fabric offerings. Agentic cybersecurity requires that threat data, vulnerability data and asset data be analyzed holistically and in context with each other. 2024 was the year this data collection approach became a reality, but there's still a long way to go before we can operationally support this new approach.
  • Trust and acceptance of the results. Cybersecurity professionals are naturally skeptical of new things. They have been taught to question trust boundaries and ensure things operate as intended. Mistakes result in compromises. It will take time for cybersecurity leaders to accept the nondeterministic nature of AI in their technologies. Just as it takes time to trust a newly hired cyber analyst to make intelligence decisions when resolving issues, agentic AI will face a similar trust curve. This trust will grow in 2025 and demonstrate enough value to security leaders that 2026 will be set up for execution success.
  • Regulation and compliance might create hurdles to advancement. This issue is tightly coupled with the previous bullet. If too many mistakes are made during the ramp phase of cyber AI, there is a real chance that regulators and compliance leaders get involved. If they can't trust security leaders and AI-backed security technologies not to make mistakes, they will build a framework that enforces a maximum level of risk acceptance. Hopefully, we won't see this happen too much in the wild, but if it does, 2025 is likely the year that it will come into play.

The year of automated remediation

I believe 2025 will finally be the year cybersecurity vendors realize their buyer demand has changed so much that they must completely rethink how they approach business and the products they bring to market. Many vendors will have to tear the house down to the studs and remodel completely to remain relevant in the future.

For example, companies such as Wiz, Oligo Security, OX Security, Contrast Security and others are recreating the definition of what it means to be an application security vendor. Cloud and security operations are being rethought by Palo Alto Networks, CrowdStrike, Wiz, Trend Micro and others. Innovation is required to remain competitive and to enable security teams to be successful.

The old way of doing business won't work in five years. It won't be possible for cybersecurity companies to offer a few different scanners or incrementally perform slightly better than the competition and expect to win. They must have a complete platform offering.

Last-generation technologies all focus on vulnerability discovery, and most don't provide any understanding of asset, threat and infrastructure context. This updated context is required to make smarter decisions in prioritization, as well as creating automation that actually gets things fixed. Security can't just throw issues over the wall any longer. Cybersecurity as a business must provide real value and do it with an eye on operationalizing the output in novel ways dictated by modern user experiences.

2025 is the year automated remediation based on broad context and a deep understanding of user needs becomes a reality. Cybersecurity leaders are looking to mitigate risk, and automated remediation is a requirement to get there. Our industry has spent the last two decades focused on finding more issues, and we have reached a point of diminishing returns. In 2025, we will see a drastic shift to getting things fixed faster and more accurately. Automation is the only way to solve the high volume of issues we've built up and handle the backlog of work that needs to be accomplished.

2025 is the start of something special

2025 will mark a cybersecurity turning point. We stand at the edge of a mountain of change, and if we look up to the snowy peak, we can see a flag that needs planting. Massive data collection, AI analysis, automated remediation and cyber agents of execution all point toward a new approach to actually fixing the problems that cybersecurity has been unable to eliminate for the last two decades.

It won't all be fixed in 2025, but the year will mark the time in which we laid the foundation for a better approach to cybersecurity. And in the next 10 years, I expect us to build on top of that foundation, making real progress toward a more secure cyber landscape.

I wish each of you a wonderful remainder of 2024 and a highly successful and secure 2025.

Tyler Shields is a principal analyst at Informa TechTarget's Enterprise Strategy Group. He has more than 25 years of experience in cybersecurity technologies and markets, with emphasis on vulnerability management, risk analysis, threat identification and offensive security technologies.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
