The first week of the year is an odd one. People stumble out of their holiday fog and warm up their work muscles. The faster you can get initiatives underway, the more time you’ll have for implementation and the sooner you’ll see results.
Where do you focus your efforts so you can motivate your team and get everyone pulling in the same direction?
You’ll need to address the emerging trends and persistent challenges of last year, plus new factors expected to impact cybersecurity in 2025. Frank Vukovits, Chief Security Scientist at Delinea, and I recently discussed the outlook for 2025 in the 401 Access Denied Podcast (scroll down to watch the video.)
Below are the top expectations that will define 2025, along with recommendations on how you can address them.
AI has lowered the bar for cybercriminals
Thanks to AI, phishing emails and translations are now so realistic-looking they can even fool the trained eye. Deep fakes, sometimes supported by state-sponsored hackers, are modifying images to look like a stolen identity, then using that identity to steal intellectual property. There’s so much recorded audio and video out there that it’s not difficult to create a virtual simulation of an actual person.
To do: Validating that people actually are who they say they are through identity assurance tactics like MFA is more important than ever.
Ransomware defense takes more than backup and recovery
Last year, we saw the shift from traditional, encryption-based ransomware to extortion, with attackers gaining credentials and then threatening to disclose information or sell it on to other criminals. As the value of cryptocurrency increases, we’ll continue to see criminals laundering it in exchanges with access brokers and other parts of the ransomware supply chain.
To do: Securely managing credentials and keeping access to least privileges remain foundational ransomware protection strategies.
AI governance for users, both human and non-human
Do you have a statement of responsible use for AI? Consider the human identities that are using AI scripts and models and make sure that only authorized people have access. Also remember that AI is adding to the explosion of non-human identities, with APIs and scripts running in the background that also need to be protected.
To do: Maintain and inventory of all AI agents, their access, and dependencies, just as you would for all machine and service accounts. Develop a responsible use of AI statement for your company to address how AI is used, including the use of customer data and training of AI models.
Changing compliance requirements
Compliance requirements change frequently and 2025 will be no exception:
- The Digital Operational Resilience Act (DORA) will take effect in January, with binding requirements for data encryption.
- PCI 4.0 will be required in April and must be fully considered during a PCI DSS assessment.
- Cybersecurity Maturity Model Certification (CMMC) will become mandatory for U.S. Department of Defense contractors, meaning they will need to achieve a specific CMMC compliance level to be eligible for new contracts.
- Five new U.S. states are implementing data privacy laws in 2025, bringing the total to 18 state privacy laws.
To do: Assess how well you align with changing regulations. Even if you’re not bound by legal requirements, they provide a best practice framework for cybersecurity and risk management. Most compliance frameworks share common requirements for identity security, including authorization, authentication, and governance. If you are looking for a place to start, the new NIST Cybersecurity Framework (CFS) 2.0 guidelines are a great resource.
Solution consolidation vs. belt and suspenders
Enterprises have multiple technology tool stacks across multiple clouds and SaaS applications and end up with too many differences in security controls. The goal for 2025 is to reduce complexity. Nirvana is consistent security controls across IT environments.
Many believe we’ll see vendor consolidation and a reduction in redundant or unused technology. Why pay for more than one tool that does the same thing? However, we’re also seeing worries about availability, which is encouraging people to purchase multiple solutions that solve the same use case, for layers of defense.
For sure, IT and security teams will see further integration of their job roles and responsibilities, which means solutions need to support multiple users across horizontal use cases. Identity security platforms will break down siloes across IAM controls, authorization, and risk management.
To do: Make sure any cybersecurity solution you purchase is easy to use and open to integration and orchestration.
Handling stress and burnout are just as important as buying the next software
We all know that there are not enough cybersecurity professionals to keep up with the threat actors. Plus, many are getting burnt out from long hours and fighting battles. Automation can help us do more with less, but it can’t solve all problems. For the past few years, we’d said that our industry needs to focus on mental health—this is the year to actually do it.
To do: Check out organizations like Cybermindz and Sober in Cyber. Take care of your people and yourself in the new year.
Onward for a productive and cyber-safe 2025!
Transform your cybersecurity team into a business enabler
