Security Priorities 2025
Safeguard your organization by preparing for growing cybersecurity challenges.
Cyber threats are evolving rapidly. So should security priorities.
AI has transformed the security landscape, and in 2025, IT leaders will need to protect against increasingly savvy threat actors. From dealing with typical attack vectors, such as phishing and credential capture attacks, to limitless possibilities for new vectors such as deepfakes and quantum computing, IT leaders will have to move far past reactive security. They will need to balance their approach and spend across the triad of people, process, and technology in the year to come.
The Security Priorities 2025 report highlights five key areas of focus in the fast-evolving security environment.
Five priorities for the security agenda in 2025
Based on the results of our Info-Tech Future of IT 2024 survey and interviews, this report examines five key priorities that could transform your security efforts in 2025.
1. Operationalize AI Security
The era of AI is here. Are you ready to tap its potential?
The AI revolution promises great opportunities and risks for organizations seeking to improve their cybersecurity posture. In 2025, IT leaders will need to ensure that proper guardrails are in place to mitigate risk with AI adoption.
2. Strengthen Your Identity & Access Management Program
Safeguard your data with a modern approach to identity and access management.
AI has added a new tool to cybercriminals’ belts – making identity-based attacks easier than ever before and more compelling. Block cybercriminals’ advances with a modern identity & access management program built on zero-trust principles.
3. Build a Resilient Vendor Risk Management Practice
Establish a game-changing approach to mitigating third-party risk.
With new third-party breaches making the headlines at an increasingly worrisome rate, IT leaders know they must adopt a risk-based approach to vendor security. See the entire picture through to the finish line with stakeholder engagement and support.
4. Defend Against Deepfake Attacks
Perceptions of reality are evolving. So should your defense.
Deepfake attacks have altered reality – leaving employees in the dark about who to trust and where to turn in search of help. Shine a light on AI-powered attacks by developing a resilient incident-response plan powered by people, process, and technology.
5. Prepare for a Post-Quantum Era
Prepare now to protect against the technologies of tomorrow.
Advances in technology are bringing us closer to the post-quantum era: a time when encrypted data won’t be as protected as it is now. Threat actors are preparing now to accelerate their attacks with quantum computing – how will you meet this new threat?
Security Priorities 2025 Research & Tools
1. Security Priorities 2025 Report – A data-driven report that reviews five priorities for security leaders in the upcoming year.
In this report, we provide five key priorities for IT leaders to combat the evolving cyber threat environment.
- Operationalize AI Security
- Strengthen Your Identity & Access Management Program
- Build a Resilient Vendor Risk Management Practice
- Defend Against Deepfake Attacks
- Prepare for the Post-Quantum Era
Prepare now for the cyberattacks of the future with Security Priorities 2025.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- Overall Impact: 7.0/10
- Average $ Saved: $822
- Average Days Saved: 1
Client: Rautaruukki Oyj | Experience: Guided Implementation | Impact: 7/10 | $ Saved: N/A | Days Saved: 1
Testimonial: “No bad parts. I think this provided thought leadership to my Champions and my team and it did even make me think about the material in a new way.”
SECURITY PRIORITIES 2025
INTRODUCTION
Analyst Perspective
Safeguarding against current threats while preparing for emerging ones has evolved the security threat landscape.
The past year saw various emerging opportunities and challenges continue to evolve the cybersecurity threat landscape. Many technology trends were adopted, which helped security leaders better protect their organizations, but they added associated risks, which exacerbated organizations’ risk exposure. Organizations were at a crossroads of leveraging innovative capabilities to get ahead of the Exponential IT curve while addressing and responding to various business disruptors. The advent of artificial intelligence (AI) over the past few years has opened a plethora of opportunities for organizations to stay competitive within their industries through efficient implementation of the technology to boost productivity and create value-driven strategies. However, threat actors also looked to capitalize on the technology for their own motivation and expanded their attack vectors, which had organizations assessing the security of both leveraging and protecting against AI. This not only expanded the threat landscape but also contributed to the increased cost of a data breach, which rose by 10% from last year to USD 4.88M (“Cost of a Data Breach,” IBM, 2024). It is the largest increase since the pandemic and demonstrates the growing impact of security on organizations. Ransomware, another well-known attack vector, still appears to be the top threat for over 90% of industries (Verizon Business, 2024), which reflects its advanced capabilities as it becomes more prevalent through ransomware-as-a-service (RaaS) or extortion attacks. With over 80% of organizations compromised by at least one attack over the past 12 months, it is important to address the drivers for the increased incidents and understand what measures could be implemented to respond to the evolving threat landscape (CyberEdge, 2024).
In this year’s priorities report, we highlight five important security priorities security leaders should focus on for the upcoming year. We address the implications of these priorities, the benefits of adopting them, and the potential risks of not implementing them as part of your security strategy. We present applicable use cases where organizations adopted these priorities and the impact it had on their security program. We also discuss actionable next steps organizations should implement to spearhead the initiatives for each priority and provide resources to support the development of their strategy. Having these priorities in mind will ensure you are addressing the most pressing matters in cybersecurity through appropriate planning and execution to respond to threats and build a resilient cybersecurity program.
Ahmad Jowhar
Research Analyst, Security & Privacy
Info-Tech Research Group
Methodology
The security priorities were formulated through a multifaceted approach to ensure the most important security priorities are addressed.
Our security priorities for 2025 were derived through a comprehensive assessment of our annual Future of IT Survey, which asks IT decision-makers about their responses to emerging IT trends and how their organizations are addressing the opportunities, risks, and implications of emerging technology. Additional interviews were conducted with security experts to learn about their priorities, the current measures they have in place, and what areas they need guidance on.
FUTURE OF IT 2025 SURVEY
The Future of IT 2025 Survey was conducted between May and June 2024. The online survey received 970 responses from IT decision-makers across a broad range of industries and regions, with a focus on North America. Almost six out of ten respondents hold director-level seniority or higher. Each chart included in the report will specify the sample size received for the specific question or respondent group.
PRIORITIES INTERVIEW
In-depth interviews were conducted with IT leaders between August and October 2024 to collect insights on priority-making and agenda-setting for 2025. In total, 20 interviews with security subject matter experts were completed, with interviewees from industries such as healthcare, government, and higher education. The interviewees are from various continents and countries and have extensive security experience.
Cybersecurity is a continuing disruptor to the business
Cybersecurity implications can impact various business factors.
Cybersecurity has continued to be a major business disruptor to organizations. With the increase in the number of organizations impacted by cybersecurity incidents, stakeholders of all levels are concerned about security risks and implications and the measures their organization has in place to respond to these incidents. This is why cybersecurity incidents were one of the top three factors expected to disrupt the business within the next 12 months in this year’s Future of IT Survey (n=694). Even though they were behind talent shortage and AI, cybersecurity incidents continue to be a top concern year over year for IT leaders. The increase in well-known cybersecurity incidents such as ransomware and identity-based attacks, coupled with the advent of sophisticated capabilities from emerging technologies, showcases the severe implications of cybersecurity incidents as an ongoing threat to the business. With less than 50% of organizations identifying their cybersecurity program as “extremely advanced,” it’s evident that many organizations would have challenges keeping up with the evolving threat landscape (Splunk, 2024).
Although cybersecurity incidents were the third most disruptive factor to the business, cybersecurity impacts all other business disruptors. The talent shortage in cybersecurity is a reflection of the growing global IT talent shortage affecting various industries. The need to ensure the safety and security of AI technology while also defending against threat actors who leverage its capabilities further expands the impact of AI on the business. Various government-enacted regulations have been developed in response to the growing cybersecurity threat and use of AI, which resulted in organizations struggling to keep pace with changing demands. Changing customer behavior is also impacted by customers’ digital trust in organizations to secure their data and protect their reputation from any security risks. The updates to certain cybersecurity frameworks such as NIST’s CSF 2.0 have organizations working toward adhering to best practices. The advent of quantum computing and the risk of post-quantum cryptography showcases the impact of other emerging technologies besides AI and how organizations can respond and prepare for the post-quantum era. Even the ability to stay competitive within an industry relies on a mature security program to enable business growth and innovation. Cybersecurity can be disruptive to various factors impacting the business, and improving an organization’s security posture would have a profound effect on addressing the many business disruptors it’s challenged by.
IT spending is increasing, but where is it being invested?
Cybersecurity has been the top investment priority for many years.
As organizations continue to innovate through technological capabilities to grow and stay competitive, the spending on technology also needs to increase to meet demand. Many organizations agree, with over 75% indicating a spending increase to their IT budget for next year (Future of IT 2025 Survey, 2024). Furthermore, with over a quarter indicating an increase of more than 10% in spending, many organizations understand the importance of significant investment into their IT operations to drive business growth and meet customer demand. Security spending has also seen an increase over the past few years to respond to the threat landscape and industry changes. It has been found to outpace IT spend and annual revenue growth, with security as a percentage of IT spend increasing to 13% this past year, compared to 8% in 2020 (IANS Research, 2024). This could be attributed to many factors, such as an increased presence of cybersecurity experts sitting on the board, with 60% of organizations having at least one board of director member with cybersecurity experience (CyberEdge, 2024). It is evident that organizations are taking a proactive approach to address security challenges and increase their resources to efficiently respond to threats.
As 85% of organizations increased their cybersecurity budget in 2024, it is not surprising to continue to see cybersecurity solutions as the top investment priority in 2025 (PwC, 2024). Even with the advent of emerging technologies and improved capabilities of AI and cloud computing, cybersecurity is still at the forefront of IT leaders’ spending priorities to strengthen their security posture and support the business’ strategic goals. Furthermore, with only 8% of respondents from our Future of IT 2025 Survey indicating a decrease in investment into cybersecurity solutions, it is clear that for organizations to continuously improve and stay ahead of the technology curve, substantial investments in cybersecurity will need to be made. Improvements to their security posture would be eminent, and the increased return on their security investments will demonstrate the benefits of the solution. At a time when threat actors are becoming more sophisticated through the efficient development of attack vectors and support from state sponsors, organizations should prepare to efficiently increase their investment in cybersecurity to defend against today’s adversaries while preparing to protect against tomorrow’s threats.
Year of regulations and standards
New regulations and standards enacted due to emerging technologies and their security implications.
2024 can be remembered for many events that had an impact on society, from the various democratic elections that saw over four billion people vote to the 2024 Summer Olympics, which saw Paris as the host for the first time in 100 years. Many of these events had security implications that influenced their preparation and required ensuring the safety and security of individuals. However, 2024 can also be known by many security experts as the year of regulations and standards, with various countries and regulatory boards announcing new or revised regulations to promote improvement to an organization’s or country’s security posture. Both security and business leaders welcomed the enhanced security rules, which provide improved safeguard measures to address evolving threats. With 60% of executives attributing proper cyber and privacy regulations to effectively reducing risks, it is evident that these regulations and standards will help guide the cybersecurity improvement strategies for organizations while reducing their financial and reputational risks (World Economic Forum, 2024).
GOVERNMENT-ENACTED REGULATIONS AND BILLS
The US National Strategy: Along with the executive order on improving the nation’s cybersecurity enacted in 2021, the US government has developed a US National Cybersecurity Strategy, which will promote the “safe and secure digital ecosystem for all Americans.” Since its release in 2023, many of the strategies have gone into force this past year, including enhancing incident response plans and processes, defending against ransomware, and preparing for the post-quantum future.
Canada’s Bill C-26: Canada’s Bill C-26 aims to improve the cybersecurity posture of critical industries, such as transportation and financial institutions, and the services and systems that are crucial for telecommunication services. This act includes mandates for organizations to implement a cybersecurity program that meets the standards of the Critical Cyber Systems Protection Act (CCSPA) and develop appropriate risk mitigation steps to reduce supply chain risks.
European Union’s NIS2: This past October marked the deadline for EU member states to enact the Network and Information Security (NIS) Directive 2 into applicable national law. This directive was enacted in early 2023 and was developed to strengthen cybersecurity capabilities around critical infrastructure.
REGULATORY STANDARDS
NIST CSF 2.0 Framework: NIST’s Cybersecurity Framework (CSF) provides guidance to organizations on proactively managing their cybersecurity risks. The changes to the previous framework include an introduction to the “Govern” function, which includes categories such as cybersecurity supply chain risk management, the refinement of categories, and the addition of new subcategories such as strategic opportunities.
Training that goes beyond cybersecurity
Diversified training has been optimal to defend against an evolving threat landscape.
Investments in cybersecurity include not only the implementation of the right security solutions but also effective training and development that will equip your last line of defense with the confidence that they can protect your organization against adversaries. With the increase in cybersecurity talent shortages, exploring different approaches to meet your organization’s cybersecurity demands will enhance your employees’ security awareness, promote proactive security response, and improve the overall security culture through training and development. Addressing the security staffing shortage will also reduce the risk of cybersecurity incidents and their associated cost. In fact, investment in employee training was the top factor that reduced the average cost of a data breach, while a security skills shortage was the top factor that increased the cost of a data breach (“Cost of a Data Breach,” IBM, 2024). This inverse relationship showcases the impact of effective security training to not only address the security staff and skills gap but also reduce your organization’s risk exposure, including any financial and reputational implications.
Employee training and development also extends into improving their AI knowledge and skill set to effectively leverage the technology and its capabilities to drive business growth and innovation. Future-proofing your IT workforce with essential AI competencies will ensure your organization possesses appropriate business and technical skills to support the responsible, reliable, and effective adoption of AI. Coupling cybersecurity with AI training would build resilience in your organization’s security posture, as you will possess the necessary AI skills to proactively assist your cybersecurity operations. Understanding AI from a security lens would also foster the responsible use of AI with appropriate governance that incorporates the security and privacy of AI technologies. With over 60% of organizations anticipating AI will have a significant positive impact on cybersecurity, it is important to ensure applicable training and development is provided to both domains, which will help you stay ahead of the curve, reduce your risk exposure, and proactively defend against the threats of emerging technologies.
Breached organizations who were experiencing security staffing shortage: 53% (“Cost of a Data Breach,” IBM, 2024)
Moving from trends to priorities
Understand the security priorities by analyzing both how security leaders respond to trends in general and how specific security leaders responded in the context of their organization.
SECURITY PRIORITIES 2025
- 01: Operationalize AI Security
- 02: Strengthen Your Identity & Access Management Program
- 03: Build a Resilient Vendor Security Management Practice
- 04: Defend Against Deepfakes
- 05: Prepare for a Post-Quantum Era
Safeguarding your organization by preparing to respond to the growing cybersecurity challenges.
PRIORITY 01
OPERATIONALIZE AI SECURITY
Implement the right guardrails to help AI yield its potential.
- Establish a responsible AI governance structure
- Ensure the security and privacy risks of AI technologies are assessed
- Develop a plan to address and mitigate the risks of AI technologies
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
Author
Ahmad Jowhar
Contributors
- Douglas Albro, VP Information Systems, Ram Technology
- Keith Barros, CISO, Chapman University
- Gina Strickland, CIO, Miller Zell
- 3 anonymous contributors
- 970 survey completions from the Future of IT 2025 Survey
Last Revised: January 14, 2025