Threats have become more sophisticated, unpredictable and harder to pin down. Attackers don't just exploit technical weaknesses – they target human behavior, organizational blind spots, and even regulatory loopholes. From spear phishing and deepfake fraud to misinformation generated by artificial intelligence (AI), cyber criminals are using emerging technologies to launch attacks with precision and ease. This means the old playbook of relying solely on technical defenses isn't enough anymore.

Organizations need a shift in mindset: prioritizing secure human behaviors, leveraging technologies like GenAI, and addressing business risks as much as external threats. Cyber security must be not just tech-savvy but also human-centric.

CISOs should also consider the following trends when planning their security strategies for the near future.

The Rising Cost of Malinformation

In 2024, one of the more subtle yet critical challenges that emerged was the rise of malinformation – deliberate misinformation aimed at manipulating and destabilizing. Battling misinformation and reputational threats is becoming a top-line issue for all. By 2028, organizations will spend over $500 billion annually addressing malinformation, with impacts felt across marketing and cyber security budgets alike.

Deepfake fraud, social engineering, and AI-driven scams are driving the need for enterprise-wide programs led by CISOs. Companies must prioritize investments in resilience measures such as chaos engineering to prepare for these challenges.

Zero-trust principles under pressure

Zero-trust has become a cyber security cornerstone, but its application has limits. By 2026, 75% of organizations will exclude legacy systems and operational environments from zero-trust strategies due to their unique constraints.

Adapting zero-trust principles to non-IT systems, like production lines or older platforms, will be critical for organizations looking to expand their defenses while maintaining operational efficiency.

Shifting responsibilities for CISOs

Cyber security leaders are facing increased accountability. By 2027, two-thirds of Global 100 companies will extend directors' and officers' insurance to their cyber security leaders, reflecting heightened scrutiny on their roles. Clarifying the CISO role and aligning it with regulatory expectations is vital to manage these risks effectively.

Merging insider risk and data security

Insider threats remain a significant challenge, particularly in an era of remote and hybrid work. By 2027, 70% of organizations will combine data loss prevention and insider risk management with identity and access systems. This integrated approach will help businesses better identify and mitigate potential threats while simplifying their security frameworks.

GenAI: A quiet revolution

GenAI is set to make a practical but measured impact on cybersecurity operations. By 2028, AI-driven solutions will allow 50% of entry-level cybersecurity roles to be filled without requiring specialized education, helping organizations bridge talent shortages. In addition, organizations integrating GenAI into employee training programs and security workflows could see up to a 40% reduction in employee-driven incidents by 2026. While GenAI offers promising tools for improving efficiency and education, it should be viewed as a complement to, not a replacement for, broader security strategies.

Decentralizing application security

As low-code and no-code tools grow in popularity, application security is moving closer to the teams building the software. By 2027, 30% of organizations will empower non-technical professionals to manage aspects of app security, supported by new roles like “application security product managers.” Providing these teams with the right resources and training will be essential to maintaining robust security practices in a more decentralized environment.

Navigating the Hurdles

2024 underscored the growing personal and legal stakes for cyber security leaders. As the threat landscape evolves, the lessons of 2024 underline the critical need for organizations to be agile, innovative, and human-focused in their strategies. While the potential of GenAI is undeniable, its success will hinge on careful governance and targeted use. At the same time, the growing impact of threats like malinformation and personal liability underscores the need for new tools, strategies, and insurance protections.

Ultimately, cyber security in 2025 will require security and risk management leaders to act decisively and collaboratively. Those who embrace this complexity and prioritize building secure behaviors within their teams will be the ones who stay ahead and succeed in 2025.

Deepti Gopal is director analyst at Gartner.
