As 2024 comes to a close and we reach the midpoint of a decade that might generously be described as having so far been 'turbulent', I'd like to inject a note of positivity regarding the outlook for the second half of the 2020s.

Before you dismiss me as naive or irrationally optimistic, please hear me out. I'm not claiming that the cyber security threats facing CISOs and their teams aren't extremely problematic. On the contrary, threat actors are adopting AI to mount more complex and sophisticated attacks. This is a trend we can expect to continue in the second half of the 2020s.

But this is exactly why we cyber security professionals cannot afford to be immobilized by fear, uncertainty and doubt. To borrow a line from the Frank Herbert sci-fi epic Dune, “Fear is the mind killer.” And the broader business community must avoid paralysis too. What's clear is, the nature of today's threat landscape demands a united front.

To help allay fear, cyber security professionals can create a robust plan and a playbook of strategies that we can be confident will serve us well. With that in mind, I'd like to propose that CISOs and their teams focus on continuing to build three key attributes in 2025 and beyond: innovation, insight and influence.

Innovation is vital

Innovation is a vital element of the CISO playbook for 2025 and beyond. In the next five years, all analysis points to an escalation of cyber security threats driven by artificial intelligence (AI), and I firmly believe we must fight fire with fire. In other words, just as malicious actors have been quick to master and weaponise AI to conduct their attacks, AI can help cyber security teams build robust defenses.

Cyber criminals are already using AI to automate attacks, to identify vulnerabilities in corporate systems, and to create attacks that are more likely to evade detection. In response, cyber security teams should be using AI to proactively patch any points of weakness, to spot suspicious anomalies in traffic flows and user behaviours, and to stop them in their tracks. AI provides the bridge between security data and actionable knowledge at scale.

In short, smart cyber security teams will get AI working for them. They will tap into its analytical powers and automation capabilities to craft proactive and adaptive strategies that reduce their reliance on traditional rules-based detection and manual effort.

Insight matters

Insight matters because we need to recognize and acknowledge that cyber threats are changing. Ransomware, phishing, zero-day exploits haven't gone away – but increasingly, cyber security teams must also consider their approach to deepfake attacks, based on fraudulent but highly convincing images and multimedia files purporting to relate to real people.

The use of deepfakes by malicious actors is on the rise. In February 2024, Hong Kong police authorities reported that a finance worker at a multinational firm was tricked into paying out $25m to fraudsters who used deepfake technology to pose as the company's own chief financial officer in a video conference call. The firm was later revealed to be engineering giant Arup.

In May, Mark Read, the CEO of the world's largest advertising company WPP, became the target of an elaborate deepfake scam, in which fraudsters created a WhatsApp account with a publicly available image of Read and used it to set up a Microsoft Teams meeting that appeared to be with him and another senior WPP executive. In this case, the attempt to solicit money and personal data was unsuccessful.

Other firms will be targeted, as the underlying technology becomes more accessible and affordable for threat actors. According to IT market analyst company Gartner, by 2026, almost one-third of organizations (30%) will consider their current authentication or digital ID tooling inadequate to fight deepfakes.

With that in mind, during 2025, IT security teams must step up and play an instrumental role in helping to counter this kind of sophisticated social engineering attack, by educating executives and employees on the risk, training them to spot deepfakes, and putting advanced AI and machine learning capabilities to work on identifying and deterring them.

Security influencers

Ultimately, CISOs must continue to engage more broadly with the business to understand its priorities. The CISO's expertise and opinions must directly impact business strategy and they are important interlocutors in boardroom discussions about organizational risk.

Today's CISO is more frequently involved in strategic conversations and needs a sound understanding of overall business priorities in order to build programs that manage risk exposure effectively. In short, the role is expanding significantly as cyber attacks become an ever-more complex and prominent part of the overall enterprise risk picture.

This trend will see CISOs working more closely than ever with other senior executives, including those involved in overseeing finance, legal, HR and operations, as well as with those at the very top of the corporate hierarchy. A recent survey from Deloitte Global, for example, shows that one in five businesses worldwide now has the CISO report directly to the CEO, rather than the chief information officer.

According to the report's authors: “Today CISOs are not only protectors against outside threats, but key players helping their organization find success by integrating cyber considerations into the strategic decision-making process.”

I couldn't agree more. Innovation, insight and influence are just three elements of my own strategy for 2025 and beyond – others include inclusivity and imagination – but I believe they will go a long way in helping us to face the future with determination and a positive mindset.
