
13 Cybersecurity Predictions for 2025

By Greg Touhill

It’s that time of year when we reflect on the past year and eagerly look forward in anticipation of great blessings and successes to come. Last year, I shared a list of the top skills that CISOs would need in 2024. This year, I’m going to not only rely on my decades of experience as an information technology and cybersecurity senior executive and what I’ve learned leading the SEI’s CERT Division (one of the first organizations dedicated to cyber research and response), but I’m also going to channel the spirit of the nearby Punxsutawney Phil, that famous prognosticating Pennsylvania groundhog, to look into 2025 and forecast what we will likely reflect upon at the end of this year.

  1. The cyber poverty line increases. I define the cyber poverty line as the amount of investment required for an enterprise to fulfill the cybersecurity requirements spelled out in NIST SP 800-171. Numerous entities have tried to define a discrete dollar value that identifies the threshold of this so-called “poverty line,” yet there is no agreement on a precise figure. Nevertheless, there appears to be consensus that the costs associated with combating increasingly sophisticated cyber threats continue to rise. Small and medium-sized businesses (SMBs) are at a significant disadvantage and face increasing risks.
  2. Managed Security Service Providers (MSSPs) ascend to new heights. Given increasing cybersecurity costs, MSSPs will increasingly be seen as an attractive, cost-effective option, particularly for fiscally constrained SMBs desperate to reduce their cyber risk exposure. This will drive growth in the MSSP market yet might mask some customer cyber risk elements. MSSP offerings generally present black box capabilities with terms and conditions withholding the risk insights provided by traditional security controls such as independent third-party audits, pentesting, and red teaming.
  3. Artificial intelligence for cyber (AI4Cyber) continues to fail to meet needs and expectations. I’m not alone in having waited for well over two decades for Santa to deliver an effective, efficient, intuitive, secure, and affordable artificial intelligence capability I can use to defeat cyber attackers, referred to as AI4Cyber. While some claim progress has been made in the marketplace with certain capabilities, a holistic solution that meets my criteria remains on my holiday wish list in December 2025 and regrettably will probably remain there for a couple more years. Sadly, attackers are already using AI to great advantage, most notably in phishing attacks (see Fig. 5 in https://arxiv.org/pdf/2412.00586), so I have elevated AI4Cyber to the top of my 2025 holiday wish list.
  4. Cybersecurity for AI systems (Cyber4AI) remains deficient. AI capabilities are awesome, yet I’m finding that most of the AI capabilities being developed are focused on just getting them to work and into the marketplace as soon as possible. We need to do a much better job of incorporating cybersecurity best practices and secure-by-design principles into the creation, operation, and sustainment of AI systems. The AI Security and Incident Response Team (AISIRT)[ii] here at the Software Engineering Institute has discovered numerous material weaknesses and flaws in AI capabilities resulting in vulnerabilities that can be leveraged by hostile entities. AI vulnerabilities are cyber vulnerabilities, and the list of reported vulnerabilities continues to grow. Software engineers are trained to incorporate secure-by-design principles into their work. But neural-network models, including generative AI and LLMs, bring along a wide range of additional kinds of weaknesses and vulnerabilities, and for many of these it is a struggle to develop effective remediations. Until the AI community is able to develop AI-appropriate secure-by-design best practices to augment the secure-by-design practices already familiar to software engineers, I believe we’ll see preventable cyber incidents affecting AI capabilities in 2025.
  5. Ransomware criminal activity continues to feast on the cyber poor. Cyber criminals have been feasting on those who operate below the cyber poverty line. I expect they’ll grow fatter in 2025 as vulnerable entities, especially SMBs, small to mid-sized local governments, educational institutions, and non-profit organizations, struggle to maintain effective security controls in a hotly contested cyber environment where ransomware poses a potent threat with lucrative returns on investment for attackers.
  6. Virtual private networks (VPNs) remain juicy targets for nation states and cyber criminal groups. VPNs are often considered synonymous with secure remote access, much as Xerox has become synonymous with photocopying. VPNs arrived in the marketplace in the late 1990s around the same time as PalmPilots. While I have a PalmPilot on static display in my office, I don’t see a lot of people using one anymore because better products provide more effective, efficient, and secure capabilities. In the CERT Division, we continue to see numerous cyber incidents associated with compromised VPNs. 2025 is a good time to upgrade your secure remote access to more modern, software-defined technologies such as software-defined perimeters.
  7. The Balkanization of privacy laws and cyber regulations further increases the costs of doing business. The explosion of privacy and cyber laws and regulations has driven legal and compliance costs up in most businesses. Maddeningly, well-intentioned government entities have failed to harmonize their efforts into a cogent, unambiguous, singular, authoritative compendium of best practices. Until international, national, state, and local governments reach agreement, it’s reasonable to expect that your legal and compliance teams will maintain a level of heft that will add additional cost that “bytes” into your bottom line.
  8. Cyber supply chain insights remain stuck in a pea-soup fog of opacity. Most companies don’t know where their software comes from or who created it, and they can’t quantify their software risk exposure. Software fuels everything in our complex social, economic, and national security infrastructures, yet we don’t have sufficient insights into the cyber risk associated with our software. Examples are plentiful, such as the Unified Extensible Firmware Interface (UEFI) software[iii] that boots up our computers, our exquisite AI models and systems, and our financial and medical services; virtually every aspect of modern society relies on software whose data provenance is increasingly complex, opaque, and ignored. We’ve also seen cyber incidents via attacks against third-party software and software-enabled service providers such as SolarWinds and BeyondTrust. I suspect we’ll see copycat attacks in 2025—perhaps we’ll even be fortunate enough to detect them in time to thwart them.
  9. No end to the cyber workforce shortage. ISC2 has shone a spotlight on the growing cyber workforce gaps across the globe for many years, with many governments and companies creating grandiose plans on how to educate and train more people for the vacant positions. While these plans continue to introduce more people into the cyber-related professions, we have yet to declare victory, and pronouncements of significant progress are specious at best. Perhaps a lack of substantive progress in addressing the gaps during 2025 will inspire a relook as to whether we are treating symptoms and not developing a cure. The best strategy to solve this vexing problem seems to be to prioritize investments to produce better software-enabled products that are secure by design; are easy to install, configure, and operate; and require fewer high-skilled people to maintain.
  10. Secure by design starts to emerge as a market differentiator? I am hopeful that 2025 will see purveyors of software-reliant products and services, and their customers, recognize the intrinsic value of secure-by-design principles as validated by trusted, independent third parties as a positive market differentiator. The demand signal continues to grow as exemplified by the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirement for its suppliers[iv]. Nobody’s perfect, yet if a company can prove through a trusted, independent third party that it followed secure-by-design best practices in the development, fielding, and sustainment of their products and services, that could prove to be a powerful market differentiator that likely would be rewarded in the marketplace.
  11. The merger and acquisition (M&A) market heats up. The latter part of 2024 saw the tide rolling in for M&As of various cyber, data center, data brokerage, analytics, and AI companies by businesses eager to capitalize on the latest digital transformation punctuated by recent and anticipated advances in AI capabilities. In 2025, I expect the M&A market will significantly grow as established technology companies will energetically seek to acquire new and best-of-breed technologies, and other large companies will seek to transform their business through targeted, strategic acquisitions.
  12. Location will accelerate value. The old real estate cliché “Location, location, location” will have a powerful influence on the development of companies that seek to gain and maintain market share in today’s digital environment. For example, the explosive growth in demand for AI-fueled capabilities requires powerful, modern data centers. Data centers need access to cheap and plentiful water (for cooling), power, and communications, as well as talented and well-trained information technology technicians and highly skilled personnel in trades such as electrical work; physical plant operations and security; and heating, ventilation, and air conditioning. Similarly, my network of friends and interactions with my students indicate that the precious cyber workforce (which I believe includes traditional information technology, cybersecurity, AI, and data analytic personnel) isn’t motivated solely by money when choosing where and for whom they want to work. They are attracted by areas that boast vibrant cultures, terrific quality of life, affordable high-speed internet access, and a low cost of living. Areas such as the so-called Rust Belt can create their own renaissance in 2025 by investing wisely to attract the companies and technical workforce to spark a transformation and revitalization of their economies. The competition for these valuable companies and precious workforce is already underway, and those who act quickly will emerge victorious.
  13. Work from anywhere (WFA) will be a potent recruiting and retention tool. WFA is not a panacea, nor is it a good fit for every role in every organization. Nevertheless, it is an attractive perquisite to attract and retain talent. I’m familiar with several organizations in North America, Europe, and Oceania that expect their employees to be on site for three to five days a week for several months of the year, yet they offer their employees flexible WFA options during designated periods. Successful WFA policies must be based on a zero trust security strategy that goes well beyond technical architectures; zero trust principles must extend to personnel security, physical security, business processes and culture, and technology. Secure remote access, using the latest software-defined technologies, is essential. Virtual presence is literal absence, so before anyone is hired, face-to-face interviews must be conducted, references followed up, background investigations conducted, and a regular cadence of on-site, in-the-office, home days defined as a requirement for employment. Clear and unambiguous rules for what work can and cannot be accomplished when working outside of the physical corporate walls must be defined, acknowledged by the employee, and regularly audited. When you set clear expectations for in-person requirements and offer a generous and effective WFA option, you can be a market leader that can attract and retain the highest quality talent.

In reading this article, I hope you didn’t see your own shadow and shiver at the thought of a prolonged cyber winter during 2025. Rather, I hope this article provokes some introspection about the power and potential of existing and emerging technologies; the importance of incorporating secure by design into your products, services, and processes; how you can posture yourself and your organization for success; and how you can find and seize opportunities to make positive transformations that make the world a better place.

If you think I missed something or want to learn more, please feel free to reach out with suggestions by contacting me at info@sei.cmu.edu or check out our research at sei.cmu.edu.

Additional Resources

Read the blog post The Top 10 Skills CISOs Need in 2024.
