
Top cyber security trends that will impact this year

By Richard Watson-Bruhn

Information Week

13 February 2025

From COVID-19 to war in Ukraine, and more, the past five years have brought cyber security to mainstream attention.

The US Department of Defense recently hosted an international exchange on shaping the cyber security workforce, following the publication of its 2023 strategy to align the department's efforts to identify, recruit, develop, and retain a data-literate and technology-adept cyber workforce. These actions, among similar developments globally, provide insights into some of the challenges that CISOs and cyber security teams will face in the coming years.

In practice, 2025 is likely to see growing importance of and demand for CISOs. The growing threat of global and regional political instability, paired with the increasing capabilities of violent extremist organisations and crime groups seeking to cause harm, means that access to data will become a key component of global power for both state and non-state actors – all of which will require greater vigilance from cyber teams.

Another trend driving cyber threats is the technological arms race. Driven by advances in quantum computing and artificial intelligence, the race between cyber exploiters and victims has further intensified. Cyber security and AI are now bipartisan national security issues and crucial components of America’s competitive advantage. Simultaneously, increasing tools and incentives for cyber criminals and advanced persistent threats (APTs) will continue to raise the stakes for private sector firms. The rise of zero-day attacks only further highlights the evolving tactics of cyber adversaries, and CISOs must remain vigilant to protect their organisations.

This is set against a shift in the current political landscape in the US, with the incoming administration potentially marking a significant change in the cyber security demands on firms as they seek to reduce red tape.

Here’s a look at the top cyber security trends that will shape 2025 and beyond.

1. Navigating SEC cyber security disclosure rules

In 2024, new SEC cyber security disclosure rules led to a significant increase in the public reporting of incidents. However, the often-vague nature of these disclosures and their limited detail on impact left investors seeking greater clarity.

While the incoming administration may consider rescinding these requirements to reduce regulatory burdens, it is more likely that the current status quo will persist through 2025. CISOs should take a proactive approach by analysing disclosures made in 2024 to understand how they were received and pre-plan the level of disclosure their organisation is prepared to make. This will help mitigate risks and ensure transparency while complying with existing requirements.

2. Understanding AI’s complex role

Artificial intelligence will remain a focal point for cyber security teams in 2025. AI’s adversarial uses, as highlighted by the FBI at RSA in 2024, include creating undetectable malware, automating reconnaissance, and executing deepfake scams. Simultaneously, organisations are pursuing the ‘AI dream’ to unlock significant business benefits, often without fully considering security implications.

To ensure safe usage of AI technology, CISOs must engage at the planning stages of adoption to ensure security is integrated rather than treated as an afterthought. Boards now expect clear strategies to address AI-related risks, including sophisticated phishing and social engineering attacks enabled by AI.

CISOs must balance fostering innovation with maintaining robust security measures. They can do this by investing heavily in protecting their digital systems, physical assets and workforce from adversaries. By implementing software solutions capable of detecting cyber threats, restricting access to buildings, and safeguarding sensitive employee information, CISOs can take the necessary steps to fortify their defences.

3. Strengthening security culture to mitigate human error

Despite technological advancements, human actions – whether through unintentional errors or deliberate breaches – remain a primary cause of security incidents. In fact, up to 95% of successful security attacks result from human error.

As technical solutions alone are insufficient to protect organisations, fostering a robust security culture becomes essential. Embedding security awareness and proactive behaviours into the organisational culture ensures that every employee understands their role in safeguarding sensitive information and digital assets. This human-centric approach provides a vital first line of defence, empowering individuals to act as security champions and take a proactive role in mitigating associated risks.

4. Adapting to AI regulations

State-level AI regulations in the US will present significant challenges for CISOs in 2025. States such as Colorado, California, and Utah have already passed private-sector AI rules with varying effective dates, creating a complex compliance landscape. The absence of a pre-emptive federal approach means that organisations must navigate a patchwork of reporting, assessment, and governance requirements.

Fortunately, frameworks like NIST’s AI RMF and ISO 42001 offer a common foundation for compliance, enabling organisations to demonstrate their commitment to ethical and secure AI practices. Preparing for these requirements, along with global mandates such as the EU AI Act, will be a critical focus for cyber security teams in the coming year.

5. Preparing for post-quantum cryptography

The release of NIST’s post-quantum encryption tools marks a pivotal moment for cyber security planning.

The “harvest now, decrypt later” strategy employed by adversaries underscores the urgency of transitioning to post-quantum cryptography. Organisations must define multiyear strategies to implement these new standards to safeguard sensitive data against future quantum threats. Early adopters of post-quantum cryptography demonstrate not only technical readiness but also a commitment to customer data protection. CISOs who act decisively in 2025 will position their organisations as leaders in cyber security resilience.

As we look ahead to 2025, the challenges facing CISOs and cyber security teams are complex and multifaceted. From navigating SEC disclosure requirements and managing AI-related risks to strengthening security culture and preparing for post-quantum threats, proactive planning and strategic action are essential.

By staying ahead of these trends, organisations can strengthen their defences, protect critical assets, and maintain trust in an increasingly interconnected and digital era.

This article was first published in Information Week.
