Our 2025 Cybersecurity & Compliance Predictions, from AI to Zero Trust
2024 was a banner year for high-profile cybersecurity incidents. In May, Sean Atkinson, Chief Information Security Officer (CISO) at the Center for Internet Security, told me that 2024 was already on track to have “the most vulnerabilities ever identified in a single year.” The 2025 cybersecurity incident landscape isn’t likely to slow down.
With the stage set this year (more powerful tech, more critical information being shared, and swelling international tension), we expect 2025 to continue this unfortunate trend. With decades of experience working various roles in the IT security and compliance space, I’ve witnessed the evolution of cyberthreats firsthand. It’s more complicated than ever to remain compliant and stay secure at scale.
In this article, I’ll share my top ten security and compliance predictions that I believe will define 2025 across industries and around the world.
Table of Contents
- The 2025 Cybersecurity Landscape at a Glance
- The AI Arms Race Will Level-Up Attack & Defense
- A Regulatory Balancing Act Will Keep Everyone On Their Toes Across Industries
- The Zero Trust Shift Will See Real Investment
- The Quantum Threat Will Change the Game for Modern Encryption
- Ransomware Will Get More Targeted & More Personalized
- IoT Will Expand Your Attack Surfaces Faster than Ever
- Supply Chains Will Come Under Increased Scrutiny & Attack
- The Cyber Insurance Marketplace Will Hit its Stride
- The Cybersecurity Skill Gap Will Widen
- Resilience, Not Just Responsiveness, Will Set Up Organizations for Success
- How to Get & Stay Prepared for 2025 Cybersecurity & Compliance
The 2025 Cybersecurity Landscape at a Glance
In 2025, businesses and the digital technologies they use to stay ahead will have to evolve at a rapid pace. We predict 2025 in cybersecurity will be characterized by an increase in AI (for attack and defense), an accelerated shift toward zero trust security, and increasing attack surfaces with the expansion of the Internet of Things (IoT), among others.
An apparent ransomware attack on CDK Global that hit auto dealerships, the Snowflake breach that exposed huge volumes of customer data, the faulty CrowdStrike update that led to thousands of blue screens at airports around the world, and even incidents with limited impact like the XZ Utils backdoor all highlighted the growing risk posed to information technology across industries.
AI alone will have most businesses grappling with bigger questions than any year in recent memory — and that’s before considering the ways organizations are likely to expand their digital footprints to keep pace with global demand.
On top of those comes a never-ending barrage of cyber threats that spawn faster and evolve in more complex ways than ever. To ward off an increasingly sophisticated community of threat actors, we’ll need to innovate faster than the threat landscape itself.
The AI Arms Race Will Level-Up Attack & Defense
The lightspeed rise of artificial intelligence (AI) is transforming entire industries — and unfortunately, this includes the cybercrime industry.
They say you must “fight fire with fire,” and we'll need to do just that to stay ahead of AI-powered attacks like highly targeted (spear) phishing emails, sophisticated malware, and large-scale reconnaissance efforts. Our methods need to be faster and capable of thwarting an AI-powered attack. I anticipate many organizations will invest heavily in AI-driven security solutions to maintain the upper hand over the cybercriminals that are making similar investments of their own.
A Regulatory Balancing Act Will Keep Everyone On Their Toes Across Industries
Governments around the world are continuously ramping up laws intended to protect the data and privacy of their citizens. With this goal, they must guide organizations toward best practices by establishing minimally acceptable standards of operation. This has resulted in large-scale complexity amidst a labyrinth of compliance standards that already exist today.
Noncompliance is not an option. Regulatory standards like DORA, GDPR, NIS2, CMMC 2.0, and Sarbanes-Oxley (SOX) put noncompliant companies at risk of huge fines and reputational damage.
Expectations aren’t going to lessen if data breaches and unplanned outages continue to occur. Much like AI itself, compliance will evolve to include more stringent requirements and stronger enforcement.
You can expect future measures to be more considerate of this complexity by aligning with well-established frameworks like NIST and security best-practice standards like the CIS Benchmarks.
The Zero Trust Shift Will See Real Investment
Zero trust is a simple philosophy: no user or device is inherently trustworthy. How many times have you opened a phishing test email link? With the ongoing blend of remote and onsite work, organizations will continue to enforce strict access controls and continuous authentication to reduce the attack surface.
Achieving zero trust security starts with a cultural shift and an investment in identity and access management (IAM) solutions — but I believe this is a worthwhile investment.
The Quantum Threat Will Change the Game for Modern Encryption
Quantum computers are super-powered computers that will be able to crack the encryption algorithms we currently use to protect sensitive information. Quantum technology may reach that point in as little as the next five years.
Cybercriminals are already involved in data hoarding, where they collect and store stolen data now for use in the future when the right technology or opportunity arises.
In 2025, we’ll need to use encryption methods that are resistant to potential future attacks from quantum computers as this threat will rapidly evolve.
Ransomware Will Get More Targeted & More Personalized
I have no doubt that ransomware attacks will continue to plague organizations in 2025 — but with a more insidious twist. Smarter cybercriminals will employ advanced social engineering tactics to target specific individuals or organizations with highly personalized attacks.
It’s a given that AI will help with this effort, pulling information from across the web to support ransomware campaigns. Security basics will continue to run defense: multi-factor authentication (MFA) configuration and enforcement, patch management, and employee training against human error.
IoT Will Expand Your Attack Surfaces Faster than Ever
The growth of IoT creates an enormous attack surface. Cybercriminals can exploit vulnerabilities in these devices to launch large-scale attacks, such as distributed denial-of-service (DDoS) attacks or data breaches.
In 2025, organizations will need to boost IoT security with stronger configurations, regularly updated firmware, and segmented IoT networks away from critical systems if they want to avoid an all-too-common breach.
Supply Chains Will Come Under Increased Scrutiny & Attack
As I mentioned previously, the technology supply chain has come under closer regulatory oversight — and for good reason. Reliance on common solutions like CDK Global and CrowdStrike caused high-profile outages in 2024, with the effects felt by thousands of organizations and their customers around the world. Vendors may have privileged access to a company’s digital vault of data and sensitive information.
In 2025, organizations will seek to improve resilience by stepping up their vigilance regarding their supply chain. I predict that they’ll be keeping a much closer eye on any weak spots in their vendors’ cyber policies and execution (directives and regulations like NIS2 call specifically for supply chain protections). Due diligence and zero trust are going to be key for handling any cyber threats 2025 has in store, and your supply chain isn’t exempt.
The Cyber Insurance Marketplace Will Hit its Stride
The demand for cyber insurance is on the rise as companies try to reduce the financial damage from data breaches, ransomware attacks, and other cyber incidents. While cyber insurance can’t make you compliant or improve your reputation after a breach, it will provide some measure of financial comfort for organizations impacted by cybercrime.
Just as car insurers expect that keys won’t be left in the ignition, cyber insurers will seek exemptions from coverage for policyholders that do not demonstrate due diligence. Expect stricter policy expectations for basic security hygiene, with payouts limited to organizations that adhere to them, as insurers work to contain growing losses.
The Cybersecurity Skill Gap Will Widen
The cybersecurity industry continues to face a severe shortage of skilled professionals, which prevents organizations from effectively responding to emerging threats. This shortage will continue into 2025, leading to additional emphasis on ways to increase the efficiency and effectiveness of security and compliance activities through automation.
Resilience, Not Just Responsiveness, Will Set Up Organizations for Success
As we put a bow on the final days of 2024, it's obvious that existing efforts to prevent cyberattacks aren't enough. Organizations must use every weapon in their arsenal to withstand attacks. But not everything that causes disruption is criminal: human error, flawed software updates, and poor practices throughout the technology stack can all result in devastating outages. This broad range of potential incidents requires organizations to create a solid response plan, practice that plan regularly, and invest in robust tooling to increase the agility of their cyber defenses.
But in 2025, it won’t be enough to just be responsive or prepared. Weathering the cyberattacks and vulnerabilities of 2025 will mean focusing on building resilient IT that can bounce back quickly after an incident. If you can’t revert configurations, rebuild systems, and restore access quickly, you’ll be stuck in a loop of waiting for the next thing to fix.
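The ability to revert configurations quickly depends on first knowing which settings have drifted from your baseline. The following script is an added illustration, not code from the original post or from Puppet: it checks an sshd_config-style file against a small hardening baseline (the directive names and values are a constructed subset of common hardening settings, not a full CIS Benchmark), reports every directive that is missing, commented out, or set to the wrong value, and produces a corrected file. The config text and baseline are constructed sample inputs embedded in the script.

```python
"""Constructed example: detect and revert drift in an sshd_config-style file.

Not Puppet code; a stand-alone illustration of baseline enforcement.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed hardening baseline (a small subset, not a full benchmark).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed sample config showing three kinds of drift: a wrong value,
# a directive commented out (so sshd falls back to its default), and a
# directive missing entirely.
SAMPLE_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 4
"""

# Matches an optionally commented "Directive value" line.
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z][A-Za-z0-9]*)\s+(.+?)\s*$")


def effective_settings(text: str) -> Dict[str, str]:
    """Return the directives actually in effect, keyed by lowercase name.

    Commented lines are ignored and, as sshd does, the first active
    occurrence of a directive wins over later duplicates.
    """
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or m.group(1):  # blank, comment, or not a directive
            continue
        settings.setdefault(m.group(2).lower(), m.group(3))
    return settings


def find_drift(
    text: str, baseline: Dict[str, str] = BASELINE
) -> List[Tuple[str, str, Optional[str]]]:
    """Return (directive, expected, actual) for each baseline violation.

    'actual' is None when the directive is absent or commented out.
    """
    current = effective_settings(text)
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            drift.append((key, expected, actual))
    return drift


def remediate(text: str, baseline: Dict[str, str] = BASELINE) -> Tuple[str, bool]:
    """Return (corrected_text, changed).

    The first occurrence of each baseline directive, active or commented,
    is rewritten in place so the setting takes effect at that position;
    later active duplicates are commented out; missing directives are
    appended. Running it twice yields no further change (idempotent).
    """
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    done = set()
    out = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        name = m.group(2).lower() if m else None
        if name in wanted and name not in done:
            key, value = wanted[name]
            out.append(f"{key} {value}")
            done.add(name)
        elif name in wanted and not m.group(1):
            out.append(f"# {line.strip()}")  # disable a later duplicate
        else:
            out.append(line)
    for name, (key, value) in wanted.items():
        if name not in done:
            out.append(f"{key} {value}")
    new_text = "\n".join(out) + "\n"
    return new_text, new_text != text


if __name__ == "__main__":
    for directive, expected, actual in find_drift(SAMPLE_CONFIG):
        print(f"DRIFT {directive}: expected {expected!r}, got {actual!r}")
    fixed, changed = remediate(SAMPLE_CONFIG)
    print("changed" if changed else "already compliant")
    print(fixed)
```

The two-step shape (report drift, then apply a corrected state) is what makes the check safe to run on a schedule: the report alone is a detection signal, and the remediation is idempotent, so re-running it after an incident restores the baseline without churning files that are already compliant.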
How to Get & Stay Prepared for 2025 Cybersecurity & Compliance
A proactive and adaptive approach to security and compliance is going to be mandatory in 2025. By adopting AI-driven solutions, prioritizing zero-trust principles, and increasing efficiency through automation, organizations can mitigate risks, improve resilience, and safeguard their digital assets.
I trust that 2024 has been a good year and hope 2025 brings peace and prosperity to you and your family. The team at Puppet feels blessed to have helped so many of you throughout the year with your infrastructure security and compliance requirements.
If your holiday ‘wish list’ still includes a platform that supports 24/7 security, you can learn more about Puppet’s Security Compliance Enforcement.