6 considerations for 2025 cybersecurity investment decisions

Cybersecurity professionals have good reason to worry about a constantly shifting threat landscape. From malicious actors' growing use of artificial intelligence (AI) to an ever-expanding attack surface, risks keep evolving, and defenders have to keep pace with them.

Despite a period of cybersecurity budget growth between 2021 and 2022, this growth has slowed in the last few years, meaning that cybersecurity leaders need to carefully consider how their purchases improve their current security and compliance posture.

To optimize the organization’s cybersecurity budget in 2025, leadership needs to consider the current landscape and what initiatives help them appropriately mitigate risk.

AI may be the Terminator for your credentials

The current AI models may not autonomously say in a deep and accented voice, “I’ll be back.” However, bad actors increasingly use generative AI, from large language models like ChatGPT to voice and video synthesis tools, to produce deepfakes and convincingly written lures that improve their social engineering campaigns.

While the old security motto was “trust but verify,” the zero trust adage is “never trust, always verify.” As malicious actors leverage AI and Large Language Models (LLMs), social engineering campaigns become more realistic, enabling attackers to mimic real people’s voices, faces, and writing styles.

For example, cybercriminals can easily feed content from a CEO’s social media profile into an AI then use a prompt to “write in the style of” the individual. With phishing emails sounding more legitimate, people struggle to distinguish real messages from fake ones.

With the latest White House Executive order aiming to increase US development opportunities in AI, American companies may be able to outpace some bad actors, but people can no longer trust their eyes and ears. And with the rise of less expensive yet competitive models like DeepSeek, malicious actors will be even more likely to incorporate these into social engineering campaigns.

As attackers often use social engineering and phishing to steal credentials, organizations need identity strategies that inventory every user and baseline each one’s normal behavior: where, when, and from which devices they usually sign in. Without that baseline, spotting the anomalous activity that follows a credential compromise is nearly impossible.
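One concrete form of the behavior baseline described above, as an added example that is not part of the original article: a small detector that learns each user's usual countries, devices, and sign-in hours from historical successful sign-ins, then scores new sign-ins for deviations (new country, new device, off-hours, and two sign-ins from different countries inside a short travel window). The log format, field names, and the two-hour travel window are assumptions for the example, and both log extracts are constructed, not taken from any real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in logs (not from any real system).
# Format assumed for this example: timestamp,user,country,device,result
HISTORY = """\
2025-01-06T09:12:00Z,alice,US,laptop-a1,success
2025-01-06T13:40:00Z,alice,US,laptop-a1,success
2025-01-07T08:55:00Z,alice,US,laptop-a1,success
2025-01-07T10:02:00Z,alice,US,phone-a2,success
2025-01-08T09:30:00Z,alice,US,laptop-a1,success
2025-01-06T07:45:00Z,bob,DE,laptop-b1,success
2025-01-07T07:50:00Z,bob,DE,laptop-b1,success
2025-01-08T08:05:00Z,bob,DE,laptop-b1,success
"""

NEW_EVENTS = """\
2025-01-09T03:17:00Z,alice,BR,win-unknown-7,success
2025-01-09T08:00:00Z,bob,DE,laptop-b1,success
2025-01-09T09:05:00Z,alice,US,laptop-a1,success
2025-01-09T09:10:00Z,bob,CN,laptop-b1,success
2025-01-09T11:00:00Z,svc-backup,US,srv-09,success
"""

# Two successful sign-ins from different countries closer together than this
# are treated as physically implausible (assumed threshold for the example).
TRAVEL_WINDOW = timedelta(hours=2)


def parse(text):
    """Turn the CSV-style log extract into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, device, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country,
            "device": device, "result": result,
        })
    return events


def build_baseline(events):
    """Per-user profile of normal behavior, built only from successful sign-ins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "hours": set(), "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["ts"].hour)
        b["last"] = (e["ts"], e["country"])  # most recent successful sign-in
    return base


def score_event(e, baseline):
    """Return the list of reasons an event deviates from the user's baseline."""
    if e["user"] not in baseline:
        return ["unknown_user"]  # no profile at all: cannot be judged normal
    b = baseline[e["user"]]
    reasons = []
    if e["country"] not in b["countries"]:
        reasons.append("new_country")
    if e["device"] not in b["devices"]:
        reasons.append("new_device")
    # Off-hours: more than one hour away from every hour seen in history
    # (midnight wrap-around is ignored to keep the example short).
    if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
        reasons.append("off_hours")
    last = b["last"]
    if last and last[1] != e["country"] and e["ts"] - last[0] < TRAVEL_WINDOW:
        reasons.append("impossible_travel")
    return reasons


def detect(history_text, new_text):
    """Score new events in time order; returns (user, timestamp, reasons) tuples."""
    baseline = build_baseline(parse(history_text))
    findings = []
    for e in sorted(parse(new_text), key=lambda e: e["ts"]):
        reasons = score_event(e, baseline)
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
        # Only advance the "last seen" pointer; the learned sets are left alone
        # so an attacker's new device or country does not silently become normal.
        if e["user"] in baseline and e["result"] == "success":
            baseline[e["user"]]["last"] = (e["ts"], e["country"])
    return findings


if __name__ == "__main__":
    for user, ts, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

On the constructed data this flags alice's 03:17 sign-in from an unseen country and device, bob's China sign-in 70 minutes after one from Germany, and the service account that has no human baseline at all; alice's later, ordinary sign-in is not flagged. In production the sets would be learned over a rolling window and the scores fed to whatever identity platform enforces step-up authentication, but the shape of the check is the same.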

Sales of initial access methods expand attackers’ capabilities

Malicious actors will continue to focus on vulnerability exploitation as a primary method for gaining initial access. Once bad actors identify a vulnerability to exploit, they can use slightly different attack paths that begin with the initial security weakness.

When zooming out and looking at the cybercriminal ecosystem, the initial access problem makes even more sense. Across the dark web, cybercriminals increasingly focus on their own niche specialties. For example, initial access brokers (IAB) focus on gaining access to target systems then selling the access on the dark web or in Telegram channels. Whether they sell access related to vulnerabilities or stolen credentials, the ecosystem makes it easier for unsophisticated cybercriminals to deploy more sophisticated attacks.

For the medium and large organizations that attackers are more likely to target, risk mitigation means cutting off both kinds of access being sold: patching externally exposed vulnerabilities quickly, and rotating passwords more frequently and across a wider set of accounts, with immediate rotation of any credential suspected to be exposed.

Knowing who and what connects to networks remains critical

Identity is now – and will remain – the nucleus of security. While organizations may have insight into their human users and identities, they increasingly struggle with managing non-human identities, like service accounts.

Machines talking to machines and the identities used across applications have exploded to ten, or even twenty, times the number of human accounts. Recognizing this, malicious actors increasingly target machine-to-machine and application-to-machine identities as attack vectors.

The problem becomes more complicated as sprawling environments obscure where these identities live. Technology debt, clutter, and unclear access routes create additional opportunities for attackers. Malicious actors know they can take advantage of multiple access routes, especially across multi-cloud and hybrid infrastructures.

Some examples of ways that these service accounts can create risks include:

  • Developers building in-house systems who create a security workaround
  • Third-party vendors’ systems
  • Legacy devices, accounts, and entitlements whose password policies haven’t been updated

Identifying and managing service accounts will be a key security risk mitigation strategy. Organizations need to define what these accounts can and cannot do (who owns them, whether they may log on interactively, how old their passwords may be, how long they may sit unused, and which privileged groups they may hold), then enforce the policies as strictly as they would for a human admin account.
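The "define, then enforce" step above, as an added example that is not from the original article: a policy audit over a directory export that checks each service account against the policy a team has written down and turns every violation into a concrete remediation action. The inventory, the field names, the policy values, and the as-of date are all constructed assumptions for the example; a real run would feed an export from the directory or cloud IAM in place of the INVENTORY list.

```python
from datetime import date

# Constructed inventory export (not from any real directory). Field names are
# assumptions for this example.
INVENTORY = [
    {"name": "svc-backup", "type": "service", "owner": "infra-team",
     "pw_last_set": "2024-11-01", "last_logon": "2025-01-08",
     "interactive_logon": False, "groups": ["backup-operators"]},
    {"name": "svc-legacy-erp", "type": "service", "owner": "",
     "pw_last_set": "2016-03-12", "last_logon": "2025-01-07",
     "interactive_logon": True, "groups": ["domain-admins"]},
    {"name": "svc-vendor-hvac", "type": "service", "owner": "facilities",
     "pw_last_set": "2023-05-20", "last_logon": "2024-06-30",
     "interactive_logon": False, "groups": ["hvac-readers"]},
    {"name": "alice", "type": "human", "owner": "alice",
     "pw_last_set": "2024-12-15", "last_logon": "2025-01-09",
     "interactive_logon": True, "groups": ["staff"]},
]

# The written policy for service accounts (assumed values for the example).
POLICY = {
    "max_password_age_days": 365,
    "max_idle_days": 90,
    "privileged_groups": {"domain-admins", "enterprise-admins"},
    "allow_interactive_logon": False,
}

AS_OF = date(2025, 1, 10)  # assumed audit date so the example is reproducible


def audit(inventory, policy, as_of):
    """Map each non-compliant service account to its list of policy violations."""
    findings = {}
    for acct in inventory:
        if acct["type"] != "service":
            continue  # human accounts are governed by a different policy
        issues = []
        if not acct["owner"]:
            issues.append("no_owner")
        pw_age = (as_of - date.fromisoformat(acct["pw_last_set"])).days
        if pw_age > policy["max_password_age_days"]:
            issues.append(f"password_age_{pw_age}d")
        idle = (as_of - date.fromisoformat(acct["last_logon"])).days
        if idle > policy["max_idle_days"]:
            issues.append(f"idle_{idle}d")
        if acct["interactive_logon"] and not policy["allow_interactive_logon"]:
            issues.append("interactive_logon_enabled")
        priv = sorted(set(acct["groups"]) & policy["privileged_groups"])
        if priv:
            issues.append("privileged:" + ",".join(priv))
        if issues:
            findings[acct["name"]] = issues
    return findings


def remediation(findings):
    """Translate violation tags into the enforcement actions a ticket would carry."""
    actions = {}
    for name, issues in findings.items():
        plan = []
        for issue in issues:
            if issue == "no_owner":
                plan.append("assign an accountable owner before any other change")
            elif issue.startswith("password_age_"):
                plan.append("rotate the credential and move it to a managed vault")
            elif issue.startswith("idle_"):
                plan.append("disable the account; delete after the retention period")
            elif issue == "interactive_logon_enabled":
                plan.append("deny interactive and remote logon for this account")
            elif issue.startswith("privileged:"):
                plan.append("remove from " + issue.split(":", 1)[1]
                            + " or document the justification and add monitoring")
        actions[name] = plan
    return actions


if __name__ == "__main__":
    found = audit(INVENTORY, POLICY, AS_OF)
    for name, plan in remediation(found).items():
        print(name)
        for step in plan:
            print("  -", step)
```

On the constructed data the legacy ERP account is the worst offender (no owner, a password unchanged since 2016, interactive logon, domain admin membership), and the vendor HVAC account is flagged for a stale password and six months without use, the exact "legacy entitlements whose password policies haven't been updated" case. Running the same audit on a schedule, and diffing its output, is what turns a one-time cleanup into enforced policy.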

Compliance is still a must-have

Benjamin Franklin is credited with observing that nothing in the world is certain except death and taxes. If he were around today, he would probably add “and data protection regulations.”

Although some deregulation initiatives have appeared on the global landscape, cybersecurity is a different beast. Many legislative and regulatory bodies will continue to double down and ensure that companies protect consumer and employee information. The private sector will remain on the front lines, protecting against cyber-attacks, and the compliance landscape will continue to require proof of those activities.

Organizations should invest in solutions that enable robust compliance documentation and can map across multiple laws, regulations, and frameworks.

Cyber risk insurers want better answers

In the business world, cyber insurance means transferring part of a security incident’s costs to someone else.

Over the last few years, cyber insurance providers have become more skeptical about what they should reimburse companies for and have updated their coverages and exclusions to be more aggressive. The requirements to even obtain insurance in the first place have become significantly more stringent. In this game of tug of war over who owns liability, organizations need to implement, maintain, and monitor security controls more effectively.

Insurance companies have become more sophisticated, with a better understanding of the tools that organizations should use. Where the question used to be “Do you have a PAM solution?”, it is now “How are you protecting privileged access and accounts from compromise?”

All organizations, but especially smaller companies, will face more difficult liability conversations.

To be approved for cyber liability insurance, organizations need to have answers to the increasingly specific questions that insurance underwriters ask and the continuous controls monitoring to support them.

Reducing friction for users improves security adoption

Organizations need to deploy more security products, create deeper security policies, and monitor their environment with more rigor, but each time they add a new control they create additional friction for the end users.

For example, organizations add new authentication factors before allowing users to sign into corporate devices, networks, and applications. Each system has different levels of granularity and access control. From the users at home to the nurses on the emergency room floor, logging into devices and applications takes more steps and consumes more time.

For each new security step, people will look for workarounds that make their lives easier, and often, those workarounds create security weaknesses.

Organizations need to look for solutions that reduce friction. As consumers and customers hold organizations accountable for protecting their sensitive information, companies need to implement solutions that help them strike the delicate balance between security and usability.

A crystal ball built on identity

While no one can really predict the future, the statistical rise of identity-based attacks over the last few years indicates that threat actors will continue to deploy these methodologies.

As organizations choose their cybersecurity investments for 2025, they should prioritize identity hygiene: processes for implementing, maintaining, and monitoring access across complex environments, including interconnected applications and large populations of hard-to-manage identities such as service accounts.
