The shifting security landscape: 2025 predictions and challenges
As the borderless threat ecosystem poses new challenges for companies and governments worldwide, CISA’s 2025-2026 International Plan aims to address this problem. CISA’s plan calls for integrated cyber defense across borders, addressing the complex, global cybersecurity challenges that businesses, governments and consumers face.
International collaboration across multiple sectors will be needed. Likewise, enterprise organizations must remain resilient and ready to tackle new threats and challenges in the coming year. The following three predictions for 2025 provide a glimpse of what’s to come:
AI, ‘Q-Day’ and compliance challenges
CISOs’ key priorities for 2025 will include integrating new technologies and accommodating new trends while strengthening their organization’s security posture. Bad actors continually hunt for vulnerabilities and outdated code in software supply chains, networks and endpoints, looking for ways to exploit these weaknesses. Meanwhile, the proliferation of AI is poised to accelerate phishing scams, expand the use of deepfakes for social engineering, and automate more damaging malware attacks:
- Bad actors will leverage personal data & AI to launch more effective attacks: The National Public Data and MC2 breaches that took place in 2024 will enable cyber criminals to leverage far more personal data, combined with AI-generated “deepfakes,” to launch more realistic and effective phishing and spear phishing campaigns in 2025.
Since the human element remains the most “hackable”, these attacks will likely lead to even more data breaches and compromises of control systems. When successful, spear phishing attacks can have devastating consequences, given the privileged access employees often hold to sensitive data, financial transactions and physical control systems.
Meanwhile, there are other emerging challenges CISOs must consider, including the prospect that today’s public-key encryption will stop providing the protection it now offers once quantum computing advances:
- With “Q-Day” approaching, it’s time for organizations to start prepping: With the August 2024 release of NIST’s post-quantum cryptography standards (FIPS 203, 204 and 205), it’s “go time” for organizations that haven’t yet started working on implementing them. Full deployment will take time, and with some estimates of “Q-Day” (the point at which a quantum computer can break today’s public-key algorithms such as RSA and elliptic-curve cryptography) arriving within the next decade, organizations will need to lean in to avoid getting caught off-guard.
Furthermore, enterprises and individuals will need to anticipate data compromises arising from the “harvest now, decrypt later” strategies of some adversaries and hostile nation states: encrypted traffic and stolen ciphertext recorded today can be decrypted once a sufficiently capable quantum computer exists. We do not yet know the full impact of this scenario, but it could lead to a spike in ransomware, extortion, spear phishing and other attacks. Just because sensitive information from a previous incident was not publicly released does not mean it could not be in the future. Preparing for Q-Day in 2025 should be a top priority for CISOs for this very reason.
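The first practical step toward Q-Day readiness is a cryptographic inventory that separates what “harvest now, decrypt later” actually exposes (key exchange) from what only matters once a quantum computer exists (signatures) and what is merely weakened (symmetric ciphers). The script below is an added example, not code from the article or from CISA or NIST; it triages the TLS cipher suites the local OpenSSL build offers, in the record shape returned by Python’s `ssl.SSLContext.get_ciphers()`, and also runs over a small constructed sample. The priority levels and the `SHOR_BROKEN_*` sets are this example’s own assumptions.

```python
"""Triage a TLS cipher-suite inventory for harvest-now-decrypt-later (HNDL) exposure.

Added example (not from the article). Reasoning encoded here:
  - Shor's algorithm breaks RSA, finite-field DH and (EC)DH key exchange, so traffic
    recorded today under those exchanges is the HNDL exposure: priority 1.
  - Shor also breaks RSA/ECDSA signatures, but a forged signature only matters at the
    time of forgery; recorded sessions are not retroactively exposed: lower priority.
  - Grover's algorithm roughly halves effective symmetric key length, so 128-bit
    ciphers are flagged for review and 256-bit ciphers are left alone.
  - TLS 1.3 suites report Kx=any: the key exchange is a separately negotiated group,
    so exposure depends on whether a hybrid ML-KEM group is required.
"""
import ssl

# Assumed classification sets (example's own, based on the public-key algorithms Shor breaks).
SHOR_BROKEN_KEX = {"RSA", "DH", "DHE", "ECDH", "ECDHE"}
SHOR_BROKEN_AUTH = {"RSA", "ECDSA", "DSS", "DSA"}


def _alg(field, prefix):
    """Normalise OpenSSL labels such as 'kx-ecdhe' / 'auth-rsa' to 'ECDHE' / 'RSA'."""
    field = (field or "").lower()
    if field.startswith(prefix):
        field = field[len(prefix):]
    return field.upper()


def assess_cipher(cipher):
    """Return a triage record for one entry shaped like SSLContext.get_ciphers()."""
    kex = _alg(cipher.get("kea"), "kx-")
    auth = _alg(cipher.get("auth"), "auth-")
    bits = cipher.get("strength_bits") or 0
    findings = []
    if kex in SHOR_BROKEN_KEX:
        findings.append("HNDL: %s key exchange is Shor-broken; recorded traffic decryptable later" % kex)
    elif kex == "ANY":
        findings.append("TLS 1.3: exposure set by the negotiated group; require a hybrid ML-KEM group")
    if auth in SHOR_BROKEN_AUTH:
        findings.append("AUTH: %s signatures forgeable once a quantum computer exists (not retroactive)" % auth)
    if 0 < bits < 256:
        findings.append("SYM: %d-bit cipher leaves ~%d bits against Grover; prefer 256-bit" % (bits, bits // 2))

    # Assumed priority scheme: 1 = migrate key exchange now, 2 = verify TLS 1.3 groups,
    # 3 = plan signature migration, 4 = symmetric review only, 5 = nothing flagged.
    if kex in SHOR_BROKEN_KEX:
        priority = 1
    elif kex == "ANY":
        priority = 2
    elif auth in SHOR_BROKEN_AUTH:
        priority = 3
    elif findings:
        priority = 4
    else:
        priority = 5
    return {"name": cipher.get("name"), "kex": kex, "auth": auth,
            "bits": bits, "priority": priority, "findings": findings}


def triage_inventory(ciphers):
    """Assess every suite and order the result so the HNDL-exposed ones come first."""
    return sorted((assess_cipher(c) for c in ciphers),
                  key=lambda r: (r["priority"], r["name"] or ""))


def local_inventory():
    """Everything the local OpenSSL build is willing to offer, not just the defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL")
    except ssl.SSLError:
        pass  # fall back to the context's default list
    return ctx.get_ciphers()


# Constructed sample records in the get_ciphers() shape (not captured from a real host).
SAMPLE = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "strength_bits": 128},
    {"name": "AES256-SHA", "protocol": "SSLv3",
     "kea": "kx-rsa", "auth": "auth-rsa", "strength_bits": 256},
]


if __name__ == "__main__":
    for source, ciphers in (("constructed sample", SAMPLE), ("local OpenSSL", local_inventory())):
        print("== %s ==" % source)
        for rec in triage_inventory(ciphers):
            print("P%d %-32s Kx=%-6s Au=%-6s %3d bits" % (
                rec["priority"], rec["name"], rec["kex"], rec["auth"], rec["bits"]))
            for f in rec["findings"]:
                print("     -", f)
```

The point of the ordering is that a migration plan should start with the priority-1 rows (static RSA and classical ECDHE key exchange, which is where recorded traffic is at risk) and with enforcing hybrid ML-KEM groups on the TLS 1.3 rows, while signature migration can follow; the same triage logic applies to VPN, SSH and messaging inventories once their records are mapped into the same fields.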
Finally, in 2025 CISOs will continue to struggle with compliance due to increasingly complex and inconsistent data protection and privacy laws, which vary from country to country and, in the U.S., from state to state:
- Growing patchwork of U.S. data privacy laws will create new compliance burdens: The growing patchwork of data privacy regulations across the US, many of which are similar and overlap, will continue to increase compliance burdens on organizations that create, process, store, and transmit sensitive data in 2025.
Since California passed the California Consumer Privacy Act (CCPA), later amended and expanded by the California Privacy Rights Act (CPRA), roughly 20 states have enacted comprehensive privacy laws. Several of these take effect on a rolling basis through 2026 and beyond.
To overcome compliance paralysis, organizations will need to be highly organized and efficient. Mature governance (from the board on down), repeatable processes, and tools, including Governance, Risk & Compliance (GRC) platforms, will be critical to minimizing compliance-related risk.
Preparing for the future, with an eye on the past
Organizations’ strategic cybersecurity plans for 2025 should address both AI-driven and traditional threats by integrating proactive risk management, advanced threat detection, and adaptive response mechanisms. As business and public sector organizations gear up for more sophisticated and damaging cyber attacks and data breaches, they should adopt the most robust tooling available, including AI and machine learning systems that monitor for anomalous behavior.
Organizations must prioritize fostering a culture of cybersecurity awareness, ensuring employees understand their role in protecting assets. CISOs should also continue to draw on external experts to confirm that their organization complies with relevant data privacy laws and regulations, and should maintain an incident response framework, which remains essential to a comprehensive, future-resilient cybersecurity strategy.