2025 SECURITY TREND REPORT

Future-Proof the CISO

Analyst Perspective

“Artificial intelligence was going to transform IT in 1974. And in 1985. And again in 1997. And 2011.

We’ve been talking about quantum computing and forecasting the subsequent death of encryption since 1981.

The Internet of Things is over ten years old, and we’ve been predicting ransomware in our refrigerators every year since.

Security professionals love to prognosticate. However, without a structured approach for assessing the probabilities of potential scenarios, such soothsaying does little to help chief information security officers prepare for the future. Info-Tech’s 2025 Security Trend Report uses scenario analysis to present a likely outlook for cybersecurity in the year 2025 to future-proof the CISO.” (Kevin Peuhkurinen, Director, Research – Security, Info-Tech Research Group)

Introduction

New information technologies will introduce new threats. Responding to these threats will require new security skills. The scarcity of these skills will drive security leaders to embrace yet newer technologies in an attempt to fill the gap. Security failures will drive governments to introduce new regulations, further increasing the demands on already strained security teams.

To meet these challenges, the future-proofed CISO needs the best data available. The 2025 Security Trend Report synthesizes input from industry leaders and subjects it to structured scenario analysis using Info-Tech methodologies to present probable scenarios with practical recommendations.

Future-Proofing the CISO

Learn about emerging threats

Learn about new threats that will impact the business and social environment. These are shifts that change the way we interact with technology. The future-proofed CISO must learn about them and foresee the impact they will have. This report explores threats that will have a profound impact on the business and social environment in the next several years.

Adopt emerging technology, but beware the hype

This report highlights emerging technologies that can help future-proof the CISO. However, the hype around these technologies threatens to overpromise and underdeliver. We provide scenario analyses for these technologies to help security teams separate fact from fiction and make informed decisions on how to leverage emerging security tech.

Grow by delivering on outcomes

New threats and new technologies will require new security skills. Unfortunately, the security skills gap is already large and growing. The future-proofed CISO needs to understand how to deliver on required security outcomes in a changing environment without an army of security analysts at their command.

Learn About Emerging Threats

Synthetic Media In Cybersecurity in a Post-Truth World, we describe the enormous emerging security, political, social, and technological challenges associated with synthetic video and audio. Deepfake and related technologies have already been used to augment social engineering attacks, and they threaten to do much more.

Cloud Misconfigurations Cloud computing may prove to be the greatest disruptor of traditional information technology yet seen. However, the rush to the cloud could be the undoing of many companies. In Cloud First, Security Third?, we look at the significant challenges facing security teams as their businesses chase their place in the sky.

5G-Enabled IoT 5G networking has the capability of actually improving cybersecurity. However, before we can take advantage of it, we need to face hard facts about IoT security as our cars, thermostats, and manufacturing robots move to the edge. When IoT Met 5G explores the road ahead for this important new technology.

Adapt to Emerging Trends

New Regulations In the new business world, the only certainties are taxes and compliance obligations. Drowning in Regulations looks at how new cybersecurity and privacy laws and regulations will drive changes to all organizations and what that means to security teams.

Security AI In Security Team 2.0, we look at the ever- growing chasm in cybersecurity skills. Faced with new threats, new technologies, and new compliance obligations, security leaders will need to make hard decisions. If you can’t hire people, can you replace them with robots?

Cybersecurity in a Post-Truth World

When seeing isn’t believing

Critical Uncertainties

Innovation in AI-based social engineering attacks

Social engineering attacks are certain to remain a threat over the next five years. The introduction of machine learning and artificial intelligence will be a force multiplier for this threat, as we have already seen with the use of deepfake to augment traditional business compromise email attacks.

However, the real danger is that AI will become a true disruptor, allowing innovative criminals to invent entirely new social engineering attacks for which we have no defenses.

Effectiveness of detection and prevention controls

Governments and industries are profoundly concerned with the implications of deepfake and related technologies for good reasons that include but go far beyond cybersecurity. They are investing significant sums of money to fund detection tools. Fortunately, any progress that is made on this problem should benefit cybersecurity.

Nevertheless, detection is a huge challenge and there is plenty of uncertainty about how effective these tools will prove. Deepfake algorithms will almost definitely continue to improve, and it will become harder and harder to determine with absolute confidence whether any particular video or audio is real or fake.

“How are we going to believe anything anymore that we see? To me that’s a real threat to our democracy.” (Hany Farid, Professor, University of California, Berkeley, source: the wall street journal, 2018)

Probable Scenario

“The weaponization of deepfakes and synthetic media is influencing the cybersecurity landscape, enhancing traditional cyber threats and enabling entirely new attack vectors.” (Giorgio Patrini, Founder, CEO, and Chief Scientist, DeepTrace, source: DeepTrace, 2019)

The most probable 2025 scenario for Cybersecurity in a Post-Truth World is that improvements in real-time deepfake and related technologies will significantly outpace detection efforts.

Vast sums have already been spent by governments and industry to develop detection technologies, and this investment will very likely increase considerably. However, the technical problem of deepfake improvement is currently smaller than that of detection; small improvements in synthetic media will require exponentially larger improvements in detection to counter.

Even when or if effective detection controls are developed, there will be huge challenges with deployment. Potential victims can be exposed to synthetic media through many different vectors, and ensuring that detection controls protect all vectors will be a significant undertaking.

Over the longer term, raised awareness of the threat among the general populace may prove to be the most effective defense. However, this is unlikely to occur before 2025.

Recommendations and Resources

Recommendations:

1. Organizations of all sizes should assess their exposure to AI-enabled social engineering attacks.
   • Variations on existing social engineering attacks, especially business compromise emails and ransomware delivery, should be expected to emerge first.
   • Synthetic voice attacks against call centers, even those that use voice biometrics for authentication, are very likely by 2025.
   • Other critical business transaction points should be assessed for their vulnerability to deepfake technologies.
2. Additional authentication procedures should be considered to mitigate identified vulnerabilities. These should be augmented with the inclusion of deepfake awareness in most security training programs.

Info-Tech Research Group Resources:

• Develop a Security Awareness and Training Program That Empowers End Users
• Combine Security Risk Management Components Into One Program

Cloud First, Security Third?

Around every silver lining, there's a dark cloud

Critical Uncertainties

Availability of effective cloud security tools

The market for cloud security tools is booming but still very immature. Most cloud vendors offer many security features, but they tend to be very complex and require highly skilled technical professionals to fully utilize. Feature sets and configuration options vary significantly among vendors, making life even more difficult for security teams at organizations with multi-cloud strategies.

There is significant uncertainty whether truly comprehensive security tools that can automate best-practice security configurations across multiple cloud providers will emerge over the next few years.

Public cloud adoption

It is certain that organizations will continue their migration toward cloud computing. While all signs point toward expanding use of public cloud environments, it is possible that this trend will slow. In this case, investment may shift toward private cloud.

Another key uncertainty will be whether organizations continue to prefer multi-cloud strategies or move toward single clouds. This may affect whether organizations look to the cloud vendor for security tools or select pure-play security vendors instead.

“We [Capital One] don't start using a service just because it's announced and it's cool. We start using it when we are sure we can meet security and other commitments we have internally.” (Bernard Golden, VP, Cloud Strategy, Capital One, December 2018, source: fortune, 2019)

Probable Scenario

“And then I hack into their ec2 instances, assume-role their IAM instance profiles, take over the account and corrupt SSM, deploying my backdoor, mirror their s3 buckets, and convert any snapshots I want to volumes and mirror the volumes I want via storage gateway” (June 16, 2019, post by “erratic,” the Twitter handle of Paige Thompson, accused in the Capital One data breach)

The most probable 2025 scenario for Cloud First, Security Third is that organizations will continue to migrate data to the cloud faster than they can secure it. Programs such as FedRAMP in the US have helped ensure that cloud infrastructure itself is secure, but in IaaS and PaaS models, customers are still responsible for the security of their applications and middleware.

Properly securing cloud data requires highly specialized security skills. As we will see in Security Team 2.0, the enormous security skills gap is only likely to get wider. In the absence of cloud security specialists, most organizations will need to look toward cloud security tools to support their cloud strategies. Organizations that rush ahead into the cloud without either the right security skills or tools may quickly find their expected cost optimizations to vanish into data breach expenses.

A shift away from public cloud toward private cloud may partially alleviate the security risks, but there is no indication that this will happen to any great extent. Additionally, there is no guarantee that private cloud will prove more secure than public cloud over the long term.

Recommendations and Resources

Recommendations:

1. Organizations need to develop a structured cloud security architecture that aligns with their overall cloud strategy.
2. As part of their architecture development, organizations should consider the skills required to implement necessary controls. Plans for addressing identified gaps against current skill sets should be determined and consider training, outsourcing, or tooling.
3. Costs to properly secure cloud systems should be incorporated into overall cloud cost optimization plans.

Info-Tech Research Group Resources:

• Ensure Cloud Security in IaaS, PaaS, and SaaS Environments
• Identify Opportunities to Mature the Security Architecture
• Embed Security Into the DevOps Pipeline