2025 Security Trend Report

Future-proof the CISO.

  • Through 2025, the chief information security officer will need to navigate emerging threats, skills shortages, and new regulations. The CEO and CIO will increasingly rely on the CISO to ensure that expected security outcomes are delivered during a time of extensive technology transformation.

Our Advice

Critical Insight

  • Learn about emerging threats that will impact the business and social environment. These are shifts that change the way we interact with technology. The future-proofed CISO must learn about them and foresee the impact they will have. This report explores threats that will have a profound impact on the business and social environment in the next several years.
  • Adopt emerging technology but beware the hype. Use scenario analyses for these technologies to help security teams separate fact from fiction and make informed decisions on how to leverage emerging security tech.
  • Grow by delivering on outcomes. The future-proofed CISO needs to understand how to deliver on required security outcomes in a changing environment without an army of security analysts at their command.

Impact and Result

  • Cybersecurity stewardship is an ever-evolving task, but you don't have to stand alone. Follow Info-Tech's learn-adopt-grow framework to confidently tackle this new challenge in security leadership.

Analyst Perspective

“Artificial intelligence was going to transform IT in 1974. And in 1985. And again in 1997. And 2011.

We’ve been talking about quantum computing and forecasting the subsequent death of encryption since 1981.

The Internet of Things is over ten years old, and we’ve been predicting ransomware in our refrigerators every year since.

Security professionals love to prognosticate. However, without a structured approach for assessing the probabilities of potential scenarios, such soothsaying does little to help chief information security officers prepare for the future. Info-Tech’s 2025 Security Trend Report uses scenario analysis to present a likely outlook for cybersecurity in the year 2025 to future-proof the CISO.” (Kevin Peuhkurinen, Director, Research – Security, Info-Tech Research Group)

Introduction

New information technologies will introduce new threats. Responding to these threats will require new security skills. The scarcity of these skills will drive security leaders to embrace yet newer technologies in an attempt to fill the gap. Security failures will drive governments to introduce new regulations, further increasing the demands on already strained security teams.

To meet these challenges, the future-proofed CISO needs the best data available. The 2025 Security Trend Report synthesizes input from industry leaders and subjects it to structured scenario analysis using Info-Tech methodologies to present probable scenarios with practical recommendations.

Future-Proofing the CISO

Learn about emerging threats

Learn about new threats that will impact the business and social environment. These are shifts that change the way we interact with technology. The future-proofed CISO must learn about them and foresee the impact they will have. This report explores threats that will have a profound impact on the business and social environment in the next several years.

Adopt emerging technology, but beware the hype

This report highlights emerging technologies that can help future-proof the CISO. However, the hype around these technologies threatens to overpromise and underdeliver. We provide scenario analyses for these technologies to help security teams separate fact from fiction and make informed decisions on how to leverage emerging security tech.

Grow by delivering on outcomes

New threats and new technologies will require new security skills. Unfortunately, the security skills gap is already large and growing. The future-proofed CISO needs to understand how to deliver on required security outcomes in a changing environment without an army of security analysts at their command.

Learn About Emerging Threats

Synthetic Media

In Cybersecurity in a Post-Truth World, we describe the enormous emerging security, political, social, and technological challenges associated with synthetic video and audio. Deepfake and related technologies have already been used to augment social engineering attacks, and they threaten to do much more.

Cloud Misconfigurations

Cloud computing may prove to be the greatest disruptor of traditional information technology yet seen. However, the rush to the cloud could be the undoing of many companies. In Cloud First, Security Third?, we look at the significant challenges facing security teams as their businesses chase their place in the sky.

5G-Enabled IoT

5G networking has the capability of actually improving cybersecurity. However, before we can take advantage of it, we need to face hard facts about IoT security as our cars, thermostats, and manufacturing robots move to the edge. When IoT Met 5G explores the road ahead for this important new technology.

Adapt to Emerging Trends

New Regulations

In the new business world, the only certainties are taxes and compliance obligations. Drowning in Regulations looks at how new cybersecurity and privacy laws and regulations will drive changes to all organizations and what that means to security teams.

Security AI

In Security Team 2.0, we look at the ever-growing chasm in cybersecurity skills. Faced with new threats, new technologies, and new compliance obligations, security leaders will need to make hard decisions. If you can’t hire people, can you replace them with robots?

Cybersecurity in a Post-Truth World

When seeing isn’t believing

14,678 deepfake videos online as of September 2019 (source: DeepTrace, 2019)

Is weaponized artificial intelligence our greatest cyber threat yet?

In 2015, when an innovative criminal donned a latex mask of French defense minister Jean-Yves Le Drian and conned wealthy patriots out of €80 million, they were unknowingly foreshadowing a much larger problem to come.

However, even when the first deepfake video appeared in 2017, the cybersecurity implications were not front of mind for most people.

The first real implications came to be felt only in March 2019 when cybercriminals used synthetic voice audio to help steal $243,000 from a UK energy company.

What does authentication mean in a post-truth world?

Signals and Drivers

The main driver for Cybersecurity in a Post-Truth World will be the effectiveness of social engineering attacks based on machine learning and artificial intelligence, including generative adversarial network techniques such as deepfake.

Of course, the problem of synthetic media is far wider and deeper than just cybersecurity. This fact is reflected by the large sums of money being spent to fund deepfake detection tools.

96% of all online deepfake videos are pornographic in nature (source: DeepTrace, 2019)

$68,000,000 spent by DARPA on deepfake detection technology in 2018 (source: Futurism, 2018)

$243,000 amount stolen using synthetic voice audio in one 2019 incident (source: DeepTrace, 2019)

$10,000,000 contributed by Facebook for the Deepfake Detection Challenge (source: Facebook, 2019)

Critical Uncertainties

Innovation in AI-based social engineering attacks

Social engineering attacks are certain to remain a threat over the next five years. The introduction of machine learning and artificial intelligence will be a force multiplier for this threat, as we have already seen with the use of deepfake to augment traditional business email compromise attacks.

However, the real danger is that AI will become a true disruptor, allowing innovative criminals to invent entirely new social engineering attacks for which we have no defenses.

Effectiveness of detection and prevention controls

Governments and industries are profoundly concerned with the implications of deepfake and related technologies for good reasons that include but go far beyond cybersecurity. They are investing significant sums of money to fund detection tools. Fortunately, any progress that is made on this problem should benefit cybersecurity.

Nevertheless, detection is a huge challenge and there is plenty of uncertainty about how effective these tools will prove. Deepfake algorithms will almost definitely continue to improve, and it will become harder and harder to determine with absolute confidence whether any particular video or audio is real or fake.

“How are we going to believe anything anymore that we see? To me that’s a real threat to our democracy.” (Hany Farid, Professor, University of California, Berkeley, source: The Wall Street Journal, 2018)

Scenario Analysis

Innovation in AI Attacks: High; Effectiveness of Controls: Low

Scenario: Strong innovation by criminals in their use of deepfake-enabled social engineering attacks combined with a lack of effective security controls will pose a colossal challenge for all organizations.

Response: Combating this threat without effective technology controls will require most organizations to implement much stronger manual process controls for critical transactions.

Innovation in AI Attacks: High; Effectiveness of Controls: High

Scenario: Criminals continually innovate in their use of synthetic media in social engineering attacks. However, detection and prevention controls prove highly effective in combating these attacks.

Response: Organizations that understand the threat and implement effective controls early should largely mitigate the risk. Those that don’t may find themselves facing an existential threat.

Innovation in AI Attacks: Low; Effectiveness of Controls: Low

Scenario: Lack of innovative AI-based attacks coupled with poor detection controls will be a status quo scenario. Synthetic media will be primarily used for pornographic purposes but may occasionally pose a cybersecurity threat as well.

Response: For cybersecurity teams already struggling with social engineering attacks, deepfake technology will become another headache. Security awareness programs will need to become a focus.

Innovation in AI Attacks: Low; Effectiveness of Controls: High

Scenario: The use of synthetic media in social engineering attacks remains fairly static, likely due to limitations of the technology. Highly effective detection controls significantly mitigate the risk to most organizations.

Response: Deepfake technology use remains largely restricted to pornography. While still a huge public policy and privacy challenge, the cybersecurity risk fades.

Probable Scenario

“The weaponization of deepfakes and synthetic media is influencing the cybersecurity landscape, enhancing traditional cyber threats and enabling entirely new attack vectors.” (Giorgio Patrini, Founder, CEO, and Chief Scientist, DeepTrace, source: DeepTrace, 2019)

The most probable 2025 scenario for Cybersecurity in a Post-Truth World is that improvements in real-time deepfake and related technologies will significantly outpace detection efforts.

Vast sums have already been spent by governments and industry to develop detection technologies, and this investment will very likely increase considerably. However, the technical problem of deepfake improvement is currently smaller than that of detection; small improvements in synthetic media will require exponentially larger improvements in detection to counter.

Even when or if effective detection controls are developed, there will be huge challenges with deployment. Potential victims can be exposed to synthetic media through many different vectors, and ensuring that detection controls protect all vectors will be a significant undertaking.

Over the longer term, raised awareness of the threat among the general populace may prove to be the most effective defense. However, this is unlikely to occur before 2025.

Recommendations and Resources

Recommendations:

  1. Organizations of all sizes should assess their exposure to AI-enabled social engineering attacks.
    • Variations on existing social engineering attacks, especially business email compromise and ransomware delivery, should be expected to emerge first.
    • Synthetic voice attacks against call centers, even those that use voice biometrics for authentication, are very likely by 2025.
    • Other critical business transaction points should be assessed for their vulnerability to deepfake technologies.
  2. Additional authentication procedures should be considered to mitigate identified vulnerabilities. These should be augmented with the inclusion of deepfake awareness in most security training programs.

Cloud First, Security Third?

Around every silver lining, there's a dark cloud

990,000,000 records exposed due to misconfigured cloud security in 2018 alone (source: IBM Security, 2019)

Can cloud security tools save us from ourselves?

In the early days of cloud computing, security teams were primarily worried about Software as a Service (SaaS) and whether vendors could be trusted to properly protect data. These concerns soon faded as organizations came to realize that, in most cases, their on-premises cybersecurity was actually inferior to what SaaS providers offered.

However, as cloud adoption has moved from SaaS to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), new security concerns are emerging. Unlike SaaS, using IaaS and PaaS requires that organizations properly configure the security of their cloud systems.

Failure to do so is fast becoming a significant risk, but will we pause long enough in our rush to the cloud to learn how to secure it?

Signals and Drivers

The main driver for Cloud First, Security Third will be the increasing number of companies adopting a “cloud-first” or “cloud-only” strategy. Even without a cloud-first strategy, many organizations will continue to move workload to the cloud, increasing their exposure.

The complexity of properly securing cloud instances is expected to increase, while the availability of appropriately skilled resources to do the work will remain scarce.

However, the Capital One breach in 2019 reminds us of the potentially huge costs of making a mistake with cloud security.

$150 million estimated direct costs in 2019 from Capital One cloud misconfiguration data breach (source: Fortune, 2019)

39% of companies have adopted a cloud-first strategy as of 2019 (source: Flexera, 2019)

$12.6 billion estimated global spend on cloud security tools by 2023 (source: Dark Reading, 2019)

Critical Uncertainties

Availability of effective cloud security tools

The market for cloud security tools is booming but still very immature. Most cloud vendors offer many security features, but they tend to be very complex and require highly skilled technical professionals to fully utilize. Feature sets and configuration options vary significantly among vendors, making life even more difficult for security teams at organizations with multi-cloud strategies.

There is significant uncertainty whether truly comprehensive security tools that can automate best-practice security configurations across multiple cloud providers will emerge over the next few years.

Public cloud adoption

It is certain that organizations will continue their migration toward cloud computing. While all signs point toward expanding use of public cloud environments, it is possible that this trend will slow. In this case, investment may shift toward private cloud.

Another key uncertainty will be whether organizations continue to prefer multi-cloud strategies or move toward single clouds. This may affect whether organizations look to the cloud vendor for security tools or select pure-play security vendors instead.

“We [Capital One] don't start using a service just because it's announced and it's cool. We start using it when we are sure we can meet security and other commitments we have internally.” (Bernard Golden, VP, Cloud Strategy, Capital One, December 2018, source: Fortune, 2019)

Scenario Analysis

Cloud Adoption: High; Availability of Cloud Security Tools: Low

Scenario: Continued cloud-first adoption combined with a dearth of security tools will leave millions of records exposed.

Response: Organizations moving toward cloud first will need to seriously consider whether they have the in-house expertise required to properly secure their cloud assets. Lack of tools may drive more organizations toward private cloud.

Cloud Adoption: High; Availability of Cloud Security Tools: High

Scenario: Companies continue to adopt cloud-first and cloud-only strategies. Fortunately, comprehensive security tools become widely available to help organizations manage their cloud risks.

Response: While organizations will be free to pursue public/private cloud and single-/multi-cloud strategies, security tools will need to factor into overall cloud cost optimization plans.

Cloud Adoption: Low; Availability of Cloud Security Tools: Low

Scenario: Lack of effective cloud security tools may lead to slower cloud adoption for some organizations.

Response: Developing a cloud security strategy and architecture in the absence of effective tools may be a competitive advantage, allowing more organizations to securely embrace new cloud strategies.

Cloud Adoption: Low; Availability of Cloud Security Tools: High

Scenario: Slowed cloud adoption combined with the availability of effective cloud security tools will drive down the costs of those tools.

Response: With plenty of options to choose from, organizations will want to strategize whether to adopt a comprehensive set of security tools from their cloud vendor or select a pure-play security vendor.

Probable Scenario

“And then I hack into their ec2 instances, assume-role their IAM instance profiles, take over the account and corrupt SSM, deploying my backdoor, mirror their s3 buckets, and convert any snapshots I want to volumes and mirror the volumes I want via storage gateway” (June 16, 2019, post by “erratic,” the Twitter handle of Paige Thompson, accused in the Capital One data breach)

The most probable 2025 scenario for Cloud First, Security Third is that organizations will continue to migrate data to the cloud faster than they can secure it. Programs such as FedRAMP in the US have helped ensure that cloud infrastructure itself is secure, but in IaaS and PaaS models, customers are still responsible for the security of their applications and middleware.

Properly securing cloud data requires highly specialized security skills. As we will see in Security Team 2.0, the enormous security skills gap is only likely to get wider. In the absence of cloud security specialists, most organizations will need to look toward cloud security tools to support their cloud strategies. Organizations that rush ahead into the cloud without either the right security skills or tools may quickly find their expected cost optimizations vanishing into data breach expenses.

A shift away from public cloud toward private cloud may partially alleviate the security risks, but there is no indication that this will happen to any great extent. Additionally, there is no guarantee that private cloud will prove more secure than public cloud over the long term.

Recommendations and Resources

Recommendations:

  1. Organizations need to develop a structured cloud security architecture that aligns with their overall cloud strategy.
  2. As part of their architecture development, organizations should consider the skills required to implement necessary controls. Plans for addressing identified gaps against current skill sets should be determined and consider training, outsourcing, or tooling.
  3. Costs to properly secure cloud systems should be incorporated into overall cloud cost optimization plans.

When IoT Met 5G

The final nail in the coffin of the security perimeter

1.9 billion users on 5G by 2025 (source: TeleGeography, 2019)

Will 5G-enabled IoT usher in a new era of cyber-physical threats?

Alarms were being raised about Internet of Things (IoT) security at least as early as 2011. These alarms peaked in 2016 when the Mirai IoT botnet launched the largest distributed denial-of-service (DDoS) attacks yet seen.

The alarms have faded somewhat lately, largely because most IoT devices are hidden away behind home routers or corporate firewalls and therefore harder to discover and attack.

The promise – and threat – of 5G is that it will remove that perimeter, exposing billions of devices directly to the internet. Many of these devices will be in cars, medical equipment, and other applications where security can be a matter of life or death.

Can we solve IoT security before people start dying?

Signals and Drivers

The main driver for When IoT Met 5G will be the benefits of 5G cellular service for IoT devices. These will include lower power requirements, lower latency, higher speeds, and reduced complexity related to the need to connect to Wi-Fi networks.

These are all compelling benefits for IoT manufacturers, and the main bottleneck for mass adoption will be availability of 5G service. It is expected that this availability will be very widespread by the early 2020s.

41.6 billion IoT devices connected to the internet by 2025 (source: IDC, 2019)

600,000 IoT devices participated in Mirai botnet DDoS attacks in 2016 (source: Cloudflare, 2017)

Critical Uncertainties

Security of IoT devices

IoT is famously insecure, with problems including poor authentication, nonexistent patching, and lack of encryption. Much of the blame for this is rooted in the fact that IoT manufacturers are often regular manufacturers who feel compelled by market forces to bolt networking capabilities onto their cameras, thermostats, and refrigerators but have no experience in network security.

Security perimeters have mitigated the risks so far, but 5G promises to remove that perimeter. There have been some recent efforts to improve IoT security, such as new guidance and security baselines for devices from the US-based NIST; however, it is very uncertain to what degree manufacturers will get serious about security over the next two to three years.

5G adoption by IoT devices

It seems certain that 5G network service will become widely available in most major markets by the early 2020s, with a predicted 1.9 billion subscribers by 2025. It is also certain the number of IoT devices will continue to grow, with 41 billion internet-connected devices predicted by 2025.

What is less certain is how many of these devices will be on 5G networks. Early adopters will likely be devices that require high bandwidth and low latency, such as cars and video surveillance systems. However, lower power requirements and complexity benefits may drive 5G migration faster.

“As you move into the future, the notion of a fixed perimeter goes away, meaning that devices are everywhere, and actually IoT devices in particular are everywhere, because they’re connected to 5G networks. When that comes into play, one of the key fundamental principles of threat actors is scanning for IoT devices or vulnerabilities.” (Paul Martini, CEO, iBoss Cybersecurity, source: Threatpost, 2019)

Scenario Analysis

IoT Security: High; IoT Adoption of 5G: Low

Scenario: Improved IoT security combined with slow 5G adoption will be a best-case scenario for security teams.

Response: Security teams in this scenario should research how they can take advantage of inherent security benefits of 5G to actually improve overall network and device security.

IoT Security: High; IoT Adoption of 5G: High

Scenario: Strong IoT security removes a serious challenge for security teams. However, high adoption of 5G means that these teams need to ensure that IoT security is properly configured.

Response: Security teams will need to develop expertise in managing IoT security to ensure that configuration errors do not derail progress during the rush to adopt 5G.

IoT Security: Low; IoT Adoption of 5G: Low

Scenario: Continued weak IoT security along with slow 5G adoption will be close to the status quo.

Response: A status quo feeling may lead to a false sense of security. Sluggish 5G adoption will still mean at least some 5G adoption, and early adopters will find themselves exposed and vulnerable. Security teams should work with internal stakeholders to identify where IoT 5G adoption may occur in the organization to proactively mitigate the risks.

IoT Security: Low; IoT Adoption of 5G: High

Scenario: In this worst-case scenario, an explosion in 5G adoption exposes billions of insecure IoT devices to attack on the internet.

Response: In the short term, security teams of IoT manufacturers and users will be scrambling to implement mitigating controls. A rash of high-profile data breaches will very likely prompt governments to enact new IoT cybersecurity laws and regulations.

Probable Scenario

“IoT devices are more dangerous than our traditional computers because they sense the world around us, and affect that world in a direct physical manner. Increasing the cybersecurity of these devices is paramount.” (Bruce Schneier, Security Expert, Author, Consultant, source: Schneier on Security, 2018)

The most probable 2025 scenario for When IoT Met 5G is that IoT security will remain generally inadequate during the initial wave of 5G adoption. 5G service availability and pricing may slow adoption, and many early use cases may include devices from manufacturers with a strong vested interest, and expertise, in security.

In this kind of scenario, security teams may be able to use 5G’s inherent security benefits, including encryption, device authentication, and network slicing, to actually improve network security.

On the other hand, a rush toward adoption that exposes billions of insecure devices to the internet will be a nightmare scenario for manufacturers and security teams. We could expect IoT botnets an order of magnitude larger than anything seen before, as well as a plethora of high-profile data breaches due to compromised devices. Human safety and privacy concerns will compel governments to quickly pass new cybersecurity laws and regulations.

Recommendations and Resources

Recommendations:

  1. Manufacturers of IoT devices should seriously consider applying the NIST guidelines and baseline for securing IoT to their devices.
  2. IoT device end-user organizations need to identify where devices are currently used. Many of these will not be under the control of the IT department. Security teams also need to start working with business units to identify where 5G-enabled IoT devices may be deployed and begin building a plan to secure these devices.

Drowning in Regulations

The road to hell is paved with compliance obligations

57% of all countries now have data protection laws (source: Privacy Laws & Business International Report, 2019)

Can we learn to navigate the torrents of privacy and security regulations before we drown?

Once upon a time, security leaders could be overheard welcoming new regulations. They were seen as important allies, helping to justify the acquisition and implementation of new security controls.

In hindsight, perhaps we should have been more careful with what we wished for.

Many organizations are now finding themselves having to manage multiple cybersecurity and data protection laws and regulations. Those that operate globally need to navigate a patchwork of disparate obligations across multiple jurisdictions.

With more of the same on the horizon, how do we learn to swim before we sink?

Signals and Drivers

The main driver for Drowning in Regulations will be the continuing push by governments to enact data protection and cybersecurity laws and regulations to protect citizens.

Indeed, a 70% increase in the number of countries with data protection laws over the last ten years only tells part of the story.

Many countries, including Canada, have recently updated their existing laws. And many others, including Argentina, Israel, India, and New Zealand, are planning to do so. The desire to obtain GDPR adequacy will drive even more countries in this direction.

132 countries with privacy laws as of 2019 (source: Privacy Laws & Business International Report, 2019)

Figure: bar graph for the years 2009 to 2019 showing the number of countries with privacy laws rising from under 80 to over 130.

Critical Uncertainties

New cybersecurity and privacy regulations

It seems almost certain that governments and regulation-setting bodies across the globe will continue to develop new cybersecurity regulations as well as new privacy regulations that include security considerations. Governments that in the past were concerned that regulations may hinder competitiveness are now seeing that data breaches are even worse.

However, new laws and regulations can take years before they come into effect. The General Data Protection Regulation (GDPR) took four years between its first draft and the date it entered into force. This time constraint casts uncertainty on the number of new regulations that companies will need to consider by 2025.

Cooperation among regulatory bodies

So far, there has been little evidence that policy-setting and regulatory bodies are cooperating among themselves to align regulations with the goal of simplifying compliance efforts. When it happens, it is often because an industry has taken the initiative to self-regulate across jurisdictions.

It is therefore uncertain how much effort will be directed toward cooperation and alignment of new regulations by governments and other regulatory bodies.

“Privacy is a complex, multi-level, comprehensive concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.” (K Royal, Senior Privacy Consultant, TrustArc, source: Tech Privacy, 2019)

Scenario Analysis

Inter-Government Cooperation: High; Number of New Regulations: Low

Scenario: Few new security and privacy regulations emerge, and those that do are highly aligned. Compliance management becomes a simple process.

Response: Most organizations will be able to manage their compliance obligations with simple tools and few staff.

Inter-Government Cooperation: High; Number of New Regulations: High

Scenario: Governments worldwide continue to develop new security and privacy regulations, but there is significant alignment aimed at simplifying compliance.

Response: Organizations will be able to adopt single security and privacy frameworks to meet most regulations, reducing the efforts required for compliance management.

Inter-Government Cooperation: Low; Number of New Regulations: Low

Scenario: Few new security and privacy regulations emerge, but those that do are all unique to their own jurisdiction.

Response: For companies that operate in a single geography, minimal effort is required. Global organizations will continue to struggle with disparate requirements, but the relative scarcity of these will make the job manageable.

Inter-Government Cooperation: Low; Number of New Regulations: High

Scenario: Governments worldwide continue to develop new security and privacy regulations. With little or no alignment, compliance for global companies becomes a major challenge.

Response: All companies that operate globally will need to invest in an enterprise-grade governance, risk, and compliance (GRC) tool to help manage disparate regulatory regimes.

Probable Scenario

“I also believe a common global framework — rather than regulation that varies significantly by country and state — will ensure that the Internet does not get fractured, entrepreneurs can build products that serve everyone, and everyone gets the same protections.” (Mark Zuckerberg, CEO, Facebook, source: Facebook, 2019)

The most probable 2025 scenario for Drowning in Regulations will be a continuing torrent of new laws and regulations. At the national level, and the state level in the USA, these will primarily be focused on privacy. However, substantially all such laws will have data protection requirements that overlap into information security.

At the state and industry level, we will see more new and updated laws and regulations specific to cybersecurity. These will be accompanied by further requirements that are disseminated through contracts, such as the US DOD Cybersecurity Maturity Model Certification.

What we very likely won’t see by 2025 is evidence of any serious coordination among regulation-setting bodies. GDPR adequacy may be the beginning of a journey toward a global framework for data protection, but it is unlikely to gain much traction in the short to mid term.

Recommendations and Resources

Recommendations:

  1. Most organizations that do not already have a security compliance management function should start developing one. At the very least, these should include processes and responsibilities for identifying emerging regulations and mapping them into a common control framework.
  2. Organizations that operate globally or have a worldwide clientele should be looking at adopting a governance, risk, and compliance (GRC) tool to help manage their obligations. In the past, GRC tools tended to be very complex and expensive, and required highly skilled technical staff to implement and maintain. Fortunately, the advent of new cloud-based solutions is making GRC more accessible.

Security Team 2.0

Can AI save us from the talent shortage?

1,800,000 unfilled cybersecurity positions globally by 2022 (source: Center for Strategic & International Studies, 2019)

Can artificial intelligence save us from the cybersecurity talent shortage?

The first warnings about the cybersecurity skills gap appeared in 2010. The Center for Strategic & International Studies (CSIS) published A Human Capital Crisis in Cybersecurity, reporting a shortfall of up to 30,000 cybersecurity workers in the USA.

By 2019, CSIS was reporting that this shortfall had grown to 314,000, with a projected global shortfall of 1.8 million positions by 2022.

The first cybersecurity products marketed as being powered by artificial intelligence appeared in 2014, and by mid-2019 there were at least 30 such products.

Can AI save us from the growing talent shortage, or is it all just too much hype?

Signals and Drivers

The main driver for Security Team 2.0 will be the escalating cybersecurity skills gap.

The number of cybersecurity products that are marketed as artificial intelligence has exploded since Darktrace emerged on the scene in 2014.

However, a 2018 survey from the Ponemon Institute reports that a plurality of respondents believe the effect of AI cybersecurity products will be to increase the workload on security staff.

The result may be a growing reliance on managed security service providers.

Line graph of 'Cybersecurity products marketed as powered by AI' from 2013 to 2019. The line curves up exponentially.
(source: Google)

$56 billion global market for managed security service providers by 2024 (source: Channel Futures, 2018)

Pie graph showing 'Only 34% believe that AI defenses will reduce security staff workload'. It also shows that 45% think it will increase workload and 21% are unsure.
(source: Ponemon Institute, 2018)

Critical Uncertainties

Effectiveness of “AI” cybersecurity products

The study of artificial intelligence has undergone a number of booms and busts in the 60+ years since it began. Over and over, the promises of AI have been unrealized. Darktrace began this latest boom in cybersecurity AI, but it remains uncertain whether this too will go bust in the end.

Another key uncertainty is not how effective AI defenses will be at stopping attacks but how effective they will be in reducing security staff workloads. AI tools may simply create new jobs for “cyber AI specialists” or may increase demand for incident responders.

Availability of skilled cybersecurity workers

It seems certain that by the year 2025, there will still be a huge talent shortage in cybersecurity. The only uncertainty will be how large that shortage is. The Center for Strategic & International Studies puts the number at 1.8 million unfilled positions by 2022, but other reports have suggested the number may be much higher.

More and more colleges and universities are offering cybersecurity programs, but the problem may be greater than simple numbers. Graduates of these educational programs tend to be generalists who still need several years of on-the-job training or advanced learning to gain the specialized skills that are most in demand.

By 2025, “only the largest companies that need the highest levels of security will still maintain their own cybersecurity staff. The specialization, cost, and staffing difficulties will drive most of us to work with service providers.” (Michael Rock, Director, Enterprise Information Security, Hillenbrand, source: interview)

Scenario Analysis

Axes: Effectiveness of AI Defenses (Low to High) and Availability of Cyber Skills (Low to High).

Scenario: Security products based on machine learning and artificial intelligence fail to live up to their promises. Continued scarcity of cybersecurity skills means that only the largest and wealthiest enterprises can afford to have an in-house security team.

Response: Most organizations will need to embrace managed security service providers for core security processes.

Scenario: Cybersecurity skills remain scarce, but AI security products are able to provide advanced prevention, detection, and response capabilities.

Response: Organizations who effectively embrace AI defenses will be able to move precious security personnel away from technical controls and toward more complex activities such as compliance and risk management.

Scenario: Security products based on machine learning and artificial intelligence fail to live up to their promises. Fortunately, a flood of new security professionals enters the workforce, closing the skills gap.

Response: An abundance of skilled security professionals will drive salary expectations down, allowing most organizations to staff up their security teams to unprecedented levels.

Scenario: A flood of new security professionals enters the workforce, only to find that AI-based security products have rendered many of their jobs obsolete.

Response: Underemployed security professionals may look to cybercrime as a means to obtain the lucrative jobs that they were led to expect. Insider threats may emerge as a significant challenge.

Probable Scenario

“It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector. We have a massive shortage that is expected that will grow larger.” (Jeanette Manfra, Assistant Director for Cybersecurity, Department of Homeland Security, source: Tech Crunch, 2019)

The most probable 2025 scenario for Security Team 2.0 is that the cybersecurity talent shortage will continue or even worsen. Scarcity of skills will keep salary expectations high, making it hard for small and medium enterprises to justify adding new staff. Even when security leaders are granted approval to add new positions, they will find it increasingly difficult to attract qualified candidates.

There is significant uncertainty as to whether AI-driven security products will alleviate this challenge. Even if they do live up to their promises, the use of AI defenses could end up actually increasing the workload on security teams.

Nonetheless, the hype surrounding cyber AI will grow to a fever pitch over the years 2020-2023. Chief information security officers will find themselves under mounting pressure to get on the bandwagon lest they suffer from an AI gap.

Less scrupulous vendors will take advantage of the hype. Because there is no well-accepted definition of artificial intelligence, these vendors will market products that rely on heuristics and other existing algorithms as being “AI.”

Recommendations and Resources

Recommendations:

  1. Large enterprises that need to maintain in-house cybersecurity teams should:
    • In the short term, begin cultivating an understanding of the artificial intelligence defense market and how to separate hype from fact.
    • In the medium term, identify where AI products may fit into their overall security architecture.
    • In the long term, develop AI use cases, key goals, and associated proof of concept metrics for engaging vendors.
  2. Most other organizations should start developing a long-term strategic plan for outsourcing specific security processes to a managed security services provider in order to meet security objectives in the face of a significant talent shortage.

Become a Future-Proofed CISO

Cybersecurity stewardship is an ever-evolving task, but you don't have to stand alone. Follow Info-Tech's learn-adopt-grow framework to confidently tackle this new challenge in security leadership.

Establish a solid foundational understanding to adopt the current most impactful technologies, learn about changes in the technological and threat environments to innovate thoughtfully, and grow in your capacity as business partner by balancing the business and security impacts of new technologies.

Learn, Adopt, and Grow

Use Info-Tech's resources to support you on your journey to becoming a future-proofed CISO

01

Learn

Identify emerging changes in the technology and threat environments.

02

Adopt

Analyze changes to the cybersecurity ecosystem to understand business impacts.

03

Grow

Establish a strategic cybersecurity plan to take advantage of new security technologies.

Research Contributors

  • Don Davidson, Enterprise Security Architect, Canada Life
  • Ashley Ewing, Chief Information Security Officer, University of Alabama
  • Robert H. Jackson, Global Chief Information Security Officer, Sedgwick
  • Michael Rock, Director, Enterprise Information Security, Hillenbrand
  • Anonymous, Director, Cyber Governance, Financial Industry
  • Anonymous, Chief Information Security Officer, Government Industry

The author would like to recognize 33 information security and IT professionals who completed an anonymous survey as part of this research.

References

General

Antal, Katherine et al. “The Next Generation of Emerging Global Challenges.” Policy Horizons Canada. 19 October 2018. Accessed 14 August 2019.

Battle, LeVar. “What’s Next? Webroot’s 2019 Cybersecurity Predictions.” Webroot. 27 November 2018. Accessed 14 August 2019.

Carroll, Eoin, et al. “McAfee Labs 2019 Threats Predictions Report.” McAfee Labs. 29 November 2018. Accessed 15 August 2019.

Cheng, Roger. “AT&T makes new predictions after 1993 'You Will' ads come true.” CNet. 28 November 2018. Accessed 15 August 2019.

CSO Magazine. “9 cyber security predictions for 2019.” CSO Magazine. 20 November 2018. Accessed 16 August 2019.

Durbin, Steve. “2020 Vision: How to Prepare for the Future of Information Security Threats.” Infosec Island. 6 April 2018. Accessed 15 August 2019.

FireEye. “Facing Forward: Cyber Security in 2019 and Beyond.” FireEye. 2018. Accessed 14 August 2019.

Forcepoint. “2019 Forcepoint Cybersecurity Predictions Report.” Forcepoint. Accessed 16 August 2019.

Kaspersky Lab. “Threat Predictions for Industrial Security in 2019.” Kaspersky Lab. Accessed 15 August 2019.

Kilpatrick, Ian. “Top ten cybersecurity predictions for 2019.” ITProPortal. 8 November 2018. Accessed 16 August 2019.

LogRhythm Labs. “8 Cybersecurity Predictions for 2019.” LogRhythm Labs. 3 December 2018. Accessed 15 August 2019.

Lohrmann, Dan. “The Top 19 Security Predictions for 2019.” Government Technology. 2 January 2019. Accessed 14 August 2019.

Morbin, Tony. “2019 cyber-security predictions - Pandora's box of ills - but Hope remains.” SC Magazine. 21 December 2018. Accessed 14 August 2019.

Press, Gil. “60 Cybersecurity Predictions For 2019.” Forbes. 3 December 2018. Accessed 15 August 2019.

Proofpoint. “Cybersecurity Predictions for 2019.” Proofpoint. 12 December 2018. Accessed 14 August 2019.

Shortridge, Kelly. “2019 Cyber Security Predictions.” Medium. 5 December 2018. Accessed 15 August 2019.

Steinkopf, Tim. “Six Cybersecurity Predictions for 2019.” SC Magazine. 12 December 2018. Accessed 16 August 2019.

Thompson, Hugh, and Trilling, Steve. “Cyber Security Predictions: 2019 and Beyond.” Symantec Blog. 28 November 2018. Accessed 16 August 2019.

Watkins, Randy. “Five Cybersecurity Predictions For 2019.” Information Security Buzz. 29 January 2019. Accessed 16 August 2019.

Weber, Steven et al. “Cybersecurity Futures 2025.” UC Berkeley Center for Long-Term Cybersecurity. February 2018. Accessed 29 August 2019.

Cybersecurity in a Post-Truth World

Ajder, Henry, et al. “The State of Deepfakes.” DeepTrace. September 2019. Accessed 11 October 2019.

Alaphilippe, Alexandre, et al. “Automated tackling of disinformation.” European Parliamentary Research Service. March 2019. Accessed 11 October 2019.

Robitzski, Dan. “DARPA Spent $68 Million on Technology to Spot Deepfakes.” Futurism. 19 November 2018. Accessed 11 October 2019.

Schellmann, Hilke. “Deepfake Videos Are Getting Real and That’s a Problem.” The Wall Street Journal. 15 October 2018. Accessed 22 October 2019.

Schroepfer, Mike. “Creating a data set and a challenge for deepfakes.” Facebook. 5 September 2019. Accessed 11 October 2019.

Cloud First, Security Third

Asay, Matt. “Capital One's 'all-in' cloud strategy is much more than a tech decision.” TechRepublic. 7 December 2018. Accessed 30 October 2019.

Flexera. “Cloud Computing Trends: 2019 State of the Cloud Survey.” Flexera Blog. 27 February 2019. Accessed 28 October 2019.

IBM Security. “X-Force Threat Intelligence Index 2019.” IBM. February 2019. Accessed 28 October 2019.

Krebs, Brian. “Capital One Data Theft Impacts 106M People.” Krebs on Security. 19 July 2019. Accessed 29 October 2019.

Shen, Lucinda. “Capital One’s Data Breach Could Cost the Company up to $500 Million.” Fortune. 31 July 2019. Accessed 28 October 2019.

Sheridan, Kelly. “Cloud Security Spend Set to Reach $12.6B by 2023.” Dark Reading. 18 April 2019. Accessed 28 October 2019.

When IoT Met 5G

Bell, Pete. “Our Forecast? 1.9 billion 5G Users by 2025.” TeleGeography. 17 June 2019. Accessed 23 October 2019.

CCSInsight. “CCS Insight Predicts 1 Billion Users of 5G by 2023, with More Than Half in China.” CCSInsight. 18 October 2018. Accessed 23 October 2019.

Clayson, Paul. “Special Letter: At the Edge ‒ The IoT Security Imperative.” Strategic News Service. 26 September 2019. Accessed 22 October 2019.

Cloudflare. “Inside the infamous Mirai IoT Botnet: A Retrospective Analysis.” Cloudflare. 14 December 2017. Accessed 23 October 2019.

International Data Corporation. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” IDC. 18 June 2019. Accessed 23 October 2019.

National Institute of Standards and Technology. “NIST Releases Draft Security Feature Recommendations for IoT Devices.” NIST. 1 August 2019. Accessed 23 October 2019.

Oswald, Ed. “It’s 2025. How has 5G changed our lives? We asked experts to predict the future.” Digital Trends. 14 August 2019. Accessed 23 October 2019.

Seals, Tara. “5G and IoT: How to Approach the Security Implications.” Threatpost. 26 September 2019. Accessed 23 October 2019.

Schneier, Bruce. “New IoT Security Regulations.” Schneier on Security Blog. 13 November 2018. Accessed 24 October 2019.

Tobin, Anna. “5G Will Account For 15% Of Global Mobile Market By 2025.” Forbes. 25 February 2019. Accessed 23 October 2019.

Zscaler. “IoT in the Enterprise: An analysis of traffic and threats.” Zscaler ThreatLabz. May 2019. Accessed 23 October 2019.

Drowning in Regulations

Ehret, Todd. “INTERVIEW: Data-privacy compliance timeline is 'yesterday,' leading tech lawyer says.” Reuters. 8 October 2019. Accessed 11 October 2019.

Greenleaf, Graham. “Global Data Privacy Laws 2019: 132 National Laws & Many Bills.” Privacy Laws & Business International Report, 14-18. 1 August 2019. Accessed 22 October 2019.

Solove, Daniel. “Developing a Multi-Jurisdictional Approach to Privacy Laws — An Interview with K Royal.” Tech Privacy. 6 October 2019. Accessed 31 October 2019.

White, Kelly. “A New Standard Is Emerging In Cybersecurity Regulations.” Forbes. 31 May 2019. Accessed 11 October 2019.

Zuckerberg, Mark. “Four Ideas to Regulate the Internet.” Facebook. 30 March 2019. Accessed 22 October 2019.

Security Team 2.0

Crumpler, William and Lewis, James. “The Cybersecurity Workforce Gap.” Center for Strategic & International Studies. 29 January 2019. Accessed 3 October 2019.

Evans, Karen and Reeder, Franklin. “A Human Capital Crisis in Cybersecurity.” Center for Strategic & International Studies. 15 November 2010. Accessed 3 October 2019.

Gately, Edward. “More Consolidation, Standardization on the Horizon for MSSPs.” Channel Futures. 6 December 2018. Accessed 7 October 2019.

Ponemon Institute. “The Value of Artificial Intelligence in Cybersecurity.” Ponemon Institute. July 2018. Accessed 7 October 2019.

Shieber, Jonathan. “The lack of cybersecurity talent is ‘a national security threat,’ says DHS official.” Tech Crunch. 3 October 2019. Accessed 8 October 2019.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Author

Kate Wood
