Threats have been more sophisticated, unpredictable and harder to pin down. Attackers don’t just exploit technical weaknesses – they target human behaviour, organisational blind spots, and even regulatory loopholes. From spear phishing and deepfake fraud to misinformation generated by artificial intelligence (AI), cyber criminals are using emerging technologies to launch attacks with precision and ease. This means the old playbook of relying solely on technical defences isn’t enough anymore.
Organisations need a shift in mindset: prioritising secure human behaviours, leveraging technologies like GenAI, and addressing business risks as much as external threats. The scope of cyber security is not just tech-savvy but also human-centric.
CISOs need to also consider the following trends for their security strategies for the near future.
The Rising Cost of Malinformation
In 2024, one of the more subtle yet critical challenges that emerged was the rise of malinformation – deliberate misinformation aimed at manipulating and destabilising. Battling misinformation and reputational threats is becoming a top-line issue for all. By 2028, organisations will spend over $500 billion annually addressing malinformation, with impacts felt across marketing and cyber security budgets alike.
Deepfake fraud, social engineering, and AI-driven scams are driving the need for enterprise-wide programmes led by CISOs. Companies must prioritise investments in resilience measures such as chaos engineering to prepare for these challenges.
Zero-trust principles under pressure
Zero-trust has become a cyber security cornerstone, but its application has limits. By 2026, 75% of organisations will exclude legacy systems and operational environments from zero-trust strategies due to their unique constraints.
Adapting zero-trust principles to non-IT systems, like production lines or older platforms, will be critical for organisations looking to expand their defences while maintaining operational efficiency.
Shifting responsibilities for CISOs
Cyber security leaders are facing increased accountability. By 2027, two-thirds of Global 100 companies will extend directors’ and officers’ insurance to their cyber security leaders, reflecting heightened scrutiny on their roles. Clarifying the CISO role and aligning it with regulatory expectations is vital to manage these risks effectively.
Merging insider risk and data security
Insider threats remain a significant challenge, particularly in an era of remote and hybrid work. By 2027, 70% of organisations will combine data loss prevention and insider risk management with identity and access systems. This integrated approach will help businesses better identify and mitigate potential threats while simplifying their security frameworks.
GenAI: A quiet revolution
GenAI is set to make a practical but measured impact on cybersecurity operations. By 2028, AI-driven solutions will allow 50% of entry-level cybersecurity roles to be filled without requiring specialised education, helping organisations bridge talent shortages. In addition, organisations integrating GenAI into employee training programmes and security workflows could see up to a 40% reduction in employee-driven incidents by 2026. While GenAI offers promising tools for improving efficiency and education, it should be viewed as a complement to, not a replacement for, broader security strategies.
Decentralising application security
As low-code and no-code tools grow in popularity, application security is moving closer to the teams building the software. By 2027, 30% of organisations will empower non-technical professionals to manage aspects of app security, supported by new roles like “application security product managers. Providing these teams with the right resources and training will be essential to maintaining robust security practices in a more decentralised environment.
Navigating the hurdles
2024 underscored the growing personal and legal stakes for cyber security leaders. As the threat landscape evolves, the lessons of 2024 underline the critical need for organisations to be agile, innovative, and human-focused in their strategies. While the potential of GenAI is undeniable, its success will hinge on careful governance and targeted use. At the same time, the growing impact of threats like malinformation and personal liability underscores the need for new tools, strategies, and insurance protections.
Ultimately, cyber security in 2025 will require security and risk management leaders to act decisively and collaboratively. Those who embrace this complexity and prioritise building secure behaviours within their teams will be the ones who stay ahead and succeed in 2025.
Deepti Gopal is director analyst at Gartner.
