At the 3rd annual FutureCISO conference held on 5 June 2024 in Singapore, 80% of the 115 security professionals who attended the event stated that data security was their primary focus for 2024, 11 percentage points ahead of cloud security. Security professionals recognise the challenges of protecting data that resides across multiple repositories, including on-premises data centres, the cloud, edge devices, and data in transit.
Additionally, 53% cited visibility of what exists as their most pressing challenge while attempting to secure the edge. Technology has grown in complexity, reflecting the state of business and regulatory environments.
FutureCISO gathered insights from several security subject matter experts regarding the current landscape for CISOs and their organisations, as well as possible developments in 2025.
Identity theft
In a rapidly changing landscape, identity-based attacks are becoming more sophisticated, with phishing kits evolving to bypass security measures like impossible travel flags. Brett Winterford, regional chief security officer at Okta, emphasises the importance of adopting phishing-resistant authentication to combat these threats.
"Organisations must evolve their technologies and policies to defend against increasingly complex attacks," says Winterford.
As attackers pivot from phishing to device-based strategies, organisations face challenges in securing endpoints. Compromised devices can lead to identity theft, necessitating robust device trust and endpoint detection measures. Additionally, attackers may exploit weaknesses in business processes, tricking employees into divulging sensitive information.
The rise of downgrade attacks, where users are coerced into using less secure authentication methods, further complicates security efforts. Meanwhile, the emergence of generative AI poses new risks, such as deepfake scams targeting employees.
To mitigate these threats, businesses must educate their workforce, implement stringent verification processes, and foster a culture of vigilance. As identity-based attacks continue to evolve, proactive adaptation is essential for safeguarding sensitive data. Organisations are urged to commence their security evolution today.
Dark web
Coming into 2025, dark web forums reveal alarming trends in cybersecurity risks. A recent NordVPN analysis highlights significant discussions around advanced disinformation tactics, smart home vulnerabilities, and AI-driven social engineering.
"Although last year's predictions remain relevant, the popularity of hacking courses and DIY cybercrime kits has increased noticeably," says Adrianus Warmenhoven, a cybersecurity expert at NordVPN.
Key concerns include the rise of account takeovers, fuelled by "combo lists" of stolen credentials, and the exploitation of smart home devices, with over 9.1 billion security events reported globally. Identity theft remains a top priority for cybercriminals, evolving into sophisticated techniques like synthetic identity fraud and reverse identity theft.
Moreover, "disinformation as a service" is emerging as a major threat, with cybercriminals leveraging AI to spread misinformation through bot farms and fake accounts, targeting specific demographics for maximum impact. AI-driven social engineering is also becoming more complex, allowing hackers to manipulate employees into revealing sensitive information.
Organisations must bolster their defences against these evolving threats to protect sensitive data and maintain security integrity. The dark web's trends serve as a stark reminder of the challenges ahead.
The threat of an AI gap
In 2025, businesses are expected to increasingly engage AI middleware companies to streamline the adoption of secure and efficient AI solutions. Middleware facilitates seamless communication between systems, reducing the need for in-house expertise. "By leveraging third-party expertise, organisations reduce the risks associated with AI development," says Anthony Spiteri, regional CTO APJ at Veeam.
As AI adoption rises, so too will the complexity of data management, necessitating robust practices to protect critical datasets. Additionally, many organisations are anticipated to shift workloads back from public clouds to on-premises data centres, embracing a hybrid approach that offers greater control and efficiency.
The threat landscape is evolving, with AI-powered attacks like deepfakes and sophisticated phishing becoming more prevalent. To combat these risks, businesses will adopt proactive cybersecurity strategies and advanced identity validation methods. This shift emphasises the importance of data resilience at the executive level, as chief AI officers (CAIOs) take charge of ethical AI usage and data integrity.
As organisations prepare for the challenges ahead, comprehensive data recovery strategies will be essential, ensuring readiness against emerging threats and compliance with stricter regulations.
Deepfakes
In 2025, deepfake technology is poised to become a significant cybersecurity challenge, enabling sophisticated social engineering attacks that exploit human vulnerabilities. "We anticipate a surge in insider threats, with deepfake-generated 'employees' infiltrating organisations to steal data or execute ransomware schemes," warns Stewart Garett, regional vice president at MongoDB.
To combat this evolving threat, AI will be essential. "AI-powered resilience frameworks will enable organisations to adapt dynamically to complex threats," Garett emphasises. As developers enhance detection capabilities, businesses will adopt advanced identity verification methods like behavioural analysis and contextual authentication, moving beyond traditional passwords.
Predictive AI will also play a crucial role in assessing both technical systems and human behaviours, allowing for rapid adaptation to emerging threats. The future of cybersecurity hinges on creating agile, AI-enhanced defences that tackle both technical and human vulnerabilities head-on.
The rocky road to AI
Security professionals FutureCFO has spoken to see leveraging AI as an important strategy moving forward. Gartner predicts that by 2027, generative AI will contribute to a 30% reduction in false positive rates for application security testing and threat detection by refining results from other techniques to distinguish benign from malicious events.
However, despite the interest in its use, 64% of attendees at the FutureCFO conference cited a lack of understanding of AI and of AI as a cyber tool. The complexity of AI technologies necessitates a deep understanding of both the tools and the specific security needs of the organisation, which can be hindered by skills shortages.
It doesn’t help that the rapid evolution of cyber threats requires ongoing adaptation of AI strategies, while concerns about data privacy and ethical considerations complicate compliance with regulations.
Given that AI as a security solution remains nascent, reliance on AI can lead to false positives, resulting in alert fatigue among security teams. To navigate these challenges successfully, CISOs must foster collaboration between IT and security teams and ensure that AI solutions align with overall business objectives, ultimately harnessing AI's potential to enhance their cybersecurity posture in an increasingly perilous digital landscape.