Innovation, insight and influence: the CISO playbook for 2025 and beyond
From Covid-19 to war in Ukraine, SolarWinds Sunburst, Kaseya, Log4j, MOVEit and more, the past five years brought cyber to mainstream attention, but what comes next? The Computer Weekly Security Think Tank looks ahead to the second half of the 2020s
As 2024 comes to a close and we reach the midpoint of a decade that might generously be described as having so far been ‘turbulent’, I’d like to inject a note of positivity regarding the outlook for the second half of the 2020s.
Before you dismiss me as naïve or irrationally optimistic, please hear me out. I’m not claiming that the cyber security threats facing CISOs and their teams aren’t extremely problematic. On the contrary, threat actors are adopting AI to mount more complex and sophisticated attacks. This is a trend we can expect to continue in the second half of the 2020s.
But this is exactly why we cyber security professionals cannot afford to be immobilised by fear, uncertainty and doubt. To borrow a line from the Frank Herbert sci-fi epic Dune, “Fear is the mind killer.” And the broader business community must avoid paralysis too. What’s clear is that the nature of today’s threat landscape demands a united front.
To help allay fear, cyber security professionals can create a robust plan and a playbook of strategies that we can be confident will serve us well. With that in mind, I’d like to propose that CISOs and their teams focus on continuing to build three key attributes in 2025 and beyond: innovation, insight and influence.
Innovation is vital
Innovation is a vital element of the CISO playbook for 2025 and beyond. In the next five years, all analysis points to an escalation of cyber security threats driven by artificial intelligence (AI), and I firmly believe we must fight fire with fire. In other words, just as malicious actors have been quick to master and weaponise AI to conduct their attacks, AI can help cyber security teams build robust defences.
Cyber criminals are already using AI to automate attacks, to identify vulnerabilities in corporate systems, and to create attacks that are more likely to evade detection. In response, cyber security teams should be using AI to proactively patch any points of weakness, to spot suspicious anomalies in traffic flows and user behaviours, and to stop them in their tracks. AI provides the bridge between security data and actionable knowledge at scale.
In short, smart cyber security teams will get AI working for them. They will tap into its analytic powers and automation capabilities to craft proactive and adaptive strategies that reduce their reliance on traditional rules-based detection and manual effort.
Insight matters
Insight matters because we need to recognise and acknowledge that cyber threats are changing. Ransomware, phishing and zero-day exploits haven’t gone away – but increasingly, cyber security teams must also consider their approach to deepfake attacks, based on fraudulent but highly convincing images and multimedia files purporting to relate to real people.
The use of deepfakes by malicious actors is on the rise. In February 2024, Hong Kong police authorities reported that a finance worker at a multinational firm was tricked into paying out $25m to fraudsters who used deepfake technology to pose as the company’s own chief financial officer in a video conference call. The firm was later revealed to be engineering giant Arup.
In May, Mark Read, the CEO of the world’s largest advertising company WPP, became the target of an elaborate deepfake scam, in which fraudsters created a WhatsApp account with a publicly available image of Read and used it to set up a Microsoft Teams meeting that appeared to be with him and another senior WPP executive. In this case, the attempt to solicit money and personal data was unsuccessful.
Other firms will be targeted, as the underlying technology becomes more accessible and affordable for threat actors. According to IT market analyst company Gartner, by 2026, almost one-third of organisations (30%) will consider their current authentication or digital ID tooling inadequate to fight deepfakes.
With that in mind, during 2025, IT security teams must step up and play an instrumental role in helping to counter this kind of sophisticated social engineering attack, by educating executives and employees on the risk, training them to spot deepfakes, and putting advanced AI and machine learning capabilities to work on identifying and deterring them.
Security influencers
Finally, CISOs must continue to engage more broadly with the business to understand its priorities. The CISO’s expertise and opinions must directly impact business strategy, and CISOs are important interlocutors in boardroom discussions about organisational risk.
Today’s CISO is more frequently involved in strategic conversations and needs a sound understanding of overall business priorities in order to build programmes that manage risk exposure effectively. In short, the role is expanding significantly as cyber attacks become an ever-more complex and prominent part of the overall enterprise risk picture.
This trend will see CISOs working more closely than ever with other senior executives, including those involved in overseeing finance, legal, HR and operations, as well as with those at the very top of the corporate hierarchy. A recent survey from Deloitte Global, for example, shows that one in five businesses worldwide now has the CISO report directly to the CEO, rather than the chief information officer.
According to the report’s authors: “Today CISOs are not only protectors against outside threats, but key players helping their organisation find success by integrating cyber considerations in the strategic decision-making process.”
I couldn’t agree more. Innovation, insight and influence are just three elements of my own strategy for 2025 and beyond – others include inclusivity and imagination – but I believe they will go a long way in helping us to face the future with determination and a positive mindset.
Originally published at ECT News