Cybersecurity’s core mission remains the same: Defend the organization from all the dangers that lurk in the digital space.
But what constitutes danger is evolving, as are the technologies involved on both the offensive and defensive sides of cybersecurity. So, too, are the ways security chiefs execute on that mission.
Threats are rising, and they’re becoming more sophisticated. Attacks are coming at an ever-increasing rate of speed. Artificial intelligence is reshaping everything. Market and financial pressures are mounting.
CISOs feel the squeeze. Bitsight Trace surveyed 1,000 cybersecurity and cyber risk leaders for its State of Cyber Risk and Exposure 2025 report and found that 90% said managing cyber risks is harder than it was five years ago. The explosion of AI and the widening attack surface are the top two reasons for that increasing difficulty, according to respondents.
But cyber leaders say those are only two of the factors impacting security. Here they delve into five key trends reshaping IT security strategies today.
1. Financial pressures putting the squeeze on security budgets
Macroeconomic uncertainties have put pressure on the C-suite to keep costs in check. That pressure extends to the security function, with CEOs and CFOs expecting CISOs to do more with less, says Lou Steinberg, founder and managing partner at CTM Insights, a cybersecurity research lab and incubator.
“We’ve hit a point of funding fatigue with information security. Budgets have gone up and to the right forever, and now they’re flat and sometimes down,” Steinberg says. “That’s new to many CISOs, so they have to answer questions about efficiencies that they have not had to in the past.”
The 2025 Budget Benchmark Report from IANS Security and Artico Search found that average annual security budget growth dropped to 4%, a sharp decline from 8% in 2024 and the lowest growth rate in five years. It also found that only 47% of the 587 surveyed CISOs reported an increase in their security budgets in 2025, down significantly from 62% in 2024 and 78% in 2022. More than half (54%) reported flat or shrinking budgets.
Similarly, the 2025 Global Cybersecurity Leadership Insights Study from professional services firm EY found that cybersecurity budgets have fallen from 1.1% to 0.6% of annual revenue over the past two years.
Steinberg said CISOs in response are simplifying their tech stack, shedding bespoke and point-in-time solutions for off-the-shelf options that offer the same controls but are easier to manage and have a lower total cost of ownership. They’re identifying more areas to automate to generate efficiencies, and they’re outsourcing more to reduce talent costs.
2. AI-enabled attacks emerging to amplify business risks
CISOs now rank AI-powered cyberattacks as their top concern, cited by 80% of CISOs in a survey by Boston Consulting Group. That’s in contrast to a year ago when CISOs put AI-powered attacks at No. 4 on their list of top concerns.
Adversaries are using generative AI for more sophisticated, more targeted, and more effective social engineering — which 62% of CISOs listed as a major concern or critical threat, according to the BCG survey.
“Organizations have seen a surge in automated, Gen-AI powered attacks, which are increasingly easy for attackers to execute and can be extremely effective at deceiving employees, partners, or customers,” BCG said in announcing its survey results.
This has CISOs spending more in areas they believe can help them counter these types of attacks, notably threat intelligence and application security as well as AI-enabled security solutions, BCG reported.
Security leaders are bracing for even more powerful AI-enabled attacks. Kris Lovejoy, global security and resiliency practice leader at IT infrastructure services provider Kyndryl, predicts that by 2027 enterprises will be hit by fully autonomous, AI-driven cyberattacks.
Such predictions have CISOs rushing to implement AI tools for detection, response, recovery and resilience, says Wolfgang Goerlich, IANS Research faculty and a public sector CISO.
3. Agentic AI rising to redefine security fundamentals
CISOs have been working to secure their own organization’s AI initiatives, adjusting policies and implementing tools to protect the data being used by AI as well as the AI algorithms.
That work is ongoing, but CISOs must now start planning how to safeguard their organizations from the risks created by agentic AI.
Team8’s 2025 CISO Village Survey found that 37% of CISOs said securing AI agents was among their most urgent concerns.
Steinberg says agentic AI will require CISOs to evolve how they approach not just authentication but authorization, too.
“Most agents today live in their walled gardens so CISOs trust them implicitly,” Steinberg explains. “But we’re moving to a place where we’ll have outside agents interacting with [a CISO’s own organization], and the CISO will have to authenticate those agents to know it is what it says it is and that it is authorized to take the action it’s taking. We’re going to have to ask, ‘Are you authorized to perform the task you’re asking me to do.’”
For example, Steinberg says agentic AI will allow a traveler to book a flight with little more than a prompt. The traveler would start with an online query for a flight that meets certain parameters, such as departing airport and destination, day, preferred airline, etc. The AI agent would then move from search to booking to payment on its own.
In this future state, the airline will have to find a way to verify that the agent was authorized to book the flight on the traveler’s behalf — a difficult task without a human in the loop, Steinberg says.
“We have to have some sort of way to confirm that a real person with a real identity wants the agent to do a specific thing. Otherwise, how will the organization know that the chain is trustworthy?” Steinberg says, noting that agentic AI will mean the end of CISOs using authentication as a proxy for authorization.
Steinberg says he doesn’t see any real solutions to that challenge yet, although researchers and technology companies are trying to expand existing authorization protocols to include authentication mechanisms, too.
“But until there is a real standard solution, we’re going to continue to use the walled garden approach: I’ll only trust what is mine,” he says. “And that is going to be limiting at a time when the business folks are going to want to do things. It could mean the security department will once again be the department of no and slow.”
4. Speed of change shifting security postures and practices
Speed is another trend impacting security strategies, as CISOs say they’re moving faster now than they have in the past and they expect they’ll have to move still faster in the future to keep pace with adversaries and the business.
Consider some figures.
The CISO Perspectives Report 2025: AI and Digital Supply Chain Risks from Cobalt, a security tech and services company, found that 60% of surveyed security leaders believe attackers are evolving too quickly to maintain a truly resilient security posture.
And the 2025 CISO Benchmark Report: Securing the Digital Foundation for Reinvention from Accenture and the Retail & Hospitality ISAC found that 45% of CISOs surveyed cited “speed of business requirements” as a barrier to securing the digital core by design.
“It’s about the speed of change and keeping up with it,” says Phil Swain, CISO and vice president of information security at tech company Extreme Networks. “CISOs are here to support the business, and security is an enabler of the business, so as businesses evolve faster and become a lot more nimble and more innovative, that is percolating down into security. Security has to evolve more quickly and become more adaptable.”
5. Vendor landscape raising questions about viability, resiliency, and trust
The security tech sector has experienced a surge in mergers and acquisitions in 2025.
“M&A activity remains high (with Q1’s annualized deal count in line with 2024’s record deal volume) as strategic buyers and investors consolidate capabilities across key domains — cloud security, exposure management, identity and SecOps — positioning themselves to meet evolving enterprise needs and capitalize on cross-platform value,” according to the Cybersecurity Software Sector M&A Industry Insights Spring 2025 report from Kroll, a provider of financial and risk advisory solutions.
That may not always benefit CISOs, however, Goerlich says.
“When we think about resilience, we have to think about the resilience of our tech software and services providers. That is driving us to look more at the vendor market. More and more we have to pay attention to the viability of our vendors, whether they’re going to be acquired and whether they’ll be around,” he says. “Because when a vendor gets bought, costs can go through the roof, the vendor’s roadmap can be paused. I had one vendor that was bought and its roadmap was paused and it fell behind and I ended up with a weakness [in my security program] as a result. So I had to pivot when I wasn’t planning on it.”
Goerlich says he’s now spending more time monitoring the vendor markets for investor trends and M&A news so that he can safeguard his security program against such situations in the future.