{"id":1410,"date":"2025-01-06T06:00:00","date_gmt":"2025-01-06T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1410"},"modified":"2025-01-06T06:00:00","modified_gmt":"2025-01-06T06:00:00","slug":"12-cybersecurity-resolutions-for-2025","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1410","title":{"rendered":"12 cybersecurity resolutions for 2025"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>As cyber threats continue to evolve, CISOs must prepare for an increasingly complex threat landscape. From dealing with AI-driven attacks to managing changing regulatory requirements, it\u2019s clear that 2025 will be another big year for CISOs.<\/p>\n<p>But staying ahead requires more than just implementing the next cutting-edge set of tools or technologies. It demands a shift in mindset \u2014 viewing cybersecurity not just as a technical function, but as a strategic enabler of business resilience.<\/p>\n<p>To help you navigate the road ahead, here are 12 new year\u2019s resolutions every cybersecurity leader should consider adopting.<\/p>\n<h2 class=\"wp-block-heading\">1. Learn whether AI is relevant to your business<\/h2>\n<p>The rise of generative AI has been a game-changer for industries across the board, including cybersecurity, but not always for the better. Technology and cybersecurity researcher Erik J. Huffman warns: \u201cWith AI, we know it can be extremely helpful, but we\u2019re all kind of holding our breath, wondering how it is going to be used against us. Anything that we\u2019ve developed for good, the attackers are going to just take it and flip it on its head for bad. 
They\u2019re just a lot more creative than we are on the good guy side.\u201d<\/p>\n<p>Huffman points to WormGPT as an early example of this, noting how it is making coding easier for threat actors. \u201cIt\u2019s ChatGPT, but for malicious purposes. It\u2019ll create ransomware for you. It\u2019ll develop malicious code and vulnerabilities for you \u2026 it\u2019s taken the job of coding for a threat actor and made it really easy, especially like non-native English speakers, non-native Chinese speakers, or non-native Italian speakers. You can now write a phishing email in whatever language you want, and it\u2019ll read pretty decently.\u201d<\/p>\n<p>His advice for CISOs in the new year is to take the time to figure out if AI is suitable for their business. \u201cAsk yourself, \u2018Do you really need it?\u2019 Don\u2019t just follow the trend because everyone else is doing it, and don\u2019t just deploy an AI solution in your organization because the CEO says, \u2018Hey we need something AI in here\u2019.\u201d<\/p>\n<h2 class=\"wp-block-heading\">2. Upskill on AI and learn how to use it for good<\/h2>\n<p>Still on the topic of AI, Chirag Joshi, founder and CISO of 7Rules Cyber, believes AI isn\u2019t just a tool for attackers; it\u2019s also a powerful ally for defenders. He points out how leveraging AI smartly can reduce the cost and duration of breaches.<\/p>\n<p>\u201cAwareness and training programs, and the human risk management aspect of AI has to evolve. If your training and awareness efforts are not accounting for these changes, that\u2019s a gap,\u201d he says. \u201cUsing it smartly could help defend and have a significant impact \u2014 both in terms of the cost of data breach and reducing the time it takes to respond to incidents and contain them. I think that needs to be factored into response and detection plans.\u201d<\/p>\n<p>Joshi also urges CISOs to explore AI\u2019s potential in areas like risk assessments and policy guidance. 
\u201cYou don\u2019t eliminate human oversight; it absolutely has to be there. But can you augment it and make it more effective?\u201d<\/p>\n<h2 class=\"wp-block-heading\">3. Lean in on identity-centric security<\/h2>\n<p>With malicious actors weaponizing AI and deepfake technologies, Avishai Avivi, CISO at SafeBreach, stresses the rising importance of <a href=\"https:\/\/www.csoonline.com\/article\/575537\/ai-and-tech-innovation-economic-pressures-increase-identity-attack-surface.html\">identity-centric security<\/a> to combat these threats.<\/p>\n<p>\u201cRealizing that malicious actors are leveraging the same technologies to enhance their capabilities, identity-centric security, and the risks presented by deepfake technology will mean an increased focus on security controls that can help identify, reduce, or neutralize these risks,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">4. Step up non-human identity security<\/h2>\n<p>While securing <a href=\"https:\/\/www.csoonline.com\/article\/3476130\/nhis-may-be-your-biggest-and-most-neglected-security-hole.html\">human identities<\/a> is a priority, it\u2019s equally crucial to address the growing reliance on APIs and machine-to-machine communications, which bring their own set of risks, as Avivi highlights.<\/p>\n<p>\u201cThe security of these machine-to-machine connections becomes increasingly critical and yet another risk category we need to consider,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">5. Ensure security investments are proportional<\/h2>\n<p>As organizations grapple with evolving threats, Joshi highlights the importance of adopting a \u201creasonable and proportionate\u201d approach to security investments. 
He points out how recent regulatory actions, such as those <a href=\"https:\/\/www.csoonline.com\/article\/3612378\/australias-first-cyber-security-act-passes-both-houses.html\">designed because of the Medibank and Optus breaches in Australia<\/a>, have reinforced this point.<\/p>\n<p>\u201cWhat does it really mean to have a reasonable, indefensible security? The investments we make and the efforts we put in need to be timely. This is where boards are leaning in, because it\u2019s not just core for them, it\u2019s also a liability for CISOs,\u201d he explains.<\/p>\n<h2 class=\"wp-block-heading\">6. Obtain directors and officers liability insurance<\/h2>\n<p>CISOs must also consider <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">personal protection measures<\/a>. Wouter Veugelen, head of cybersecurity Australia and senior managing director of FTI Consulting, predicts there\u2019ll be greater scrutiny of individual accountability for CISOs in 2025. As legal cases involving CISOs become more frequent, he believes it\u2019s time for CISOs to consider taking out directors and officers liability insurance.<\/p>\n<p>\u201cThere is an increased risk for someone taking on a CISO role, where they may be subject to the same scrutiny [as CEOs] in the future. Traditionally, CISOs are not included in organizations\u2019 [insurance] package \u2026 so having this type of insurance would definitely be part of my list,\u201d Veugelen says.<\/p>\n<h2 class=\"wp-block-heading\">7. Stay ahead of cybersecurity legislation<\/h2>\n<p>On the topic of legal preparedness, David Hull, CISO at technology research and advisory firm ISG, emphasizes the importance of CISOs staying ahead of incoming cyber legislation. 
\u201cThere\u2019s a ridiculous amount of legislation still to come,\u201d he says, pointing out that newly introduced laws are not always the clearest.<\/p>\n<p>However, he acknowledges that one of the strengths of the cybersecurity sector lies in its close-knit community, which often comes together to untangle and understand new laws. \u201cYou see the community come together, with everyone asking the same questions, and together you figure out how to interpret it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">8. Educate executives about the costs of data breaches<\/h2>\n<p>But it\u2019s not just CISOs who need to pay attention. While many executives understand the immediate impacts of a data breach, the long-term costs often remain underappreciated. Veugelen points to cases stemming from breaches in 2022 that are still in court today.<\/p>\n<p>\u201cCISOs should continue to educate executives on the significance of all of these costs. As such, they should seek to optimize cybersecurity budgets for proactive cybersecurity defense as a means to reduce overall risk exposure and the likelihood of suffering such a big cybersecurity and data breach,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">9. Speak the language of business<\/h2>\n<p>But as Joshi argues, one of the biggest challenges CISOs face is knowing how to translate technical risks into business terms. He highlights the role that CISOs need to play in helping the broader business bridge that gap.<\/p>\n<p>\u201cYou really need to understand how the business makes money \u2026 you have to as a CISO, otherwise you\u2019re disconnected from what\u2019s happening,\u201d Joshi says. \u201cIf you can\u2019t talk with some level of competence or authority about the primary things on top of mind of C-suites in terms of expanding into new areas, new products, or new strategies \u2026 you won\u2019t be having risk conversations. 
You really can\u2019t do cyber risk without incorporating business risk.\u201d<\/p>\n<h2 class=\"wp-block-heading\">10. Collaborate with other parts of the organization<\/h2>\n<p>Gone are the days when cybersecurity operated in a silo. In 2025, effective cybersecurity will depend on long-lasting relationships with multiple business departments, from legal and procurement to marketing and operations.<\/p>\n<p>\u201cMake sure that cybersecurity goals are aligned with the business executives,\u201d Veugelen warns. \u201cI still often see cybersecurity seen as a broker source or a function that delays projects, but ultimately cybersecurity should be seen as a business enabler that helps deliver new digital innovations, but in a secure way.\u201d<\/p>\n<h2 class=\"wp-block-heading\">11. Tackle third-party risks head-on<\/h2>\n<p>Third-party vendors remain one of the weakest links in many organizations\u2019 cybersecurity strategies, according to Joshi, who points to the CrowdStrike outage as a prime example. He advises CISOs to \u201cthink of a better way to manage supply chain risks, especially vendor risk assessments.\u201d<\/p>\n<p>\u201cI think they need to get beyond these questionnaires and start to adopt some more leading practices, and a better way to do that is to actually collaborate,\u201d he says. \u201cCollaboration is not just getting together for roundtables; it\u2019s also about focusing on having deeper conversations \u2026 [about] what does it mean for them, and actually contextualize and personalize that conversation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">12. Put cyber recovery back at the top of the agenda<\/h2>\n<p>While not a new concept, recent cyberattacks have underscored the importance of prioritizing an organization\u2019s ability to recover alongside its defense strategies. 
As Hull explains, \u201cCISOs need to open their eyes a bit and say, \u2018We probably need to do a bit better there and refocus our attention on recovery\u2019.\u201d<\/p>\n<p>Huffman agrees, emphasizing that the speed of recovery is critical to retaining customers after an attack. \u201cIf it takes you two or three weeks to recover, you\u2019re now an anomaly. The focus is shifting to whether you can recover within three days or a week. How prepared are you for a cyberattack? Can you recover within a socially acceptable amount of time?\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As cyber threats continue to evolve, CISOs must prepare for an increasingly complex threat landscape. From dealing with AI-driven attacks to managing changing regulatory requirements, it\u2019s clear that 2025 will be another big year for CISOs. But staying ahead requires more than just implementing the next cutting-edge set of tools or technologies. It demands a 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1411,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1410","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1410"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1410"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1410\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1411"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}