{"id":1657,"date":"2025-01-27T09:01:00","date_gmt":"2025-01-27T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1657"},"modified":"2025-01-27T09:01:00","modified_gmt":"2025-01-27T09:01:00","slug":"cisos-top-12-cybersecurity-priorities-for-2025","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1657","title":{"rendered":"CISOs\u2019 top 12 cybersecurity priorities for 2025"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security chief Andrew Obadiaru\u2019s to-do list for the upcoming year will be familiar to CISOs everywhere: advance a zero-trust architecture in the organization; strengthen identity and access controls as part of that drive; increase monitoring of third-party risks; and expand the use of artificial intelligence in security operations.<\/p>\n<p>\u201cNothing is particularly new \u2014 maybe AI is newer, and the pace at which it\u2019s all going keeps increasing \u2014 but we need to do better at all of it in 2025,\u201d says Obadiaru, CISO at Cobalt, which offers penetration testing as a service.<\/p>\n<p>Obadiaru\u2019s priorities mirror those listed by other CISOs in multiple reports, including <a href=\"https:\/\/foundryco.com\/research\/security-priorities\/\">Foundry\u2019s recent Security Priorities Study<\/a>, that show security leaders doubling down on security fundamentals while also layering in newer elements \u2014 namely AI.<\/p>\n<p>Despite overall similarities in objectives among security leaders, CISOs are also prioritizing based on their organization\u2019s unique needs: the maturity of their security posture, as well as their market position, industry, and other differentiating factors.<\/p>\n<p>Leading-edge CISOs are also implementing additional accountability strategies to ensure their 
teams know the organization\u2019s security priorities and that other executives and business leaders do their part to help secure the enterprise.<\/p>\n<p>Accountability as a priority is essential if CISOs want to finish 2025 in a stronger position than when the year started, says David Chaddock, managing director for cybersecurity at digital services firm West Monroe.<\/p>\n<p>\u201cIt\u2019s hard for CISOs to do all these things on their priority lists if they don\u2019t own the people and talent to [implement and maintain them],\u201d he says. \u201cSo it\u2019s all about driving those priorities by using a governance framework which forces everyone else to put in their piece of the pie to make sure those things get accomplished.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Top 12 security priorities today<\/h2>\n<p>Foundry\u2019s recent Security Priorities Study polled 870 IT security decision-makers and found that today\u2019s top directives are dominated by longstanding themes.<\/p>\n<p>At the top of the priority list for CISOs is strengthening their organization\u2019s security posture to better protect confidential and sensitive data, with 40% designating it a top priority for 2025.<\/p>\n<p>Rounding out the top 5 are: upgrading IT and data security to boost resiliency; securing cloud data and systems; enhancing security awareness through user training; and simplifying IT security infrastructure.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Foundry \/ CSO<\/p>\n<\/div>\n<p>Additional items among the top 12 priorities are perennial objectives for many security departments, including the need to enhance identity and access controls (26%), to improve threat intelligence (25%), to reduce security spending (20%), to streamline compliance and privacy efforts (19%), and to better leverage data for security purposes (19%).<\/p>\n<p>Two big movers compared to the year prior were accelerating the use of AI to 
improve security effectiveness (25%), up to eighth overall from 12th in 2023, and <a href=\"https:\/\/www.csoonline.com\/article\/1305977\/6-best-practices-for-third-party-risk-management.html\">improve management of third-party risks<\/a> (23%) \u2014 two security issues that have grabbed more headlines of late.<\/p>\n<h2 class=\"wp-block-heading\">Risk mitigation and management<\/h2>\n<p>The work happening in Obadiaru\u2019s security department at Cobalt reflects most of those trending priorities.<\/p>\n<p>As CISO for a company that has \u2014 like most organizations today \u2014 remote workers, Obadiaru has prioritized advancing a zero-trust environment. He sees <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero trust<\/a> as critical for mitigating security risk in a business that has employees, partners, and customers interacting with the company anywhere, anytime via digital channels.<\/p>\n<p>This priority has Obadiaru\u2019s security team reconfiguring pieces of the IT stack, tweaking the tech architecture, and implementing more authentication and access controls.<\/p>\n<p>\u201cThe goal is to be in a very stable place with zero trust by the end of 2025,\u201d Obadiaru adds.<\/p>\n<p>He also wants to implement more AI capabilities for enhanced threat detection and monitoring, as well as more automation within the security function. To that end, Obadiaru is moving to an AI-powered <a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">security information and event management (SIEM)<\/a> system.<\/p>\n<p>And he plans to use AI for monitoring vendor risk. 
He says it will complement the security assessment vendors undergo when onboarded and will strengthen his third-party risk management practice.<\/p>\n<p>\u201cWe want to be able to monitor and validate their security stances and know if their environment changes in a way that changes the risk,\u201d he explains, adding that he uses security scorecards and benchmarking as part of this process. \u201cWe\u2019re using it now, but not to the degree we should. We want to develop a process where we can take the information provided and use it over the course of the vendor\u2019s contract.\u201d<\/p>\n<p>Additionally, Obadiaru is prioritizing work around regulatory compliance, work that includes renewing his company\u2019s ISO 27000-01 certification this summer and ensuring his security organization keeps pace with all new regulatory and certification requirements.<\/p>\n<h2 class=\"wp-block-heading\">The double-edged sword of AI<\/h2>\n<p>Adam Currie, global vice president and CISO for HCLSoftware, is also seeking to increase his organization\u2019s use of AI to improve security effectiveness.<\/p>\n<p>As part of this effort, Currie and team are focusing on better understanding how threat actors themselves are using AI \u2014 and studying how HCLSoftware\u2019s internal use of AI could add risk.<\/p>\n<p>It\u2019s about \u201chow do we leverage AI to protect ourselves from AI,\u201d Currie says, highlighting the need for CISOs to train their teams to take on that challenge, in particular securing the data and models on which the company\u2019s AI initiatives depend.<\/p>\n<p>Likewise, Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO, highlights AI as a key CISO priority.<\/p>\n<p>Knapton also sees the technology as a double-edged sword: It helps security teams \u201creduce friction and boost improvements\u201d on the one hand but also \u201cis bringing with it a lot of its own security concerns.\u201d<\/p>\n<p>To address AI, 
Knapton is crafting security policies for the use of AI and the data it requires and is putting in guardrails, procedures, and controls to enforce them.<\/p>\n<p>\u201cCISOs have to be very active in 2025 in defining how and when organizations should leverage AI while also protecting corporate IP and customer data, making sure we\u2019re protecting all our nonpublic protected information,\u201d says Knapton. \u201cWe all have to be cautious about what data we\u2019re putting into the AI systems.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Cloud security, compliance, and more<\/h2>\n<p>Brennan P. Baybeck, senior vice president and CISO for customer success services at Oracle and a board director with the IT governance association ISACA, is looking to use cloud-native capabilities to ensure \u201cworkloads are as secure as possible\u201d \u2014 a move that Baybeck says will \u201ccut back on the security infrastructure that needs to be managed.\u201d<\/p>\n<p>\u201cWe want to utilize as many of those native capabilities as possible as it reduces costs, simplifies security infrastructure, and cuts overhead,\u201d he adds.<\/p>\n<p>Another priority for Baybeck is enhancing identity and access controls \u2014 an objective that includes improving access governance, going to passwordless authentication, and beefing up API security.<\/p>\n<p>Like many CISOs, HCLSoftware\u2019s Currie is also keeping compliance top of mind. 
\u201cWe have hard and fast regulatory requirements we have to adhere to, so that\u2019s baked into our top priorities,\u201d he says, noting that compliance is \u201ca business enabler for us.\u201d<\/p>\n<p>And all that needs to be undertaken with a close eye on the budget, Currie says.<\/p>\n<p>\u201cOperational efficiencies and cost efficiencies are high priorities for us,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Security maturity\u2019s influence on priorities<\/h2>\n<p>Even with similar overarching goals, how CISOs go about executing their security agenda will vary based on multiple factors, says Steve Ross, director of cybersecurity for the Americas at S-RM, a global corporate intelligence and cybersecurity consultancy.<\/p>\n<p>Ross says an organization\u2019s security maturity level typically dictates the CISO\u2019s priorities and plan of execution.<\/p>\n<p>For example, those with a low level of security maturity typically focus on strengthening protection of confidential and sensitive data, Ross says, while also upgrading systems to boost corporate resiliency. 
Enhancing <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness through end-user training<\/a>, improving identity and access controls, and <a href=\"https:\/\/www.csoonline.com\/article\/567635\/6-risk-factors-to-know-when-hiring-an-mssp.html\">offloading responsibilities to MSSPs<\/a> are other typical baseline priorities \u2014 all to be done while reducing spend.<\/p>\n<p>Organizations with midlevel security awareness are more likely to be focused on streamlining compliance and privacy efforts, simplifying IT security infrastructure, improving management of third-party risks, and shortening incident response time, in addition to reducing spend, improving access control, and exploring MSSP options, Ross says.<\/p>\n<p>Meanwhile, CISOs leading high-maturity organizations typically focus on improving their understanding of external threats and accelerating the use of AI to improve security effectiveness, Ross says. They\u2019re also looking to do a better job leveraging data and analytics for security purposes, and they\u2019re assuming responsibility for risks presented by both operational technology and IT systems. At the same time they continue to focus on doing better at the fundamentals, such as improving third-party risk management.<\/p>\n<p>To be sure, Ross adds, some priorities \u2014 such as ensuring the ability to identify an attack and shorten response times \u2014 are universal. 
\u201cThose are perennial priorities, because they\u2019re critically important to the business and continuing operations,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Assigning accountability<\/h2>\n<p>There is, however, an emerging trend among top CISOs seeking to execute on their long list of perennial priorities, West Monroe\u2019s Chaddock says.<\/p>\n<p>The most effective CISOs recognize that they require cooperation, coordination, and compliance with security rules from everyone, he says. So they have put in place governance frameworks and performance-level agreements that drive accountability to the executives who oversee the people and work tied to each specific security objective.<\/p>\n<p>That\u2019s how they\u2019ll successfully get through their priorities year after year, he says.<\/p>\n<p>\u201cIt\u2019s not all CISOs, but leading CISOs, who put more back on the other teams, not to wash their hands of it, but to put accountability where it belongs,\u201d Chaddock explains. \u201cIt\u2019s the only truly sustainable way to allow a CISO to secure the things they\u2019re accountable for.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security chief Andrew Obadiaru\u2019s to-do list for the upcoming year will be familiar to CISOs everywhere: advance a zero-trust architecture in the organization; strengthen identity and access controls as part of that drive; increase monitoring of third-party risks; and expand the use of artificial intelligence in security operations. 
\u201cNothing is particularly new \u2014 maybe AI [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1658,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1657","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1657"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1657"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1657\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1658"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}