In 2025, security and risk professionals will prepare for regulation and sustainability

In 2024, regulators around the globe introduced a host of proposed policies and legislation focused on cybersecurity and privacy, aiming to better manage the risks associated with emerging technologies such as generative AI (genAI) and with managing relationships with third parties. Security and risk leaders rushed to secure genAI even as its use cases were still developing; nearly every industry experienced critical IT outages due to a lack of resilience planning; and despite efforts to minimize third-party risk, organizations globally saw an increase in software supply chain breaches.

With cybercrime expected to cost $12 trillion by 2025, regulators will take a more active role in protecting consumer data, while organizations look to adopt more proactive security measures to limit material impacts. This year’s Forrester Cybersecurity, Risk, and Privacy Predictions 2025 reflect how organizations must evolve to address these evolving risk areas. Here are three of those predictions:

CISOs will de-prioritize the use of genAI by 10% due to lack of measurable value.

According to Forrester 2024 data, 35% of global CISOs and CIOs consider exploring and deploying genAI use cases to improve employee productivity a top priority. The security product market has been quick to tout the expected productivity benefits of genAI, but the lack of practical results is fueling disappointment. The idea of an autonomous security operations center powered by genAI generated a lot of hype, but it couldn’t be further from reality. In 2025, the trend will continue, and security practitioners will sink deeper into frustration as challenges such as insufficient budgets and unrealized AI benefits reduce the number of security-focused genAI deployments.

Class action costs associated with violations will exceed regulatory fines by 50%.

The costs associated with violations are no longer limited to regulatory fines and remediation costs. Historically, cyber regulations have not gone far enough to protect customers and employees — leading those same people to pursue class action lawsuits and seek damages. Class action costs are high in data breach litigation. And with the proportion of companies facing class actions at its highest level in 13 years, CISOs will be required to contribute to the company’s class action defense fund in 2025, making class action costs far exceed the fines imposed by regulators.

A Western government will ban specific third-party or open source software.

Software supply chain attacks are a leading culprit in data breaches at organizations globally. Increasing pressure from Western governments requiring private companies to produce software bills of materials (SBOMs) has been a boon to the transparency of software components, and these SBOMs highlight the role of third-party and open source software in the products that governments buy. In 2025, a government armed with this information will restrict an open source component for reasons of national security. To comply, software suppliers will have to remove the offending component and replace its functionality.

Register here to receive Forrester’s complimentary Forecasts guide, which covers the best technology and security predictions for the coming year. Get additional resources, including webinars, at Forrester’s Prediction Center 2025.

This post was written by Senior Analyst Cody Scott and appeared first here.