As we head into 2025, the responsibilities of Chief Information Security Officers (CISOs) are continuing to evolve. Many CISOs are recognizing the need to not only identify security risks but also to take action (both directly and through influence) toward addressing them. To remain relevant, CISOs must continue to stay on top of emerging technologies, such as AI and automation. We must also manage a broadening range of stakeholders, ranging from customers to peers and board members.
The new year will continue to shape the CISO role into an exciting combination of leadership and technological expertise. There are three specific trends for CISOs to keep in mind as we manage the complexities, challenges, and opportunities of the role.
Outcomes, Automation, and AI Experimentation
CISOs feel more personally responsible, accountable, and liable than ever, considering the government's treatment of this year's slew of data breaches. There is more attention being put on the CISO role from the boardroom, too, now that the fallout of cyberattacks has a clearer impact on the bottom line. On the positive side, this attention has elevated conversations about security programs. More organizations view CISOs as members of the senior leadership team, expecting positive outcomes rather than risk-oriented opinions.
To meet stakeholders’ expectations and take advantage of the opportunities to mature their security programs, CISOs should review the way that their organizations rely on automated tools to not only identify but ultimately take action on cybersecurity issues. This entails understanding what work will benefit from modern tooling—some of which will likely include AI capabilities—and what role humans should play in the associated processes.
While 2024 marked a year of rapid advancement in AI capabilities, it also highlighted that we don't quite know how to incorporate it into our work in a useful way. Organizations in 2025 will continue to experiment with AI to understand where it offers the most value. To that end, security leaders—together with IT and legal colleagues—should be ready to help evaluate and possibly onboard a diverse set of immature AI products. The CISO can help by assessing how the product’s use of AI matches the organization’s data security requirements and, if necessary, offer an approach for integrating AI products into the organization’s technology stack in a less risky manner.
Reducing the Attack Surface
Reducing the attack surface will continue to be among the most effective ways for defenders to maintain an edge over attackers.
Gaining visibility into the resources the organization needs to defend is a start, since it lets us identify unnecessary or misconfigured assets. But ultimately, security leaders need to act on that knowledge to improve the organization’s security posture and decrease the number of resources that require protection. This often involves identifying unneeded local software and SaaS applications, including overlapping tools, and working with IT and business leaders to decommission them. Such efforts not only improve security but also reduce costs, offering tangible benefits to the organization.
Reducing the attack surface might start as a series of concrete projects that span weeks or months, but ultimately this practice requires ongoing oversight and culling. To achieve this, the organization needs to maintain visibility into the various types of resources comprising the organization’s IT fabric, including employee workstations, cloud and on-prem systems, container workloads, applications, and user identities. CISOs should plan to remediate in a measured way, scheduling cleanup efforts to address high-risk areas and projects first to earn a win that will help fuel subsequent improvement efforts.
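The practice described above (inventory the IT fabric, flag unused and overlapping resources, then schedule cleanup highest-risk first) can be made concrete with a small triage script. The following is an added example written for this article, not the author's own code or any vendor's tooling; the inventory records, asset names, categories and the risk weights are all constructed for illustration and would in practice come from your CMDB, cloud APIs, SaaS management platform and identity provider.

```python
"""Attack-surface triage over an asset inventory (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                     # workstation | cloud | onprem | container | app | saas | identity
    category: str                 # functional category, used to spot overlapping tools
    owner: str                    # "unassigned" when nobody claims the asset
    idle_days: int                # days since the asset was last observed in use
    internet_facing: bool
    handles_sensitive_data: bool


# Constructed sample inventory: hypothetical names, not from any real environment.
INVENTORY = [
    Asset("vpn-gw-01", "onprem", "remote-access", "netops", 1, True, True),
    Asset("legacy-ftp", "onprem", "file-transfer", "unassigned", 200, True, True),
    Asset("sharefile", "saas", "file-transfer", "it", 2, True, True),
    Asset("dropbox-team", "saas", "file-transfer", "marketing", 95, True, True),
    Asset("ci-runner", "container", "build", "platform", 0, False, False),
    Asset("svc-reporting", "identity", "service-account", "unassigned", 400, False, True),
    Asset("laptop-0042", "workstation", "endpoint", "alice", 3, False, False),
]


def find_stale(assets, max_idle_days=90):
    """Assets not observed in use within max_idle_days are decommission candidates."""
    return sorted(a.name for a in assets if a.idle_days > max_idle_days)


def find_overlapping_tools(assets):
    """Group software (local, SaaS, on-prem services) by functional category.
    A category served by more than one tool is a consolidation candidate.
    Returns {category: [asset names]} for the overlapping categories only."""
    by_category = defaultdict(list)
    for a in assets:
        if a.kind in ("app", "saas", "onprem"):
            by_category[a.category].append(a.name)
    return {c: sorted(n) for c, n in by_category.items() if len(n) > 1}


def risk_score(asset):
    """Crude, transparent scoring so the ordering is explainable to stakeholders.
    Exposure and data sensitivity weigh most; missing ownership and staleness add on.
    The weights are assumptions for this example, not a standard."""
    score = 0
    if asset.internet_facing:
        score += 4
    if asset.handles_sensitive_data:
        score += 3
    if asset.owner == "unassigned":
        score += 2
    if asset.idle_days > 90:
        score += 1
    return score


def prioritize_cleanup(assets, max_idle_days=90):
    """Return (name, score) for every stale or overlapping asset, highest risk first,
    so the first cleanup projects remove the riskiest unneeded resources."""
    stale = set(find_stale(assets, max_idle_days))
    overlapping = {n for names in find_overlapping_tools(assets).values() for n in names}
    candidates = [a for a in assets if a.name in stale or a.name in overlapping]
    ordered = sorted(candidates, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, risk_score(a)) for a in ordered]


if __name__ == "__main__":
    print("Stale:", find_stale(INVENTORY))
    print("Overlapping tools:", find_overlapping_tools(INVENTORY))
    for name, score in prioritize_cleanup(INVENTORY):
        print(f"{score:>3}  {name}")
```

On the sample data the unowned, idle, internet-facing legacy FTP server ranks first, ahead of the two overlapping file-transfer SaaS tools and the dormant service account. Overlap findings still need a human decision about which tool to keep; the script only surfaces the candidates and the order in which to review them, which is the ongoing culling the article describes.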
People, Processes, Tooling
We all want to work at organizations that value our contributions and where we can achieve success. That means that CISOs need to create an environment that allows their team to do their best work and feel like they are contributing to the organization in a meaningful way.
Achieving this includes paying fairly, being clear about expectations, offering regular feedback, providing the necessary tools and training, and linking people's contributions to the organization's business objectives.
For cybersecurity tooling, we need to find ways to reduce manual work and systematize processes. Automating manual work where appropriate allows people to focus on tasks that genuinely benefit from human involvement. This makes work more enticing and amplifies people's ability to introduce positive change into the organization. Building sustainable processes and clarifying the roles that technology and people play in them solves a problem not just once but in an ongoing way that will continue to function for years.
Business Context for Cybersecurity Success
The extent to which the C-suite and boardrooms take cybersecurity seriously depends on external and internal business factors. External factors include the expectations that parties such as regulators and customers have of the security program and how they expect the company's executives and board members to be involved in it. Internal factors are what CISOs can control directly to elevate the security program and make it feel relevant to senior stakeholders. We should be linking security and business objectives, understanding the context, terminology, and goals of colleagues throughout the organization, discussing our progress in metrics that others understand, and making sure we not only point out concerns but also contribute toward solving them.