12 CIS Experts' Cybersecurity Predictions for 2025
The 2024 general election...the CrowdStrike Falcon outage...insider threats from nation-state actors — these developments created new risks for organizations like yours in 2024. In doing so, they shifted the conversation around your cybersecurity priorities going forward.
There's so much change in the cybersecurity field to decipher. Where do you focus your efforts?
To put next year into context, we spoke to a dozen experts at the Center for Internet Security® (CIS®) about their cybersecurity predictions for 2025. Here's what they had to say.
Marci Andino | VP of the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®)
While the increase in attention generated by a presidential election is over, election officials will continue to experience the impact of generative artificial intelligence (GenAI). GenAI makes it easier, faster, and more economical to create higher quality phishing emails. But it’s not all bad news. There will likely be more positive uses of the technology, as well.
The EI-ISAC will also continue to adapt to multidimensional threats in order to better meet the needs of our election members. Cyber attacks on critical election infrastructure can be combined with information operations, physical attacks, and election disruption tactics to impact election operations.
Sean Atkinson | CISO
Zero Trust Enablement with the Focus for 2025 on Identity: The emphasis on unauthorized access and privilege escalation will act as a catalyst to drive a robust assessment of identity management and drive adoption of zero trust security models.
AI-Enabled Attack and Defense: We will continue to see new artificial intelligence (AI) capabilities and maturity in this space as attackers integrate this capability into sophisticated attack strategies and defenders/vendors integrate better models into defensive capability.
Supply Chain Risk Management: An increased focus on assessment strategies for vendor due diligence, vendor alignment to more robust security compliance frameworks, a start of the "shift left demand" from the customer base, as well as organizations and thought leaders building governance assessment models for AI integrations into products and services.
Jason Emery | Director of Cybersecurity Advisory Services Program
AI-Assisted Cybersecurity Tools: I believe we will see the continued evolution of AI-assisted cybersecurity tools that help offset the lack of cybersecurity professionals in smaller U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. These tools will provide operations-oriented IT staff the ability to manage and secure their environment even while overwhelmed by the daily tasks of “keeping the lights on.” Managed service providers (MSPs) and managed security service providers (MSSPs) will also leverage these tools to become nimbler and to stretch their limited human resources further when supporting their clients.
Governance Focus in K-12: In my work, I see many small- to medium-sized K-12 school districts starting to focus more on formalizing their cybersecurity programs, including governance from the top down. Many district superintendents and school boards are realizing the importance of top-level support in these programs. A good cybersecurity program is not just an IT concern but is, in fact, a strong business concern. I see districts implementing proven cybersecurity controls like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the CIS Critical Security Controls (CIS Controls) more in the coming year to help them be strategic in their efforts and investments.
IT-OT/ICS Convergence: IT and Operational Technology (OT) / Industrial Control Systems (ICS) will continue to see more convergence. These systems are used to manage our water, wastewater, power, etc. Traditionally, these platforms have remained outside the IT environment. I see more of these systems being connected to the general network for remote management, additional capabilities, etc. This adds cybersecurity risk to these environments. We will see more emphasis being placed on proper vulnerability management, threat detection, and cybersecurity frameworks for OT/ICS environments. The key to success will be to take into account the unique nature of these systems to avoid affecting uptime negatively.
Don Freeley | VP of IT Services
Zero Trust Advances in the Enterprise: Embracing a zero trust approach to securing company assets, access, and systems will gain momentum in organizations of all sizes in 2025. Employees and customers demand access to resources and data from multiple locations and devices. Each link in the access chain needs to be treated as untrusted, with access and authorization continuously verified. Secure websites or VPNs, even with MFA enabled, are not enough to prevent unauthorized access, data loss, and exfiltration.
Secure by Design Becomes Part of IT’s DNA: Recent high-profile security breaches will drive adoption of secure by design principles in IT projects. The idea that security can be bolted on to a service or project at the end has shown itself to be hard and inefficient. Incorporating security, compliance, and governance into early stages of a design leads to better overall outcomes and helps foster a culture of security across the organization. IT organizations will accelerate the move in this direction in 2025.
Stephen Jensen | Sr. Director of Plans, Programs, & Exercises
2025 is bringing with it more connected devices than ever before. The Internet of Things (IoT) has revolutionized how organizations collect data about the day-to-day lives of their customers and employees. The intersection of conventional networks with wirelessly enabled devices of all sizes and types creates new avenues for attack as well as new areas of focus for security professionals. Securing these connected devices by using network segmentation, improved network protocols meant for these types of connections such as Wi-Fi HaLow, and ensuring that your devices are patched and updated when available will help to keep your environments secure.
Angelo Marcotullio | CIO
Training and adhering to basic cybersecurity practices ensure that even non-technical staff can recognize and mitigate risks. Cyber attacks such as phishing, ransomware, and malware often exploit human errors, making employees the first line of defense. By focusing on these basics, employees help safeguard the organization’s reputation, financial stability, and customer trust. Moreover, prioritizing cybersecurity fosters a culture of responsibility and awareness across the workforce. Employees who are vigilant about spotting suspicious activities and following security protocols not only protect themselves but also contribute to the organization's overall resilience. This collective effort minimizes the likelihood of successful cyber attacks and demonstrates the organization’s commitment to safeguarding its stakeholders. Empowering all employees to recognize and report potential cybersecurity attacks can lead to the prevention of cyber attacks.
Lee Myers | Sr. Director of Security Operations
Consolidation of Operations: For many years, there has been a rush to spend cybersecurity funding to bring in the latest and greatest technology to aid in cyber defense efforts against an ever-evolving cyber attack ecosystem. Organizations' technology footprint now exceeds their ability to successfully leverage the tools "in house," with them relying on third-party consultants or service providers to utilize these tools and leverage the collected data on their behalf. As expertise grows within these organizations and a more mature cyber strategy emerges that aligns with business or organization goals, we will see a reduction in redundant or unused technology within individual organizations. This will lead to increased efficiency and impact from the tools that remain, with resources being reprioritized for their use and the value that they bring to the organization.
Lee Noriega | Executive Director of Cybersecurity Services Organization and Acting General Manager of Sales and Business Services
Going into 2025, the security risks of AI will continue to be a huge area of concern for many organizations.
- Cybercriminals will continue to leverage AI to enhance the sophistication and scale of their attacks.
- AI-generated phishing emails and adaptive malware will make it increasingly difficult for traditional security measures to detect and mitigate threats.
- AI will contribute to the evolution of ransomware, increasing the speed and precision of these attacks as well as making them more difficult to defend against.
- The combination of social media and generative AI will enable more sophisticated scams and impersonations.
- As AI tools become more integrated into business operations, there will be a growing risk of data breaches caused by improper use of these tools.
Randy Rose | VP of Security Operations & Intelligence
Increased Uses for Quantum Outside of Research: In 2025, expect to see application of quantum computing outside of the university research lab. Advances in quantum are expected to challenge current cybersecurity measures by potentially breaking common cryptographic algorithms. In response, there will be a surge in adopting quantum-resistant algorithms (aka post-quantum cryptography) to protect sensitive data across all industries. Additionally, quantum computing will enhance threat detection and predictive analytics; it will be marketed as a means to enable a shift from being reactive to being proactive. In software development, quantum computing will drive innovation in algorithm design, improving efficiencies in code execution and problem-solving capabilities. Expect well-resourced early adopters to start implementing soon and less resourced followers to face technical and financial challenges in updating systems to keep up pace.
Evolution of IoT and Edge Computing: The industry continues to move from the cloud to the "fog" of edge computing, placing data processing closer to the data source and even using crowdsourcing techniques of other nearby devices. This is going to put an increased focus on IoT as an increasingly attractive target for attackers, as one of the biggest beneficiaries of edge computing is the IoT device handling real-time data. IoT devices are now ubiquitous; they're found throughout homes and businesses globally, including smart appliances, HVAC systems, solar and other power systems, and smart speakers, to name a few. As the attack surface for IoT grows, so too will the need for IoT security tools, frameworks, and best practices.
Focus on Socio-Political Impacts of Emerging Technology: While AI and machine learning (ML) have been around for a long time now, their use historically was mostly hidden from the public consumer. That changed in November 2022 with the public release of ChatGPT followed by other large language models (LLMs). We're now leaving the honeymoon phase and beginning to shift focus onto what we've learned these past two years on the social, political, and technical impacts of GenAI. Expect more research on the impact of GenAI on everyday life, the use of GenAI to augment skills that once took years to hone (such as coding), and the democratization of creative works. There will be significant challenges to intellectual property claims and authenticity which we may start to see play out in court in 2025. Based on the way the models are trained, some LLMs have been shown to widen existing gaps in equity and increase digital repression. While GenAI has the potential to enhance learning and accessibility, without proper oversight, it risks deepening the digital divide, supercharging disinformation and information operations campaigns, and amplifying global concerns around human rights.
Marcus Sachs | SVP, Chief Engineer
Artificial Intelligence: In 2025, artificial intelligence (AI) will play an even larger role in cybersecurity, both for good and bad. Attackers are likely to use AI to automate attacks, create adaptive malware, and avoid traditional detection methods. Unlike manually controlled attacks, AI-powered adversaries will use adaptive algorithms to change and carry out attack strategies in real time. These strategies could adjust based on what they detect and exploit, making it harder for defenders to keep up. Meanwhile, defenders will also increase their use of AI to improve threat detection, anomaly spotting, and predictive analysis. This AI "arms race" will redefine how attackers and defenders tackle cybersecurity.
Compliance and Regulation: As AI systems become more common, cybersecurity issues related to data privacy, manipulation of AI models, and misuse of AI-generated content will grow. To address this, compliance frameworks will be introduced to ensure organizations secure their AI training data, model accuracy, and interactions with users. This new focus on "AI security compliance" will push companies to improve defenses around AI models, reducing risks of disinformation, theft of intellectual property, and misuse of sensitive data in AI systems. Beyond AI, traditional regulatory actions will impact critical infrastructure, with governments likely to enforce minimum cybersecurity standards and response protocols to boost resilience against physical and cyber threats. Expect new policies requiring cybersecurity education and proactive risk assessments for critical infrastructure to mitigate major risks. Cyber-Informed Engineering principles may gain traction as an essential tool for embedding resilience into critical systems.
Cloud Security: With more organizations moving data and operations to the cloud, there will be greater attention on cloud security and data location. In 2025, new laws may require that sensitive data stay within national borders, affecting how companies manage and store data across regions. This emphasis on data sovereignty will lead companies to adopt multi-cloud strategies to stay compliant with evolving regulations while ensuring flexibility and security. As businesses and critical services become increasingly dependent on cloud services, some countries may prioritize cloud availability in national emergency plans, recognizing that stable cloud access is mandatory for crisis management. This shift could lead towards the establishment of a new program like Cloud Service Priority (CSP), treating cloud infrastructure as important as utilities like electricity and telecoms.
Zero Trust: Zero trust architectures, which do not assume any inherent trust within or outside an organization’s network, will likely become the default approach for cybersecurity in organizations with hybrid or remote workforces. As employees work from various locations on different devices, zero trust will gain importance for securing both on-premises and cloud environments. This approach will drive investments in identity and access management, endpoint security, and continuous monitoring technologies, changing how companies secure both internal and external access.
TJ Sayers | Director of Intelligence & Incident Response
A Bolstered Cybercriminal Market for Phishing as a Service Models: AI-driven tools have all but eliminated classic human errors within traditional social engineering activity. Typos and formatting mistakes in text-based phishes are increasingly rare, and advanced voice and video deepfakes are near-indecipherable from reality. Exploiting the human as an initial attack vector still reigns supreme, and customizable phishing kits under a fee-for-service model will lower the bar of entry for threat actors and greatly increase their social engineering successes against end users.
My predictions from last year will also apply in 2025. Ransomware and associated extortion-based threats will undoubtedly remain the leading and most disruptive threat facing SLTTs, and blurred lines between threat actor groups will grow increasingly opaque.
Valecia Stocchetti | Sr. Cybersecurity Engineer, CIS Critical Security Controls
AI Embedded in Software: AI has exploded in many ways over the past 1–2 years. This rise in the use and abuse of AI will likely continue to grow in 2025. Organizations will face many complex challenges because of this. For one, vendors will continue to embed AI features into their software and applications, producing a forcing-function for organizations to either adopt or drop these new features. In some instances, these AI features can't be turned off or removed. Organizations will need to be vigilant in what is acceptable risk in terms of using AI features. Questions to ask include the following: Where is my data being stored? Is it being kept confidential and is it protected? Am I still in compliance with certain regulations I need to comply with? Regulations on AI are still emerging. It remains to be seen whether end-organizations will be able to keep up with demands on the vendor side.
AI-Based Threats: On the other hand, AI-based threats will continue to grow, impacting both our personal and professional lives. Organizations will face an increase in phishing attacks created with AI, making them more lifelike and less like the former “Nigerian prince” email scams we once solely faced. This means that users will need to be even more observant and, more importantly, “think before they click.” According to the 2024 Verizon DBIR, human elements are still responsible for 68% of data breaches. While that figure may have fluctuated somewhat over the years, it still remains quite high. Organizations will need to continue to implement a defense-in-depth strategy in order to block these threats and prevent themselves becoming tomorrow’s news headline.
AI For The Better: While AI can pose all sorts of “doom and gloom” in the cybersecurity world, it can also do a lot of good. Depending on the technology, we can become more efficient at our jobs, reducing the need for manual work. For example, it can help us with intrusion prevention systems so that we can detect and prevent the less “noticeable” threats as well as reduce the rate of false positives. There is also the benefit of AI models learning from the data that is fed into the system, making it (hopefully) more effective.
Overall, AI will continue to spark innovation, bring about new threats, and continue to raise privacy concerns. As with anything in the field of technology, it’s a balance between usability and security. This is why it is important for organizations to:
- Practice due diligence when it comes to vetting software vendors
- Consider the benefit that AI can bring and weigh it against the risk
- Keep up to date with emerging threats
Stay Current with Multidimensional Threats
The predictions above are what stand out to us. They're not all-inclusive of everything that's changing in cybersecurity. If you think we missed something, let us know on Twitter, LinkedIn, or Facebook.
You then need to focus on keeping up with all the changes discussed in the blog post. One of the ways you can do this is by taking a proactive approach to understanding new developments among cyber, physical, and hybrid threats. To simplify this process, we created ThreatWA™. It brings together the expertise of CIS analysts to illuminate emerging multidimensional threats that matter to you.