Top CISO Focuses for Navigating Cybersecurity in 2025


This year, CISOs will face increasingly complex security challenges due to global trends in politics, technology and the environment.

Key priorities will include addressing the growing risks of geopolitical instability, which may amplify cyber threats from state and non-state actors. As access to data becomes a critical component of global power, CISOs must bolster vigilance in protecting sensitive information. This can mean both sensitive personal information as well as sensitive business information.

Top CISO Focuses in 2025

Enhancing Data Governance Practices

A fundamental issue that CISOs and their teams must reconcile in the coming years is that of data governance practices. As nearly all organizations are now ‘data first organizations’, the wealth of data within reach of a potential attacker is substantial.

However, embedded data governance practices are still in their infancy across many organizations. Knowing what data you hold, where you process and store the data, the type and sensitivity of that data and the levels of protection needed, are still questions that need to be considered in a holistic sense across an organization, and no longer in the General Data Protection Regulation (GDPR) or Intellectual Property silos.

The expanding attack surface, driven by the proliferation of connected devices and systems, only adds to the need for CISOs to have a robust and broad understanding of the data flows across the business. What may seem to be innocuous data collection and storage, when combined with other data sets, could become more harmful to an organization’s customers, employees and business strategy.

Interoperability of applications also means that CISOs need to have a firm understanding of where data is being shared with third parties, whether via formal contractual arrangements, APIs or other partnerships. Third-party risk management continues to be an area that is difficult for CISOs to get a handle on, due to the often decentralized approaches to procurement and management of third parties across the business.

Cybersecurity Input into Organizational AI Use

The rise of AI products presents both opportunities and risks, with adversaries leveraging AI for malicious purposes like undetectable malware and deepfake scams.

CISOs must ensure their voice is heard at the planning stage of any AI use case to avoid security or data ethics being seen as a secondary consideration. This must be balanced by CISOs being able to leverage AI and machine learning tooling to detect anomalous activity and predict potential threats.

The growing threat of ransomware, phishing and zero-day exploits will demand advanced patching and monitoring strategies, potentially using AI and machine learning tools.

Tackling Rising Insider Threats

Insider threats have always been a key vulnerability, but with the growth in hybrid work environments, countering them will require new approaches to integrating physical security and cybersecurity. There has been a recent rise in lower-level employees selling client data to scammers after using their personal devices to take photos of secured data while working at home.

Clear access logging, privileged access management and audit trails continue to be of paramount importance, but they also continue to be a loose thread for nefarious insiders to pull on. This again comes down to clear data governance practices: know what you have, where it is and how to protect it.

Prioritizing Operational Resilience

Finally, operational resilience must be prioritized, ensuring rapid recovery from cyber-attacks, supply chain disruptions and geopolitical instability.

As cyber threats evolve, CISOs must remain agile and proactive in safeguarding organizational assets.

Collaboration across cross-functional teams is vital to understanding threats and the impacts of disruption. Scenario testing (or wargaming) can be leveraged to bring teams together, break down silos and understand where disruption can cause harm to customers, employees and the viability of the organization.

More than anything, the goal for 2025 should be for CISOs to have a strong voice at board level. This will be essential in aligning cybersecurity with the broader business strategy and in ensuring that senior leadership understands and can effectively manage cyber risks.