In 2025 Security And Risk Pros Will Brace For Regulations

Amit Puri, Director Cyber zone


In 2024, regulators around the world proposed or enacted a broad array of cybersecurity- and privacy-focused policies and legislation to better manage the risks of emerging technologies such as generative AI (genAI) and the risks of third-party relationships. Security and risk leaders rushed to lock down genAI even as its use cases were only beginning to emerge; nearly every industry was hit by critical IT disruptions for which no resilience planning had been done; and although third-party risk was repeatedly downplayed, organizations worldwide saw an increase in software supply chain breaches.

With cybercrime projected to cost $12 trillion in 2025, regulators will take a more proactive role in consumer data protection, and organizations will shift to implement more aggressive security measures to mitigate material impacts. Here are three of Forrester's cybersecurity, risk, and privacy predictions for 2025, reflecting how organizations must adapt to these emerging risk domains.

CISOs will deprioritize genAI use by 10% for lack of measurable value.

In Forrester's 2024 data, 35% of global CISOs and CIOs said that exploring and deploying genAI use cases to boost employee productivity is a top priority. The security product market has overhyped genAI's productivity gains, and the search for actionable results is proving disillusioning. A self-governing security operations center powered by genAI is an exciting idea, but it is far removed from reality. In 2025 this trend will continue: budget constraints and underperforming AI will push security practitioners further into the trough of disillusionment and result in fewer security-focused genAI deployments.

Breach-related class-action costs will exceed regulatory fines by 50%.

Breach-related spending now covers more than the fines and remediation costs incurred in the name of regulatory compliance. For years, cyber regulations have not done enough to protect customers and employees, which has left those people to pursue class-action lawsuits and damage claims themselves. Class-action expenses in data breach litigation are astounding, and with the percentage of companies facing class actions at a 13-year high, CISOs will be asked in 2025 to contribute to the company's class-action defense fund, and class-action costs will greatly exceed the fines imposed by regulators.

A Western government will bar specific third-party or open-source software.

Software supply chain attacks are a leading cause of data breaches in organizations globally. Pressure from Western governments requiring private companies to produce software bills of materials (SBOMs) is a boon for transparency into software components. SBOMs will show governments which parts of the software they purchase are third-party and open source. In 2025, a government armed with that information will bar a specific open-source component on national security grounds. To comply, software suppliers will have to remove the offending component and replace its functionality.
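The check this prediction implies is mechanical once an SBOM exists: match each component's package URL against the barred list and trace the dependency chain that pulls it in, so the supplier knows which direct dependency has to be swapped. The following is an added example written for this page, not code from Forrester or the author; the CycloneDX document, the package names and the barred list are constructed placeholders, not a real restriction.

```python
"""Check a CycloneDX SBOM against a list of barred components.

Added example, not part of the original article. SAMPLE_SBOM is a
constructed CycloneDX 1.5 JSON document and BARRED_PURLS is a hypothetical
restriction list; neither reflects a real product or government action.
"""
import json
from collections import defaultdict

# Constructed sample SBOM. Package URLs (purls) are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "type": "library",
         "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "type": "library",
         "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"bom-ref": "pkg:pypi/examplecrypto@1.4.2", "type": "library",
         "name": "examplecrypto", "version": "1.4.2",
         "purl": "pkg:pypi/examplecrypto@1.4.2"},
        {"bom-ref": "pkg:pypi/fastjson-py@0.9.1", "type": "library",
         "name": "fastjson-py", "version": "0.9.1", "purl": "pkg:pypi/fastjson-py@0.9.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/fastjson-py@0.9.1"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
        {"ref": "pkg:pypi/fastjson-py@0.9.1", "dependsOn": ["pkg:pypi/examplecrypto@1.4.2"]},
    ],
})

# Hypothetical barred list. An entry without "@" bars every version of the
# package; an entry with "@" bars that exact version only.
BARRED_PURLS = ["pkg:pypi/examplecrypto"]


def purl_base(purl):
    """Strip version and qualifiers: pkg:pypi/foo@1.2?x=y -> pkg:pypi/foo"""
    return purl.split("@", 1)[0].split("?", 1)[0]


def matches(purl, entry):
    """True if a component purl falls under one barred-list entry."""
    if "@" in entry:
        return purl.split("?", 1)[0] == entry
    return purl_base(purl) == entry


def find_barred(sbom_json, barred):
    """Return {component_purl: [bom-refs from the root to the component]}.

    Walks the CycloneDX dependency graph from the root component so a
    transitive inclusion is reported with the chain that pulls it in; the
    second element of the path is the direct dependency to replace.
    """
    bom = json.loads(sbom_json)
    purl_by_ref = {c["bom-ref"]: c.get("purl", "") for c in bom.get("components", [])}
    deps = defaultdict(list)
    for d in bom.get("dependencies", []):
        deps[d["ref"]].extend(d.get("dependsOn", []))
    root = bom["metadata"]["component"]["bom-ref"]

    hits = {}
    seen = set()
    stack = [(root, [root])]
    while stack:
        ref, path = stack.pop()
        if ref in seen:  # dependency graphs can contain cycles; visit each ref once
            continue
        seen.add(ref)
        purl = purl_by_ref.get(ref, "")
        if purl and any(matches(purl, b) for b in barred):
            hits[purl] = path
        for child in deps.get(ref, []):
            stack.append((child, path + [child]))

    # Components listed in the SBOM but not reachable from the root (common
    # when a generator emits no dependency graph) are still reported, with a
    # path that does not start at the root.
    for ref, purl in purl_by_ref.items():
        if purl and purl not in hits and any(matches(purl, b) for b in barred):
            hits[purl] = [ref]
    return hits


if __name__ == "__main__":
    for purl, path in find_barred(SAMPLE_SBOM, BARRED_PURLS).items():
        print(f"BARRED {purl} via {' -> '.join(path)}")
```

The version-aware matching matters in practice: a restriction on a whole package forces a functional replacement, while a restriction on specific versions may only require an upgrade, and the reported path tells the supplier which of its own direct dependencies is the one to change.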

Author
Amit Puri
Director Cyber zone
Basil Infotech Limited