Security in 2025 — Challenges, Risks, and What Leaders Must Do
Every year brings new challenges — more threats, new techniques, more astute perpetrators.
The stakes will get bigger and bigger—cybercrime costs are projected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. This surge represents the largest economic transfer in history, surpassing even the global trade of illegal drugs.
The variety in types of attacks will continue to surprise us. We can expect threats stemming from AI, quantum computing, 5G networks, deepfakes, biometric data, you name it. As well as more of the same—more phishing, supply chain and ransomware attacks—with an extra boost from AI.
Adding to the complexity, regulatory pressures will continue to mount, making the lives CISOs and their teams more and more difficult.
The key to getting ahead of these challenges is understanding what’s ahead and preparing for the worst.
Here are a few trends I expect in the coming year.
Breaches from Unknown Assets Will Exceed 70 Percent
Breaches originating from unknown and undermanaged assets will surpass 70%, increasing from the roughly 60% most analysts cite today. Organizations’ expanding and increasingly complex attack surfaces—driven by cloud migrations, third-party dependencies and remote work infrastructure—will create dangerous blind spots for attackers to exploit.
Security teams will continue to focus on managing known assets, leaving these vulnerabilities unchecked. As attackers target these gaps, the urgency for organizations to prioritize true attack surface management will grow. Companies will need to shift from reactive, asset-specific security approaches to proactive, discovery-first strategies that secure every asset attackers could see or target—even those outside traditional inventories. Security teams must consider assets in the digital supply chain that they don’t directly own or manage but still create risk for their organization.
Visibility and Security Controls Coverage Become the New Leadership Mandate
Risk leaders will focus on two critical priorities to address the growing risk of unmanaged assets: Achieving global visibility and ensuring consistent security control coverage across their IT ecosystems. The question will no longer be, “Do I have the latest tools?” Instead, leaders will ask, “Are my key security controls deployed across my entire attack surface?”
Consistency and coverage will become the ultimate benchmarks for effectiveness. This shift will mark a significant evolution in risk management strategy, as no technology will compensate for poor visibility or fragmented control deployment. Organizations that embrace this pivot will position themselves to reduce risk at scale and strengthen their overall security posture.
AI-Powered Attackers Will Change the Game
The race between attackers and defenders will fundamentally change this coming year. Cybercriminals—especially nation-state actors and APTs—will use advanced AI-driven reconnaissance techniques to exploit security gaps faster and at a greater scale than ever before. We’ve already seen a dramatic acceleration in threats. To quote the CISO of a Fortune 500 company, “Two years ago it took attackers a few months to exploit new vulnerabilities. Now, it takes hours or days.”
Attackers will deploy chained AI models to map organizations’ external attack surfaces, pinpoint weak spots and launch automated exploitations—all within hours of new vulnerabilities being disclosed. This pace will overwhelm traditional defenses, emphasizing the critical need for automated solutions that outpace human capabilities. Security leaders will no longer rely on the manual efforts of white-hat hackers or pentest teams to stay protected. Instead, they must embrace automation and AI to fight fire with fire, preemptively identifying and mitigating vulnerabilities before attackers can act.
Darknet Growth Will Challenge Security Teams
The volumes of interactions on Darknet forums and encrypted channels like Telegram and Signal are poised to surge, making them even more critical hubs for data leaks, breaches and cybercriminal collaboration. As these platforms grow, they introduce new challenges for businesses trying to track stolen data and potential vulnerabilities.
Monitoring these spaces will become increasingly complex. Gaining access requires significant human effort, and processing vast amounts of data requires advanced tools. Without automation, security teams risk falling behind as the volume of threats outpaces their ability to respond.
Organizations that prioritize automating threat hunting will gain a decisive advantage. By detecting leaks early and integrating findings into their broader defense strategies, they can better prioritize and fortify their defenses. Proactive security teams will lead the charge, turning these challenges into opportunities to stay ahead of emerging threats.
Don’t Panic, Just Prepare
While the subtext may come across as a panic alarm, it’s not meant to be. It’s what all security leaders should expect with each passing year. The key is preparedness and staying one step ahead. More visibility into threat vectors and assets is a big piece of the puzzle. Once you know where the weak spots are, you can put a plan of attack in place and mitigate any incoming threats.
