Lenny Zeltser, September 29, 10:49
Trends in the Evolving Responsibilities of the CISO

In 2025, the responsibilities of the Chief Information Security Officer (CISO) continue to evolve, requiring a more proactive approach to risk. Trends include using automation and AI to improve the security program, reducing the attack surface, optimizing the management of people and processes, and strengthening the alignment of cybersecurity with business objectives. CISOs need to evaluate the value of AI tools, drive tool modernization, and continuously manage the attack surface. At the same time, they need to focus on team building, set clear expectations, and provide support so that security work aligns with business goals, raising the importance of cybersecurity among senior leadership.

🔍 CISOs need to evaluate the value of AI tools and drive the modernization of security tooling. Combine automation and AI to improve the security program, understand which work benefits from AI, and define the role of humans in the process.

📉 Continuously manage the attack surface, identifying and retiring unnecessary software and applications. Working with IT and business leaders reduces the resources that need protection, lowers costs, and improves the security posture.

👥 Optimize the management of people and processes by creating an environment that supports the team in working effectively. Provide fair pay, clear expectations, regular feedback, the necessary tools and training, and link security contributions to business objectives.

📊 Strengthen the alignment of cybersecurity with business objectives to raise senior leadership's attention. Understand the business context, use terminology and metrics that executives understand, and take part in solving security problems so that security work demonstrates its value to the business.

🤝 CISOs need to work with IT and legal colleagues to evaluate and onboard emerging AI products. Assess how AI products meet data security requirements and develop lower-risk integration approaches to drive the effective use of AI in the organization.

As the year 2025 rushes forward, the responsibilities of CISOs are continuing to evolve. We increasingly recognize the importance of not just identifying risks but actively addressing them through direct action and influence. To remain relevant, we must continue to stay on top of emerging technologies, such as AI and automation. We must also engage a growing range of stakeholders, from customers to peers and Board members.

The year will continue to shape the CISO role into an exciting combination of leadership and tech expertise. Below are three specific trends to keep in mind as we manage the complexities, challenges, and opportunities of the CISO role.

Outcomes, Automation, and AI Experimentation

As CISOs, we feel more personally responsible, accountable, and liable than ever, considering the government's treatment of data breaches in recent years. There is more attention being put on the CISO role from the boardroom, too, now that the fallout of cyberattacks has a clearer impact on the bottom line. On the positive side, this attention has elevated conversations about security programs. More organizations view CISOs as members of the senior leadership team, expecting positive outcomes rather than risk-oriented opinions.

To meet stakeholders’ expectations and take advantage of the opportunities to mature our security programs, CISOs should review the way that our organizations rely on automated tools to not only identify but ultimately take action on cybersecurity issues. This entails understanding what work will benefit from modern tooling—some of which will likely include AI capabilities—and what role humans should play in the associated processes.

While 2024 marked a year of rapid advancement in AI capabilities, it also highlighted that we don't quite know how to incorporate it into our work in a useful way. Organizations in 2025 are continuing to experiment with AI to understand where it offers the most value. To that end, security leaders—together with IT and legal colleagues—should be ready to help evaluate and possibly onboard a diverse set of immature AI products. The CISO can help by assessing how the product’s use of AI matches the organization’s data security requirements and, if necessary, offer an approach for integrating AI products into the organization’s technology stack in a less risky manner.

Reducing the Attack Surface

Reducing the attack surface will continue to be among the most effective ways for defenders to maintain an edge over attackers.

Gaining visibility into the resources the organization needs to defend is a start so we can identify unnecessary or misconfigured assets. But ultimately, security leaders need to act on that knowledge to improve the organization’s security posture and decrease the number of resources that require protection. This often involves identifying unneeded local software and SaaS applications, including overlapping tools, and working with IT and business leaders to decommission them. Such efforts not only improve security but also reduce costs, offering tangible benefits to the organization.

Reducing the attack surface might start with targeted projects that span weeks or months, but ultimately this practice requires ongoing oversight and culling. To achieve this, we need to maintain visibility into the various types of resources comprising the organization’s IT fabric, including employee workstations, cloud and on-prem systems, container payloads, applications, and user identities. CISOs should plan to remediate in a measured way, scheduling cleanup efforts to address high-risk areas and projects first to earn a win that will help fuel subsequent improvement efforts.

People, Processes, Tooling

People want to work at organizations that value their contributions and where they can achieve success. That means that CISOs need to create an environment that allows their team to do their best work and feel like they are contributing to the organization in a meaningful way.

Achieving this includes paying fairly, being clear about expectations, offering regular feedback, providing the necessary tools and training, and linking people's contributions to the organization's business objectives.

For cybersecurity tooling, we need to find ways to reduce manual work and systematize processes. Automating manual work where appropriate allows people to focus on tasks that genuinely benefit from human involvement. This makes work more enticing and amplifies people's ability to introduce positive change into the organization. Building sustainable processes with well-defined roles for technology and people solves a problem not just once but in an ongoing way that will continue to function for years.

Business Context for Cybersecurity Success

The extent to which the C-suite and boardrooms take cybersecurity seriously depends on external and internal business factors. External factors include the expectations that parties such as regulators and customers have on the security program and how they expect the company's executives and board members to be involved in it. Internal factors are what CISOs can control directly to elevate the security program and make it feel relevant to senior stakeholders. We should be linking security and business objectives, understanding the context, terminology, and goals of colleagues throughout the organization, discussing our progress in metrics that others understand, and making sure we not only point out concerns but also contribute toward solving them.
