CISOs need to prepare for disruptions caused by AI in 2025

CISOs need to prepare for disruptions caused by AI in 2025

Top cyber security executives from BeyondTrust, Qualys, OPSWAT, Cloudflare, Kaspersky, Tenable, Palo Alto Networks, share their insights, forecasts and predictions into 2025 and beyond, including how businesses and threat actors will return to narrow-AI use cases, why the fear of Generative AI catalysing a volume explosion in targeted attacks will not happen, how AI will impact the CISO’s role in years ahead, why business and security must strike a balance between innovation and security, and why CISOs should urgently shift focus to security transformation and remove vendors causing complexity, among other insights.

As 2025 dawns, the CISO must question the status quo and ask themselves how things need to change in the coming year. Is AI a risk that requires a new security strategy? Could it also be the answer to facing down a threat landscape that is scaling up in terms of both volume and stealth capabilities? Will AI replace security professionals or augment their efforts?

CISOs’ resolutions for 2025 will involve cultural shifts in risk management and collaboration between security and other functions, from IT to the C-suite. To do better, security leaders must focus on business-oriented measures backed by data, and holistic solutions that help target resources where they can make the greatest impact.


Morey Haber, Chief Security Advisor, BeyondTrust
Morey Haber, Chief Security Advisor, BeyondTrust

Businesses and threat actors will return to narrow-AI use cases

In cybersecurity, we know planning is everything. We know to be forewarned is to be forearmed. Meanwhile, AI is, in many respects, a boon to businesses but in the wrong hands has been feared to also be a bane. As we shall see, however, much of this fear has been unfounded. As the years progress, industry experts also continue to fret over the implications of quantum computing.

#1 Fear of Generative AI catalysing a volume explosion in targeted attacks is unfounded.

In 2025, expect to see businesses return to more proven narrow-AI use cases to restore predictability to the ROI of AI projects. Automation and the upskilling of business functions are likely to be among the most common implementations. In parallel, we can expect threat actors, to minimise their costs, return to using narrow AI to soften entry barriers. The fear of Generative AI catalysing a volume explosion in targeted, bespoke attacks is therefore unfounded.

#2 Arrival of the quantum leap

Previous estimates suggest that where a digital machine would take 300 trillion years to crack 2-megabit RSA encryption, a 4,099-qubit quantum computer would only need 10 seconds. This post-quantum reality could be with us by the early 2030s, so we will continue to see individuals and organisations urge action on this critical future problem because of the implications it has for societies.

We could see critical-infrastructure organisations, such as regional banks, telcos and government agencies, form exploratory committees to examine NIST’s post-quantum encryption standards. These will be important first steps on the long road to adoption — a road that is likely to be signposted with many new regulatory standards built around post-quantum cryptography.

#3 Expect to see fire sale of obsolete PCs in 2H 2025

October 2025 will see end-of-life announcements for Microsoft Windows 10. Only the most recent machines, those that have both Secure Boot and TPM, trusted platform module will be eligible for Windows 11 upgrades, meaning everyone else will lose access to updates, including security patches.

If this sounds like a recipe for vulnerability that is because it is.

Expect to see a fire sale of obsolete PCs in the second half of 2025. The forced obsolescence will be good news for the hardware market, however, especially ARM, which will see a volume shift to its mobile-friendly processors. Alternative OSes like Linux and Ubuntu will also benefit from organisations trying to minimise replacement costs.

#4 Merging fake and real personas

Breach data repurposed to create fake online personas. It is a new approach to identity theft called reverse identity theft, in which an identity is linked to another without the knowledge of the legitimate party. Campaigns are already underway to merge fictitious data with legitimate data, especially where names are common. We can expect this to escalate in 2025.

#5 Fake employees and shadow workers

With its large expat populations, the GCC may come to experience overemployment, with residents taking on multiple remote jobs. While many regional employment contracts explicitly prohibit it, the workers that choose to operate this way will be tempted to outsource some of their workload to AI. This is likely to occur under the employer’s radar and may include the creation of fake employees.

Such moonlighting will give rise to more shadow IT and all the security implications it implies, as well as legal issues surrounding content creation that failed to observe risks such as plagiarism.

#6 Point solutions still in favour

Cybersecurity investments will continue to favour multiple point solutions that do not play well together. This will lead to detrimental effects on reporting and visibility, and security teams will bear the brunt — more gaps, more vectors, more paths to privilege.

Threat actors are not waiting. They are not trend-watching. They are creating the trends. Defenders must create some trends of their own or invite disaster.


Richard Seiersen, Chief Risk Technology Officer, Qualys
Richard Seiersen, Chief Risk Technology Officer, Qualys

AI will impact CISO’s role and capabilities in years ahead

As 2025 dawns, the CISO must question the status quo and ask themselves how things need to change in the coming year. Is AI a risk that requires a new security strategy? Could it also be the answer to facing down a threat landscape that is scaling up in terms of both volume and stealth capabilities? Would AI play the role of traffic police officer, analyst, auditor, advisor? And what of the human factor? Will AI replace security professionals or augment their efforts?

#1 Increasing use of AI will not alter basic cybersecurity strategies.

While several regional enterprises are looking for the next best AI solution to fight fire with fire, I am reminded of the famous Alphonse Karr quote, The more things change, the more they stay the same. As such, a better question is, What do businesses stand to lose, what is the value at risk from AI abuse and misuse? And what portion of this risk can be addressed with current security capabilities?

For example, is securing an AI agent from threats like spoofing, tampering, information disclosure, denial of service, or escalation of privileges novel? Does it require new investments to build up a dedicated AI security stack?

Similarly, consider that AI models consist of open-source and first-party code deployed on premises, in the cloud, or both. Infrastructure, software-pipeline, and supply-chain security practices still apply. So again, the question is, do we really need a complete security rethink?

My recommendation is that security teams proactively address these evolving threats by developing robust threat models and establishing guardrails secure by default solutions. The key challenge lies in balancing the desire for rapid digital transformation with the imperative of safeguarding enterprise assets against potential AI-related abuses.

#2 Human factor will be key to guarding against hackers leveraging AI.

AI will enable bad actors to do what they have always done, but faster. Just like defenders, they will use AI to automate software development and expedite the analysis of reams of data to discover plausible vulnerabilities and select and execute exploits.

One critical area for improvement lies in addressing human vulnerabilities, often referred to as layer 8 in cybersecurity. Since humans are easily spoofed, it is essential to implement stronger forms of multi-factor authentication and privileged access management. These measures can help mitigate risks associated with social engineering and wire fraud, which are likely to increase as attackers utilise AI for more sophisticated tactics.

#3 AI-driven cybersecurity will enhance operational efficiency for defenders.

Over the next five years, we can expect significant improvements in operational and capital efficiency for defenders, as AI continues to automate routine tasks and streamline processes. This will free security practitioners to focus on more complex challenges, particularly those involving irreducible uncertainty situations, where the risk cannot be fully understood through empirical data.

As the deterministic aspects of cybersecurity are automated, the role of experts will increasingly shift toward decision-making in uncertain scenarios. AI will aid in modelling these risks, but the effectiveness of these models will heavily depend on the expertise and assumptions of the security professionals using them.

This means that while AI will enhance analytical capabilities, the human element will remain critical in interpreting data and making informed choices among plausible alternatives. Security professionals will continue to play a vital role in navigating complexities and uncertainties, underscoring the importance of their expertise in the evolving landscape of AI-driven cybersecurity.

#4 Automation and orchestration will grow in importance in 2025 to centralise risk telemetry.

Landing all your risk telemetry into one place will become common. Many organisations are already aggregating IT, OT and cloud-native risk data into security data lakes, including asset state and changes over time, along with threat and vulnerability intelligence. Note that telemetry consumption is different from risk measurement.

At a minimum, assets must be normalised, and scores must be rationalised. From there, automation will enable organisations to measure operational efficiency in controlling attack surfaces and implement policy-as-code using AI copilots. AI-driven tools will drive down risk in both a capital and operationally efficient manner.

#5 Cyber risk quantification will become core practice for CISOs.

Measuring risk is a core capability, not a product. As cybersecurity maturity grows, the integration of financial metrics with technical security data will become critical. The industry calls this cyber-risk quantification, CRQ, but I call it cybersecurity risk management.

You cannot extract quantitative measurement from the broader domain of cybersecurity risk management, they are one and the same. The good news is that the majority of CISOs will have CRQ capabilities in 2025, in part or integrated into their cybersecurity risk management programs.

#6 Relationship between CISOs, C-suite, boards will evolve towards strategic collaboration.

The CISO that focuses on economic and operational efficiency will be fast friends with business focused leaders. The modern CISO will see risk management as minimising business impact without breaking the bank. It is that simple in theory. In practice, the CISO must do this in a structured manner that is explainable to business stakeholders and executable by operators, which goes back to measurement as a career skill and core security capability.

Clear, measurable communication will be essential, allowing CISOs to translate complex security strategies into actionable insights for business leaders. In short, our relationship with business folks who are focused on winning will be improved to the extent we adopt the right concepts, objects and methods of measurement.

This approach will foster stronger partnerships with the C-suite, enhancing decision-making and driving business outcomes, while managing cyber risk effectively.

CISOs’ resolutions for 2025 will involve cultural shifts in risk management and collaboration between security and other functions, from IT to the C-suite. To do better, security leaders must focus on business-oriented measures backed by data, and holistic solutions that help target resources where they can make the greatest impact.


Sertan Selcuk, VP METAP and CIS, OPSWAT
Sertan Selcuk, VP METAP and CIS, OPSWAT

UAE organisations often lagging adversary’s AI adoption

In 2024, the UAE Cyber Security Council identified 155,000 vulnerable assets, with two in five critical vulnerabilities remaining unaddressed for over five years.

The cloud is vulnerable. Businesses worldwide are moving their data from cloud storage solutions to on-premises setups and we expect this migration to continue through the coming year as UAE organisations dial back their reliance on third parties.

The rise of the multi-cloud environment has brought with it new vulnerabilities. In 2025, organisations will look to multi-layered defences recommended by the Open Worldwide Application Security Project, OWASP to secure Web apps. Many organisations have relegated security to an afterthought when adopting AI tools.

This may be because best practice standards have yet to emerge on the tools or practices that most effectively protect enterprises as they use AI. This leads to vulnerabilities being overlooked, including those in Web apps.

The art of cybersecurity continues to be non-holistic among regional businesses. Companies work with point solutions, each geared towards a specific area, such as endpoints or networks. This leads to data silos and an open field for attackers who understand how to decipher their attacks so no one tool can detect a breach. As such, the visibility of the security team is compromised.

In 2025, we expect to see UAE enterprises prioritise vendor consolidation, not only to cut costs but to give the SOC a single pane view of the attack surface.

Cheaper AI has lowered entry hurdles for threat actors. In some cases, this has been done by plugging technical knowledge gaps for attackers; in others, AI has provided more grammatically and aesthetically convincing phishing messages, increasing the likelihood of success in credentials theft. The same tools can be leveraged by potential targets to bolster their cyber defences, but so far, we see UAE organisations often lagging their adversaries’ adoption.

In 2025, we believe this trend will begin to reverse itself, with business and technology leaders collaborating on ways to focus cyber investments where they will have the greatest impact.

Both because of increases in the sophistication and volume of attacks and because of the lack of skills and resources in the cybersecurity function, significant budget will now be swallowed by AI, UAE businesses will focus more on the basics in 2025. They will prioritise critical sites and assets, prioritising segmentation to segregate their crown jewels.

With the right strategy, the enterprise can secure the environment while preserving its ability to glean actionable business insights. To accomplish this, it will rely on one-way data transfers using data diodes, backed by traditional scanning policies for inbound removable media and mobile devices.

As the cost of machine learning continues to fall and phishing campaigns become more convincing, UAE enterprises should brace for an increase in attacks on employees’ devices. Where its people have long been an organisation’s greatest cyber-vulnerability, they remain its greatest potential weapon. This year, we will see a greater focus on awareness training and novel detection controls to protect against AI-powered social engineering.

The targeting of the latticework of vendors, suppliers, distributors, and other partners that make up the modern business environment will continue in 2025. As OT becomes ever more vulnerable because of its merger with IT, the energy, utilities, and manufacturing sectors will become points of concern.

Threat actors will target suppliers or subcontractors to compromise critical infrastructure. Since these attacks represent existential threats to the economy at large and to public health and safety, we expect to see an escalation in investment in their protection in 2025.

Amid the explosion in advanced technologies like AI, attackers still commonly exploit basic vulnerabilities with basic infiltration methods. Outdated software is a persistent vulnerability for organisations, and this could be the year when UAE businesses recognise the risks, not only to operations but to their legal standing with regulators.

Unfortunately, investments in awareness training have not been enough to prevent people from falling for social engineering. To address their compliance shortfalls, businesses must intensify their training efforts, tailoring each lesson to the learner, and making sure it is immersive enough to ensure retention.

When OT-heavy organisations adopt cloud technologies for flexibility and scalability, they expand their attack surfaces. This transition calls for strong network perimeter security protocols. Cloud-connected devices must communicate with host services through data diodes for secure, one-way data transfer.

Where remote access to OT environments is necessary, other secure pathways should be used that are tailored to specific OT tasks and use the least-privilege principle. In 2025, we expect to see increased adoption of such cloud-aware solutions.


Grant Bourzikas, CSO, Cloudflare
Grant Bourzikas, CSO, Cloudflare

Shift focus to security transformation and remove vendors causing complexity

In ten years there will only be two types of companies; those that leveraged AI to innovate, and those that no longer exist. With this harsh reality, CISOs must figure out how to be an enabler of AI, not a blocker.

But with AI still in its infancy, very few have a strong understanding of the technology or the risks it may present, leading to extremely low levels of confidence that their organisation is well-prepared. The lack of understanding around AI, is ultimately giving threat actors a leg up.

The broad brush of cyber regulations legislated with good intent will have a reverse effect in 2025; which is creating complexity and having no real impact on stopping attacks. In the past few years we have witnessed a cadence of record shattering, significant breaches that have drawn the eye of regulators.

But while their attempts to raise the security resiliency of organisations are aimed to be helpful, they are often knee jerk reactions that require unrealistic efforts. This is a complete misstep, with much of today’s regulatory efforts ineffective and not focused on the most critical aspects of security controls.

Regulators still fail to recognise what will make the biggest difference in moving the needle towards immutable infrastructure.

Vendor lock-in is a crutch that will lead to increasing breaches in 2025 and organisations must start their security transformation journeys. The deeply rooted foothold that vendors have in organisations’ environments has become one of the main drivers of complexity. The bottom line is that complexity creates chaos, and chaos distracts from the real priorities when it comes to securing an organisation.

Being held hostage by a vendor, to a point where moving off of them seems impossible, is the moment they begin to help shift the balance of power back in favour of threat actors. The hyper-focus on digital transformation over the past few years – implementing a myriad of new tools and vendors across the organisation to rapidly innovate – has left security in the dark.

In 2025, we will feel the full weight of having fallen victim to the cycle: shiny new tools, Wall Street’s buy-in, rush to implement, repeat. We must now shift focus to security transformation, and begin to remove the tools and vendors that are causing complexity vs. furthering innovation.

In 2025, disinformation will transcend the Internet and social media, and move to poison and taint AI models. Information sharing exists at an order of magnitude faster, and more efficient than ever before. And in the world of AI, data is the only currency and organisations that have the most will win – but quantity does not always equal quality.

AI on its own will not solve the world’s most critical problems. The successful implementation and use of AI depends on data. But as disinformation continues to plague society, it will begin to trickle into AI models that are critical to making decisions. Example calculating goods needed to restock grocery store shelves, diagnosing sick patients or analysing market trends to share financial risks with bankers.


Anna Larkina, Privacy Expert, Kaspersky
Anna Larkina, Privacy Expert, Kaspersky

Cross-border cyberbullying to intensify targeting political beliefs

As we look to 2025, the most significant impact on consumers is expected to arise from the intersection of innovation and regulation. Advances in AI, privacy protection, and data ownership frameworks will reshape the way people interact with technology and manage their digital lives. These developments hold immense potential but also demand careful oversight to ensure they serve consumer interests, said

AI is predicted to fully integrate into daily life in 2025, becoming a standard tool rather than a novel technology. With prominent operating systems like iOS and Android rolling out AI-enhanced features, people will increasingly rely on AI for communication, workflows, and creative tasks.

This normalisation also brings challenges as personalised deepfakes become increasingly sophisticated in the absence of reliable detection tools.

The growing emphasis on privacy is expected to lead to new regulations that strengthen user control over personal data. By 2025, individuals may gain the right to monetise their data, transfer it easily across platforms, and benefit from simplified consent processes.

Global frameworks, such as the EU’s GDPR, California’s CPRA and South Africa’s POPIA, continue to inspire reforms worldwide, while decentralised storage technologies could further strengthen user autonomy over their information.

Increasing political polarisation is expected to exacerbate cyberbullying in 2025. Social media algorithms that amplify divisive content, combined with the widespread availability of AI tools for creating deepfakes and doctored posts, are likely to intensify online harassment.

Cross-border cyberbullying could also escalate as global platforms facilitate the targeting of individuals based on their political beliefs.

As the global economy shifts further towards subscription-based models, a rise in fraud related to fake subscription promotions is expected. Cybercriminals are expected to create counterfeit services that mimic legitimate platforms, aiming to deceive users into providing personal and financial information, resulting in identity theft and financial losses.

Australia’s proposed legislation to ban social media access for children under 16 could set a global precedent. If implemented successfully, the restriction could pave the way for broader limitations on access for other demographics. Platforms like Instagram have already begun adopting AI-powered age-verification systems, signalling a shift toward stricter governance of online spaces.


Liat Hayun, VP Product Management and Cloud Security Research, Tenable
Liat Hayun, VP Product Management and Cloud Security Research, Tenable

Business and security must strike balance between innovation and security

In the coming year, companies will face mounting pressure to secure AI initiatives at scale while safeguarding a growing range of data assets from cyber threats.

Organisations must understand that data is the fuel driving their business—it enables insights, fosters collaboration, and powers innovation, said. As AI adoption skyrockets and data storage demands grow, safeguarding distributed data has never been more critical.

As we head into 2025, business leaders and security teams must strike a careful balance between innovation and security, ensuring that AI initiatives do not inadvertently open new doors for cyberattackers.

In 2025 and beyond, we will see more organisations incorporating AI into their infrastructure and products as the technology becomes more accessible. This widespread adoption will lead to data being distributed across a more complex landscape of locations, accounts and applications, creating new security and infrastructure challenges.

In response, CISOs will prioritise the development of AI-specific policies and security measures tailored to these evolving needs. Expect heightened scrutiny over vendor practices, with a focus on responsible and secure AI usage that aligns with organisational security standards. As AI adoption accelerates, ensuring secure, compliant implementation will become a top priority for all industries.

As data volumes grow and become more distributed across multi-cloud environments, the risk of data breaches will rise significantly. With AI tools relying on vast amounts of customer data, cybercriminals will have more opportunities to target these systems, making data exfiltration and unauthorised access easier. Organisations will face an escalating risk as attackers exploit these expanding data environments to achieve malicious goals.

Despite the best efforts of companies like OpenAI, Google and Microsoft to implement robust security protocols, cybercriminals now have powerful tools at their disposal, including AI-driven virtual assistants that can streamline and amplify their attacks. As data volumes continue to surge and become more accessible, the appeal and ease of targeting sensitive information will grow.

This convergence of advanced attack tools and abundant data will make it increasingly difficult for organisations to stay ahead of evolving cyber threats.

These predictions should not deter organisations from embracing AI. Instead, they underscore the importance of developing robust strategies for secure and responsible AI adoption. Organisations must focus on integrating AI into their systems securely rather than viewing it as a risky proposition.


Haider Pasha, Chief Security Officer, Palo Alto Networks, EMEA and LATAM
Haider Pasha, Chief Security Officer, Palo Alto Networks, EMEA and LATAM

AI co-pilots drive re-writing of cybersecurity job roles

Stringent measurement of cyber security efforts become the norm as AI’s impact on cyber-attacks deepens. Security professionals should be proactive in establishing for themselves and their teams specific metrics to track against, laddering up to specific key performance indicators, KPIs.

Rise of AI co-pilots forces the re-writing of cybersecurity job descriptions. With the rising popularity and sophistication of AI-enabled security co-pilots, from helpful assistants to fully autonomous teammates, the human job description for every cybersecurity role will need to be re-written in the next year.

Cyber professionals shoot for the double wins of reducing cost and carbon footprint. Organisations must adopt greener practices to minimise the environmental impact of their digital infrastructure – from embracing consolidation to optimising AI models for energy efficiency.

Browse our latest issue

Intelligent CISO

View Magazine Archive