Regulations and Resilience Will Elevate CISOs’ Risk Management Challenges

In 2024, organizations navigated a complex landscape of emerging cybersecurity regulations as governments around the world introduced stricter mandates aimed at safeguarding privacy and data security across various sectors. As these regulations emerged, security and risk leaders raced to fortify their defenses against evolving technologies such as generative AI (genAI), even though its applications are still at a nascent stage.

Nearly every sector felt the ramifications of inadequate IT resilience planning, and organizations that underestimated their third-party vulnerabilities faced an uptick in software supply chain breaches. As cybercrime costs are projected to reach $12 trillion by 2025, regulatory bodies are expected to take a more proactive stance in protecting consumer data. Companies, in turn, are pivoting towards more robust security frameworks to mitigate potential damages. Forrester anticipates significant shifts in 2025:

* The EU will impose its first fine on a genAI provider under the EU AI Act. Enforcement of the EU AI Act will commence with a focus on prohibited use cases starting in February 2025, later expanding to include general-purpose AI (GPAI) models like genAI in June. With the collaboration between the EU AI Office and various data protection authorities, swift action against non-compliant GPAI providers is inevitable. By mid-2025, a provider is expected to face the first fine for breaching the act.

Organizations should take heed: although the Act directs compliance requirements towards GPAI providers—such as revealing training datasets and sharing evaluation outcomes—the interconnected obligations extend across the entire AI ecosystem. Companies that fail to prepare could find themselves embroiled in significant third-party risk complications. As businesses increasingly diversify their genAI usage, it is critical to scrutinize providers thoroughly and gather comprehensive evidence to shield against investigations and potential fines.

* A major IoT breach will compromise a significant number of devices. As IoT devices become more prevalent within enterprises, vulnerabilities also multiply, heightening the risk of cyber incidents triggered by these technologies. The sheer variety of devices makes it difficult for security teams to achieve consensus on effective risk mitigation strategies.

The rise of remote work has integrated various personal and third-party IoT devices into corporate environments, creating new avenues for attackers. A notable incident occurred in September 2024, when a mass attack exploited a specific IoT device class, reminiscent of the simultaneous sabotage of thousands of pagers in Lebanon. In 2025, another breach of IoT devices may compel organizations to undertake extensive and costly remedial actions, potentially necessitating the replacement of entire device categories. To counteract these risks, organizations are advised to implement Zero Trust principles within their IoT frameworks and enforce strict security requirements throughout their supply chains.

* A decline in genAI prioritization among CISOs is anticipated. Forrester’s data from 2024 reveals that 35% of global CISOs and CIOs ranked exploring genAI use cases for bolstering employee productivity as a leading priority for the digital workplace. However, declining enthusiasm around genAI is becoming evident as unrealistic marketing claims fail to yield practical benefits.

The excitement surrounding autonomous security operations centers powered by genAI has largely dissipated. Early users of Microsoft Security Copilot have noted slight improvements in efficiency for tasks like incident reporting, yet reported significant slowdowns in response times. By 2025, disillusionment with AI within the security domain is expected to intensify. Currently, 18% of global AI decision-makers who hold positions as CISOs indicate that budget constraints hinder their AI adoption, a figure that is likely to increase by 10% as the expected benefits remain elusive and budget justifications fall short.

* Certain third-party or open-source software may be banned by a Western government. Recent cybersecurity incidents, including the XZ Utils hack and vulnerabilities surrounding services like polyfill.io and 3CX, reveal how adversaries exploit trust in software maintainers for malicious purposes. Although some software vendors are beginning to issue software bills of materials (SBoMs) to enhance component transparency, this initiative opens the door for increased scrutiny from authorities.

As governments utilize SBoMs to assess the security and development practices of software, it is anticipated that by 2025, some nations will prohibit specific third-party or open-source components based on national security concerns. In response, software suppliers will be required to replace affected components and provide alternative functionalities. Once one nation implements strict measures, it could set a precedent for others to follow, pushing suppliers to enhance their oversight of third-party components and ensure compliance with government regulations.
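A supplier told that a given component may no longer ship has to find every affected instance of it across its products, and the SBoM is the natural place to look. The following added example (not Forrester's tooling or any government's list) scans a constructed CycloneDX-style JSON SBoM, parses each component's Package URL (purl), and matches it against a constructed prohibited-component list with optional version bounds; component names, versions and the denylist entries are all invented placeholders, and components that carry no purl are reported separately so they can be identified by hand rather than silently skipped.

```python
"""Flag SBoM components that appear on a prohibited-component list.

Added illustration, not part of the original article: given a CycloneDX-style
JSON SBoM and a denylist of (purl type, name, min version, max version) entries,
report which components fall inside a prohibited range. The SBoM content and the
denylist are constructed for this example; the package names are placeholders.
"""
import json
from urllib.parse import unquote

# Constructed SBoM in CycloneDX JSON layout (illustrative, not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-compress", "version": "5.6.1",
         "purl": "pkg:generic/example-compress@5.6.1"},
        {"type": "library", "name": "example-compress", "version": "5.4.6",
         "purl": "pkg:generic/example-compress@5.4.6"},
        {"type": "library", "name": "widget-ui", "version": "2.0.0",
         "purl": "pkg:npm/%40acme/widget-ui@2.0.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # A vendored blob with no purl: cannot be matched automatically.
        {"type": "library", "name": "vendored-blob", "version": "0.1"},
    ],
})

# Constructed denylist: (purl type, namespace/name, min inclusive, max inclusive).
# A None bound means "unbounded on that side".
DENYLIST = [
    ("generic", "example-compress", "5.6.0", "5.6.1"),
    ("npm", "@acme/widget-ui", None, None),
]


def parse_purl(purl):
    """Return (type, namespace/name, version-or-None) from a purl string.

    Follows the purl layout pkg:type/namespace/name@version?qualifiers#subpath.
    The namespace/name segments are percent-decoded, so "%40acme" becomes "@acme".
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, path = rest.partition("/")
    head, sep, tail = path.rpartition("@")
    name, version = (head, tail) if sep else (path, None)
    return ptype.lower(), unquote(name), version


def version_key(version):
    """Sortable key for dotted versions; numeric parts compare as integers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def in_range(version, lo, hi):
    """True if version lies within [lo, hi]; unknown versions count as affected."""
    if version is None:
        return True
    key = version_key(version)
    if lo is not None and key < version_key(lo):
        return False
    if hi is not None and key > version_key(hi):
        return False
    return True


def find_prohibited(sbom_json, denylist):
    """Return {'prohibited': [(purl, rule)], 'unidentified': ['name@version']}."""
    sbom = json.loads(sbom_json)
    prohibited, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        ptype, name, version = parse_purl(purl)
        for d_type, d_name, lo, hi in denylist:
            if ptype == d_type and name == d_name and in_range(version, lo, hi):
                prohibited.append((purl, f"{d_type}:{d_name}"))
    return {"prohibited": prohibited, "unidentified": unidentified}


if __name__ == "__main__":
    report = find_prohibited(SAMPLE_SBOM, DENYLIST)
    for purl, rule in report["prohibited"]:
        print(f"PROHIBITED {purl} (rule {rule})")
    for item in report["unidentified"]:
        print(f"REVIEW MANUALLY {item} (no purl)")
```

Matching on the purl rather than on the free-form `name` field avoids false negatives from vendors that spell the same package differently, and the "unidentified" bucket is what makes the result trustworthy: a component the scanner could not classify is a gap in the evidence, not a clean result.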

* The financial fallout from breach-related class actions will eclipse regulatory fines. The financial repercussions of data breaches now extend beyond regulatory penalties and remediation costs. With the frequency and severity of cyberattacks on the rise, lawmakers have not consistently enforced stronger cybersecurity regulations. Consequently, customers, employees, and shareholders have increasingly turned to litigation as a means to seek damages and compel organizations to enhance their security practices. The fiscal impact of class action lawsuits following data breaches is substantial.

For instance, T-Mobile’s recent settlement over breach-related class actions amounted to $350 million, in addition to $150 million in security enhancements. Numerous cases are set to go to trial, including over 100 associated with the MOVEit vulnerability and 50 concerning the Change Healthcare cyber incident. The percentage of companies facing class actions is at a 13-year high, a sign of rising exposure. In 2025, CISOs may therefore be called upon to contribute toward defense funds for class action lawsuits, a trend that may see costs from these actions significantly outpace regulatory fines.

In summary, security, risk, and privacy leaders are grappling with multiple challenges, balancing technical risks and compliance obligations. In 2025, we can expect to see the first fine against a genAI provider by EU regulators, a significant disruption caused by an IoT breach affecting various devices, CISOs scaling back priorities around genAI use, the potential barring of specific software by a Western government, and class action costs arising from data breaches exceeding regulatory penalties.

— Source: Forrester Research, USA and Australia.
