Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Greg Virgin,
CEO of Redjack
Organizations need to adopt a range
of capabilities to remain competitive and secure in the evolving landscape of
cyber resilience. For 2025, organizations should prioritize these eight cyber
resilience trends - or risk being left behind in an increasingly complex and
volatile cyber landscape.
1. Cyber Resilience Takes Shape
The term "cyber resilience" remains
undefined in much of government and industry guidance, although it is
frequently referenced. Too often, marketing buzzwords co-opt the term to refer
to traditional cybersecurity measures, reducing its meaning to little more than
bolstered defenses.
However, a more robust definition of cyber resilience is emerging, driven by thought leaders, business executives, and regulatory bodies. It refers to an organization's ability to ensure "cyber survivability": the capacity to minimize damage and quickly recover from a cyber event or outage.
This definition goes beyond merely
hardening defenses; it also stresses the need for IT agility. Organizations
need to pivot and transform their IT environments rapidly, allowing them to
execute business objectives while simultaneously protecting themselves from
threats.
This transformation requires
automated, evidence-driven solutions that identify exactly where and how
essential business functions operate within their IT ecosystems. These systems
must provide real-time visibility into critical workflows, giving organizations
the tools to respond to disruptions as they happen, and limiting the potential
impact on operations.
By the end of 2025, organizations
must have a solution in place that automatically identifies how to recover the
critical functions of the business from a total failure, providing a
step-by-step recovery plan based on the last known working state.
2. Operational Technology as the Focal Point of the Attack Surface
As Gartner noted when it retired its
Market Guide for Operational Technology Security, the attack surface is
expanding as operational systems (OT/IIoT/IoT) become more interconnected with
traditional IT.
Recent cyberattacks targeting OT environments, such as the Colonial Pipeline ransomware attack in 2021, highlight the increasing focus of cyber adversaries on critical infrastructure. But even organizations that aren't "critical infrastructure" are at risk from attackers that can penetrate networks through insecure operational systems.
From legacy industrial control systems, to medical devices, to "smart building" technology, to physical security devices like cameras and turnstiles, any organization that does not operate entirely online has operational technology that creates significant risk. In some cases this is due to a lack of cybersecurity controls in historically air-gapped systems; in others it is due to improper implementation and/or oversight of network-connected devices.
Implementing security controls for
individual systems is not sufficient. Organizations need to fully understand
what operational technology they have, and whether and how those systems are
connected within their network environment that powers their critical business
functions.
By the end of 2025, businesses should
have a complete, automated map of their compute infrastructure. This map should
show critical assets and systems and highlight weak points where security
measures need to be strengthened to avoid catastrophic failures.
3. Shift Away from Emphasis on Cybersecurity Endpoint Solutions
For years, the cybersecurity industry
has shifted back and forth between focusing on network-based defenses and
endpoint protection. The recent CrowdStrike outage has once again prompted a
reevaluation of endpoint-focused solutions, with organizations changing their
focus to addressing sophisticated, large-scale attacks.
The next wave of cybersecurity will
likely emphasize solutions focused on attack surface management and using AI to
detect patterns, anomalies and threats within their networks. Many of these
solutions are cloud-based, and focus on organizations' adoption of cloud
environments.
While this reaction is
understandable, it will create a gap of visibility in hybrid enterprise
environments. Additionally, as organizations look to use AI-powered automation
to support their security workflows, they will need to ensure that the AI
systems have robust real-time data to act on - data that shows the truth of how
their complex infrastructure actually functions.
By the end of 2025, organizations
must implement solutions that provide insights into the complete compute
infrastructure that powers their business functions and also deliver the rich,
real-time data needed to fuel AI-based cybersecurity systems, enabling faster
and more accurate threat detection and response.
4. Post-Quantum Readiness
The impending arrival of quantum
computing poses a significant threat to current cryptographic methods. The U.S.
National Institute of Standards and Technology (NIST) has warned that quantum
computers could eventually break many of the encryption algorithms in use
today, threatening the privacy and security of sensitive data. Government
agencies are already urging businesses to prepare for the quantum future,
advising them to evaluate their current cryptographic methods and develop
post-quantum cryptographic strategies to protect critical data pathways.
Post-quantum readiness involves more
than just adopting new encryption algorithms; it requires a comprehensive
understanding of how and where encryption is applied within an organization's
systems. This includes developing an inventory of cryptographic protocols and
encrypted pathways, identifying which business functions rely on secure
communications, and ensuring these pathways are resilient against quantum
attacks.
By the end of 2025, businesses must
have a detailed inventory of all cryptographic methods and encrypted data
pathways critical to business functions, ensuring that they can be updated to
post-quantum encryption standards when the time comes.
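The cryptographic inventory described above can be more than a list: each encrypted pathway can be tied to the business function it serves and scored for migration urgency. The following is an added example, not code from the article or from Redjack; the pathway records are constructed, and the algorithm sets are illustrative (the quantum-broken set is the public-key families Shor's algorithm breaks, the PQ-safe set is the NIST FIPS 203/204/205 algorithms). The scoring rule, which treats a quantum-vulnerable key exchange on long-lived data as the urgent "harvest now, decrypt later" case, is an assumption of this example.

```python
"""Classify an inventory of encrypted pathways by post-quantum exposure.

Added example for this article; all pathway records below are constructed.
"""
import re
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a cryptographically
# relevant quantum computer (CRQC).
QUANTUM_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "X25519", "ECDSA", "ED25519"}
# NIST PQC standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA).
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass(frozen=True)
class Pathway:
    business_function: str    # the business function this pathway serves
    endpoint: str             # link or service identifier (constructed label)
    key_exchange: str         # "ECDHE", "ML-KEM", or a hybrid such as "X25519+ML-KEM"
    signature: str            # "RSA", "ECDSA", "ML-DSA", ...
    cipher: str               # symmetric suite, e.g. "AES-128-GCM"
    criticality: int          # 1 (low) .. 5 (critical), from the business-function map
    data_lifetime_years: int  # how long the data must remain confidential


def _pk_status(name):
    """Status of a public-key algorithm; a hybrid ('A+B') is safe if any part is PQ-safe."""
    parts = {p.strip().upper() for p in name.split("+")}
    if parts & PQ_SAFE:
        return "pq-safe"
    if parts & QUANTUM_BROKEN:
        return "quantum-broken"
    return "unknown"


def symmetric_key_bits(cipher):
    """Key length of a symmetric suite name, or None if it cannot be read."""
    c = cipher.upper()
    if "CHACHA20" in c:
        return 256
    m = re.search(r"(?:AES|CAMELLIA|ARIA)-?(128|192|256)", c)
    return int(m.group(1)) if m else None


def assess(p):
    """Findings and a migration-priority score for one pathway."""
    findings = []
    kex, sig = _pk_status(p.key_exchange), _pk_status(p.signature)
    if kex == "quantum-broken":
        findings.append(f"key exchange {p.key_exchange}: recorded traffic can be decrypted later")
    if sig == "quantum-broken":
        findings.append(f"signature {p.signature}: authenticity fails once a CRQC exists")
    bits = symmetric_key_bits(p.cipher)
    if bits is not None and bits < 256:
        findings.append(f"cipher {p.cipher}: {bits}-bit key; prefer 256-bit for long-lived data")
    # Assumed scoring: a broken key exchange protecting long-lived data is the urgent
    # case; a broken signature only matters once a CRQC actually exists.
    if kex == "quantum-broken":
        score = p.criticality * (2 if p.data_lifetime_years >= 10 else 1)
    elif sig == "quantum-broken":
        score = p.criticality
    else:
        score = 0
    return {"business_function": p.business_function, "endpoint": p.endpoint,
            "score": score, "findings": findings}


def inventory_report(pathways):
    """All assessments, most urgent first."""
    return sorted((assess(p) for p in pathways),
                  key=lambda r: (-r["score"], r["business_function"], r["endpoint"]))


def migration_order(pathways):
    """Business functions ordered by the most urgent pathway each one depends on."""
    worst = {}
    for r in inventory_report(pathways):
        worst[r["business_function"]] = max(worst.get(r["business_function"], 0), r["score"])
    return sorted(worst, key=lambda f: (-worst[f], f))


# Constructed sample inventory (not real systems).
SAMPLE_PATHWAYS = [
    Pathway("Payments clearing", "core-bank-api", "ECDHE", "RSA", "AES-128-GCM", 5, 10),
    Pathway("Customer portal", "web-tls", "X25519+ML-KEM", "ECDSA", "AES-256-GCM", 4, 2),
    Pathway("Internal wiki", "wiki-tls", "X25519", "ED25519", "CHACHA20-POLY1305", 1, 1),
    Pathway("Archive backups", "backup-link", "ML-KEM", "ML-DSA", "AES-256-GCM", 3, 25),
]

if __name__ == "__main__":
    for r in inventory_report(SAMPLE_PATHWAYS):
        print(r["score"], r["business_function"], r["endpoint"], r["findings"])
    print("migrate in order:", migration_order(SAMPLE_PATHWAYS))
```

The useful output is not the per-algorithm verdict but the ordering of business functions: on the sample data the payments pathway ranks first because it combines a classical key exchange with data that must stay confidential for a decade, while the backup link, already on ML-KEM and ML-DSA, needs no action.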
5. China Isolation and Validation
Amid rising tensions between the U.S.
and China, security and risk management companies note that many American
companies are reconsidering their reliance on Chinese IT infrastructure and
manufacturing. China's cybersecurity laws, which often require companies to share sensitive data with the
government, are driving businesses to decouple from Chinese technology
providers. Additionally, there is concern that geopolitical events, such as a
potential conflict in the South China Sea, could lead to a sudden and severe
disruption of global supply chains.
This trend of "China isolation"
highlights the need for companies to have a clear understanding of where their
IT infrastructure is geographically located. Without this understanding,
organizations may inadvertently expose themselves to geopolitical risks. Having
a detailed map of IT infrastructure locations is essential to mitigating these
risks and ensuring that sensitive business operations remain secure and
resilient.
And it's not just China - conflicts
and natural disasters can arise anywhere. Businesses need to think about
operational resilience from a geographic perspective.
By the end of 2025, organizations
must have a complete map of the geographic locations of their IT
infrastructure, including cloud data centers and third-party service providers,
to ensure they are prepared for geopolitical shifts.
6. M&A Cyber Diligence
Cybersecurity risk assessments are
becoming an essential part of mergers and acquisitions, as acquiring companies
often inherit the cybersecurity risks of the target company. A failure to
perform cyber diligence can lead to costly breaches or operational disruptions
that could have been avoided. The SolarWinds supply chain attack, for example,
demonstrated how vulnerabilities in one company can spread to others through
interconnected systems.
While companies know they need this
information, due to time constraints they too often need to rely on incomplete
data in their analysis - which opens them up to risks post-acquisition.
M&A cyber diligence requires a
detailed understanding of the business functions and systems of the target
company, along with an evaluation of how resilient those functions are to
cyberattacks. This includes identifying critical assets, vulnerabilities, and
recovery capabilities, allowing the acquiring company to make informed
decisions about risk management.
By the end of 2025, businesses must
be able to automatically generate a complete map of the functions and systems
of any company they acquire and assess how resilient those functions are to
cyber threats. They should adopt solutions that rapidly collect robust data and
use AI to generate the risk insights they need.
7. Third-Party Risk Maps
Third-party vendors play an
increasingly important role in modern business operations, but they also
introduce significant cybersecurity risks. A study by the Ponemon Institute
found that 53% of organizations had experienced a data breach caused by a third-party
vendor, demonstrating how critical it is for businesses to monitor third-party
risks effectively.
Managing third-party risk requires
not only visibility into vendor relationships but also an understanding of how
these vendors impact the organization's overall cybersecurity posture.
Organizations need to be able to map third-party dependencies to critical
business functions, identifying which assets rely on external vendors and
ensuring that those vendors meet the same security standards as the
organization itself.
Third-party risk oversight is about detecting risk, not just accounting for it. As organizations adopt new third-party suppliers and technologies to meet their business goals, they need a "radar screen" that identifies risks to their business functions - not a spreadsheet of vendors and security policies. Automation will play a key role in managing these relationships, allowing businesses to continuously monitor vendor risks in real time.
By the end of 2025, organizations
must have a complete understanding of which systems and business functions rely
on third-party vendors, and they must be able to automatically map these
dependencies to organizational risks, enabling proactive risk management.
8. Move Beyond Basic Asset Inventory
We've seen it happen time and time again: companies with basic asset inventories get hit hard by cyberattacks, and they're left wondering how things went so wrong. Recent cases like the MOVEit and Log4j incidents show just how vulnerable organizations can be, even with asset inventories in place. The reason? Many companies rely on outdated or incomplete inventories that don't dynamically update or integrate with real-time threat detection systems. They're stuck trying to defend themselves with a static map, while the attack surface is constantly shifting.
- In 2023, attackers exploited vulnerabilities in the MOVEit file transfer software used by various sectors, including critical infrastructure and IoT systems. Despite organizations having asset inventories, the interconnected nature of devices and the lack of immediate visibility into vulnerable software usage hindered effective mitigation. Progress Software, the tool's owner, issued patches, but the incident revealed how asset inventories can struggle to track all dependencies across systems.
- Similarly, in 2021, Apache Log4j, a widely used Java-based logging library, exposed millions of systems worldwide to potential attacks. Apache released multiple patches to address the issue, but mitigation efforts were complicated by the challenge of identifying all vulnerable systems.
The problem with these cases is that their asset inventories weren't built for today's cyber environment: fast, agile, and evolving constantly. You need more than just a static list; you need a smart system that not only shows you what you have but also tells you what's at risk and how to protect it in real time.
Even more importantly, organizations
need to be able to prioritize remediation efforts - they need to know which
critical business functions are most at risk from a given vulnerability so they
can triage issues based on criticality to the business. Most asset inventory
solutions only provide an IT-centric view of their infrastructure, without
considering how each IT asset or system fits into the larger business context.
By the end of 2025, the companies
that thrive will be those that move beyond basic asset inventories. They'll
adopt fully integrated, AI-driven systems that dynamically update, map critical
dependencies, and provide continuous risk assessment - from the perspective of
ensuring the resilience of critical business functions.
Companies stuck with old, static systems will be left behind, vulnerable to the ever-growing threat landscape. The future of asset management is proactive, not reactive: make sure your inventory is built for what's coming.
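Both the third-party risk map of trend 7 and the business-aware asset inventory of trend 8 come down to the same structure: a dependency graph in which business functions depend on assets, and assets depend on software components and external vendors, so that risk can be propagated upward from a vulnerable component or a troubled vendor to the functions it ultimately threatens. The following is an added example, not code from the article or from Redjack; every node, edge and criticality value is constructed, and the component names only echo the incidents the article mentions. It also shows the inventory gap the article warns about: an asset that runs the vulnerable component but is mapped to no business function surfaces with criticality 0 instead of silently disappearing.

```python
"""Map assets, components and vendors to business functions and rank
remediation by business impact.

Added example for this article; every node below is constructed. An edge
"X depends on Y" means X is exposed or stops working when Y is vulnerable or
unavailable, so risk is propagated upward from Y to everything depending on it.
"""
from collections import defaultdict, deque


class DependencyMap:
    def __init__(self):
        self.kind = {}                      # node -> "function" | "asset" | "component" | "vendor"
        self.criticality = {}               # business function -> 1 (low) .. 5 (critical)
        self.dependents = defaultdict(set)  # node -> nodes that depend on it

    def add(self, name, kind, criticality=None):
        self.kind[name] = kind
        if kind == "function":
            self.criticality[name] = criticality

    def depends_on(self, dependent, dependency):
        self.dependents[dependency].add(dependent)

    def affected_functions(self, node):
        """Business functions reachable upward from node, most critical first."""
        seen, queue, hit = {node}, deque([node]), {}
        while queue:
            for d in self.dependents.get(queue.popleft(), ()):
                if d not in seen:
                    seen.add(d)
                    queue.append(d)
                    if self.kind.get(d) == "function":
                        hit[d] = self.criticality[d]
        return sorted(hit, key=lambda f: (-hit[f], f))

    def triage(self, vulnerable_components):
        """(asset, component, criticality) rows: which instance to patch first.

        Criticality 0 marks an asset that runs the vulnerable component but is
        mapped to no business function, i.e. a gap in the inventory itself.
        """
        rows = []
        for comp in vulnerable_components:
            for asset in self.dependents.get(comp, ()):
                if self.kind.get(asset) != "asset":
                    continue
                funcs = self.affected_functions(asset)
                rows.append((asset, comp, self.criticality[funcs[0]] if funcs else 0))
        return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

    def unmapped_assets(self):
        """Assets with no path to any business function."""
        return sorted(a for a, k in self.kind.items()
                      if k == "asset" and not self.affected_functions(a))


def build_sample_map():
    """Constructed sample organization (hypothetical names throughout)."""
    m = DependencyMap()
    for f, c in [("Order fulfilment", 5), ("Payroll", 4), ("Internal wiki", 1)]:
        m.add(f, "function", c)
    for a in ["erp-app-01", "wms-gateway", "hr-portal", "wiki-host", "legacy-hmi-07"]:
        m.add(a, "asset")
    m.add("log4j-core", "component")
    m.add("managed-file-transfer", "component")
    m.add("payroll-saas-vendor", "vendor")
    for dependent, dependency in [
        ("Order fulfilment", "erp-app-01"), ("Order fulfilment", "wms-gateway"),
        ("Payroll", "hr-portal"), ("Internal wiki", "wiki-host"),
        ("erp-app-01", "log4j-core"), ("wiki-host", "log4j-core"),
        ("legacy-hmi-07", "log4j-core"),   # runs the library but is mapped to nothing
        ("wms-gateway", "managed-file-transfer"),
        ("hr-portal", "payroll-saas-vendor"),
    ]:
        m.depends_on(dependent, dependency)
    return m


SAMPLE_MAP = build_sample_map()

if __name__ == "__main__":
    print("functions exposed by log4j-core:", SAMPLE_MAP.affected_functions("log4j-core"))
    print("patch order:", SAMPLE_MAP.triage(["log4j-core", "managed-file-transfer"]))
    print("exposed via vendor:", SAMPLE_MAP.affected_functions("payroll-saas-vendor"))
    print("inventory gaps:", SAMPLE_MAP.unmapped_assets())
```

The same upward traversal answers both questions the article raises: "which business functions does this vendor put at risk" and "which instance of this vulnerable library do we patch first". A static asset list can answer neither, because it stores the assets but not the edges.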
Conclusion
The evolving landscape of cyber
resilience requires businesses to adopt a range of new capabilities by 2025 to
remain competitive and secure.
From automated recovery solutions and
rich AI-driven data to post-quantum cryptography inventories and comprehensive
third-party risk maps, these capabilities will enable organizations to adapt to
the paradigm shifts shaping the future of cybersecurity. Companies that fail to
implement these solutions risk being left behind in an increasingly complex and
volatile cyber landscape.
References:
Ponemon Institute, Data Risk in the Third-Party Ecosystem: Second Annual Study (2020)
National Institute of Standards and Technology (NIST), Post-Quantum Cryptography Standards (2022)
Department of Homeland Security (DHS), Cyber Resilience Guidance for Critical Infrastructure (2021)
CrowdStrike Incident Report, Impact of Recent Outages on Endpoint Security (2023)
Colonial Pipeline Attack Report, Lessons Learned from the Largest Infrastructure Cyber Attack (2021)
ABOUT THE AUTHOR
Greg Virgin, CEO at Redjack
Greg began his career with the National
Security Agency (NSA), where he developed his patented sensor technology for
defense, energy, and homeland security environments. He founded Redjack in 2007
to commercialize the technology and extend its capabilities to support cyber
resilience initiatives within both public and private sector organizations.