Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
Another year is coming to a close, and it's time to gaze into the crystal ball to see
what's in store for 2025. Keep reading for insights from DigiCert's Dean Coclin, Senior Director of Digital Trust Services; Avesta Hojjati, Vice President of
Engineering; Tim Hollebeek, Vice President of Industry Standards; and Mike Nelson, Global Vice President of Digital Trust.
Prediction 1: Post-quantum cryptography will advance from theoretical to practical and deployed
Last year, DigiCert predicted that ongoing advances in
quantum computing would motivate executives to learn more about its risks and
accelerate their investments in post-quantum cryptography (PQC). We predict
that 2025 will be the year that PQC takes a major leap forward, from abstract
line items on IT roadmaps to deployed operational solutions.
We're already seeing the first steps toward putting PQC into play. The U.S. National
Security Agency (NSA) is expected to announce CNSA 2.0 algorithms for critical NSS
networks. We predict adoption of quantum-resistant cryptography will grow, with
advanced encryption becoming available in hardware
security modules (HSMs) and applications. As its adoption accelerates, PQC will
also evolve to become a regulatory compliance imperative. Global organizations have acknowledged the
need for a quantum-secure economy, and compliance standards and regulations are
in process for financial services organizations as well as healthcare
providers.
Prediction 2: 2025 will see a continued rise in the hiring of Chief Trust Officers
In 2025, we'll see a continued rise in Chief Trust
Officers (CTrOs) as organizations prioritize digital trust and transparency to
navigate increasingly complex regulatory environments and rising cybersecurity
threats. With trust now a key factor in customer relationships, companies will
recognize the need for a dedicated executive to oversee data privacy, ethical
AI, and secure digital experiences.
The CTrO will play a crucial role in building and maintaining trust with customers,
partners, and regulators, ensuring that companies not only meet compliance
standards but also actively foster trust as a core business asset. As digital
ecosystems expand, the demand for leaders who can align technology, security,
and transparency will continue to grow, and grow fast.
Prediction 3: Coalition for Content Provenance and Authenticity (C2PA) will go mainstream
For cybersecurity pros, the 2024 election will be
remembered as the first where AI deepfakes threatened to undermine voter
confidence. So much of the media we consume is suspect, making content
provenance more vital than ever. We predict that the Coalition for Content
Provenance and Authenticity's (C2PA)
Content Credentials icon will become commonplace, making it easier for
consumers, creators, and marketers to identify authentic digital content.
Supported by top brands like Adobe, Microsoft, Nikon, Leica, and several others, the C2PA
standard utilizes PKI to produce a tamper-evident record, which helps users
differentiate between real and fake media. In the event content is manipulated
or edited, the changes are recorded, making it easier to identify deepfakes and
other altered content. It won't be long before content credentials
appear on many of the images people see online.
Prediction 4: As certificates evolve, crypto-agility will become more essential than ever
At a recent CA/Browser (CA/B) Forum meeting, Apple
proposed a gradual reduction of the maximum validity for public SSL/TLS
certificates to 45 days by 2027. This proposal is part of a growing trend toward shorter certificate lifespans,
which aims to improve internet security by reducing risks associated with
longer certificate validities. To keep pace with the need for more frequent
renewals, we predict that organizations will require more automation for web PKI.
Certificate automation has long been a fundamental aspect of crypto-agility, and for
organizations that haven't made it a part of their processes, certificate
changes on the horizon will motivate them to adapt.
Prediction 5: Organizations will demand resilience and zero outages
The massive CrowdStrike outage this past summer revealed
not only the need for better testing of automated software updates at
scale, but also the importance of digital trust. We predict that expectations
will rise and that people will demand more proof that their software and updates
aren't just safe and reliable; they're secure and fully trusted. That's
particularly true in cases where your physical safety can be compromised. As
the IoT continues to mature, we're seeing over-the-air (OTA) software updates
across a variety of use cases, but how can people know that these updates are
legitimate?
It's not hard to imagine how disruptive a flawed or malicious update could be to a fleet
of self-driving cars. We expect it won't be long before automakers adopt a more
transparent approach to sharing the results of their security measures to give
car owners peace of mind. In fact, we believe new regulations from the E.U.
will accelerate this trend worldwide. The region recently adopted a set of
cybersecurity requirements for the design and production of hardware and
software. Effective in 2027, the Cyber Resilience Act is the first
regulation with teeth to ensure that digital products adopt a more holistic
approach to IoT security.
Prediction 6: AI-driven phishing attacks will surge
In 2025, the proliferation of AI will fuel an
unprecedented surge in sophisticated phishing attacks, making them harder to
detect. Attackers will leverage AI to craft highly personalized and convincing
phishing campaigns, using advanced language models to mimic human communication
with near-perfect accuracy. Automated tools will enable cybercriminals to scale
these attacks at an alarming rate, targeting individuals and organizations with
precision. As traditional defenses struggle to keep pace, organizations will
need to adopt new mechanisms to counter this escalating threat.
Prediction 7: New private PKI standards like ASC X9 will gain momentum
Emerging private PKI standards like ASC X9 are
crucial. Why? Because they enable interoperability and trust between
organizations without relying on browser-driven, one-size-fits-all
requirements, allowing for customized approaches that address specific business
needs. Developed by the Accredited Standards Committee X9, ASC X9 focuses on
security standards tailored for the financial industry, addressing critical
areas like data integrity and authentication.
Unlike public PKI, which imposes uniform requirements driven by browser ecosystems,
private PKI offers greater flexibility in defining security policies and
compliance measures. This is particularly relevant for finance, healthcare, and
other industries with stringent regulatory requirements or unique operational
needs. By fostering secure, scalable, and tailored trust frameworks, these
standards will empower organizations to enhance security and streamline
collaboration in a way that public PKI cannot.
Prediction 8: More people will ask for Cryptography Bills of Materials (CBOMs) to strengthen trust
As cyberattacks and new, potentially malicious
technologies like AI continue to evolve, we'll be seeing an increased threat
level to systems, devices, and processes. We predict that people will digitally
sign more things, more often, and that they'll ask for Cryptography Bills of Materials (CBOMs) to
strengthen digital trust.
CBOMs describe cryptographic assets and their
dependencies. They provide a better understanding of how and where crypto
assets are used and help organizations facilitate assessment of their risk.
They're extremely valuable, and in 2025, their use will become much more
common.
Prediction 9: Managing certificates with spreadsheets will end by 2028
Although nearly 25% of enterprises* manage their
thousands (and sometimes, tens of thousands) of certificates manually, the era
of manual tools to manage certificates is coming to an end. We predict that as
businesses adopt increasingly stringent security standards and shorter
certificate lifespans, outdated processes and legacy applications will simply
cease to be sustainable.
This shift will drive organizations to embrace modernized, automated management solutions that provide the agility,
scalability, and efficiency needed to keep up with evolving industry demands.
Businesses that prioritize automation and streamlined workflows will be better
equipped to meet these challenges and remain competitive.
Prediction 10: Organizations will continue to prioritize fewer vendors to simplify their tech stack
Despite this summer's CrowdStrike incident, which
raised concerns about relying too heavily on a single vendor, we predict that
enterprises will continue consolidating their vendor selection. Managing
thousands of vendor relationships and contracts is a common challenge for large
enterprise IT teams, and streamlining these partnerships offers numerous
advantages. Partnering with a vendor that provides a wide range of solutions
not only creates economies of scale but also simplifies integration and interoperability
across the tech stack, reducing system fragmentation.
Consolidation can enhance security by providing
greater visibility and consistency in practices while lowering the risks
associated with managing multiple platforms. It reduces the complexity and time
spent on contract negotiations, renewals, and vendor evaluations, allowing IT
teams to focus on strategic initiatives. And it fosters stronger, more
collaborative vendor relationships, enabling faster issue resolution, better
support, and tailored solutions that align with enterprise needs. In short,
prioritizing fewer vendors drives efficiency, cost savings, and agility across
the organization, and we don't expect to see that change.
As we go into the new year, it's clear that the cybersecurity landscape will
continue to evolve at an unprecedented pace. Organizations must remain agile,
embracing innovative technologies, strengthening their defenses, and fostering
digital trust to navigate emerging challenges. From quantum-resistant
cryptography to AI-driven threats and the rise of digital trust leaders, these
trends underscore the importance of a proactive and resilient approach. By
staying ahead of these developments, businesses can not only protect their
assets but also build lasting trust with their customers, partners, and
stakeholders, turning cybersecurity into a competitive advantage in an
increasingly interconnected world.