
Regulations and resilience will raise CISOs’ risk management stakes

In 2025, EU regulators will issue first fine against a genAI provider; major IoT breach will disrupt large class of devices; CISOs will deprioritize genAI due to lackluster outcomes; Western government will bar third-party software

DQI Bureau

In 2024, organizations waded through turbulent regulatory waters. Globally, governments enacted new cybersecurity and privacy requirements across industries. Meanwhile, security and risk leaders sprinted to secure emerging technologies like genAI even if their use cases were still evolving. 


Almost every industry experienced first-hand the consequences of poor IT resilience planning. And despite downplaying their third-party risk, organizations saw an increase in software supply chain breaches. With cybercrime expected to cost $12 trillion in 2025, regulators will take a more active role to protect consumer data while organizations pivot to adopt more proactive security measures to limit material impacts to their organization. Forrester predicts that in 2025:

* The EU will fine a genAI provider for the first time under the EU AI Act. EU enforcement of the EU AI Act requirements on prohibited use cases will kick off as private action only in February 2025 and expand to general-purpose AI (GPAI) models (e.g., genAI) in June 2025. With the EU AI Office and data protection authorities joining forces to oversee GPAI providers, it won’t take long for the action to begin! In 2025, a GPAI model’s provider will receive the first fine for violating the EU AI Act. 

Users take note: While the Act aims GPAI requirements — such as disclosing training sources and sharing results of model evaluations including adversarial testing — directly at GPAI providers, compliance obligations are linked across AI actors. Organizations that are not prepared will inevitably face a third-party risk nightmare. As companies diversify the genAI models they use, they must vet their providers carefully and ensure they collect all of the evidence necessary to avoid exposing themselves to investigation and fines.


* A major IoT breach will disrupt a large class of devices. IoT devices and their vulnerabilities are proliferating within enterprises, increasing the risk of IoT device-related cybersecurity breaches. Most device classes are at risk, making it challenging for network and security leaders to agree on risk reduction efforts. 

Anywhere-work introduces vulnerable personal or third-party IoT devices into an enterprise’s security posture. Malicious actors can now compromise a common class of IoT devices and execute a broad-scale attack, as was seen in September 2024 when thousands of sabotaged pagers exploded simultaneously in Lebanon. 

Another IoT device class will be compromised in 2025, requiring organizations to conduct lengthy and costly remediation efforts, possibly replacing entire groups of devices. Apply Zero Trust principles to your IoT infrastructure and a “secure what you sell” model to enforce minimum security requirements, limit your exposure, and reduce your likelihood of compromise.


* CISOs will deprioritize genAI use by 10% due to lack of quantifiable value. According to Forrester’s 2024 data, 35% of global CISOs and CIOs consider exploring and deploying use cases for genAI to improve employee productivity a top priority for the digital workplace in 2024. 

Disillusionment around genAI is growing as marketing promises fail to result in actionable outcomes. The thought of an autonomous security operations center (SOC) using genAI generated a lot of hype, but it couldn’t be further from reality.

Microsoft Security Copilot early adopters cite that they were able to complete incident reporting and script analysis tasks faster, but other activities like response were markedly slower. In 2025, security practitioners will continue to sink into disenchantment with AI. 


With 18% of the global AI decision-makers who are CISOs already citing inadequate budget as the greatest barrier to adopting AI, that figure will rise by 10 percentage points in 2025 as CISOs struggle to see the expected gains and fail to make the case for the budget needed to support it.

* A Western government will bar specific third-party or open-source software. Recent incidents, such as the XZ Utils hack, a new owner’s compromise of the polyfill.io service, and the 3CX double supply chain compromise, illustrate how adversaries exploit the trust placed in maintainers for political and financial gain. Software vendors are beginning to make software bills of materials (SBoMs) available, and with that comes component transparency. 

These SBoMs enable governments to better scrutinize the security, developer practices, maintenance, and contributors of software bundled within products they purchase. In 2025, a government armed with this information will restrict the use of a third-party or open-source component. To comply, software suppliers will need to remove the offending component and replace the functionality. 


Once one country adopts stringent measures on the grounds of national security, others will follow. Suppliers must step up their due diligence, monitor their third-party and open-source components, and plan to provide transparency to government agencies.
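The monitoring step described above can be automated against the SBoMs suppliers already produce. The following is an added example, not code from the article or from Forrester, that reads a constructed CycloneDX-style SBOM (a minimal subset of the real schema), checks every component against a deny list of restricted packages, and reports the dependency chain that pulls each restricted component into the product, which is what a supplier needs in order to know what to remove and replace. The package names in the deny list and the SBOM are placeholders; a real list would be populated from the restricting government's notice.

```python
import json
from dataclasses import dataclass

# Constructed deny list: package name -> set of barred versions, or None for all versions.
# Placeholder names; populate from the restricting authority's notice in real use.
RESTRICTED = {
    "placeholder-restricted-lib": None,                  # barred in every version
    "placeholder-compression-lib": {"5.6.0", "5.6.1"},   # barred only in specific releases
}

# Constructed CycloneDX-style SBOM for one product (minimal subset of the real schema).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/example-app@2.3.0",
                               "type": "application", "name": "example-app", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:npm/ui-toolkit@4.1.0", "type": "library",
         "name": "ui-toolkit", "version": "4.1.0", "purl": "pkg:npm/ui-toolkit@4.1.0"},
        {"bom-ref": "pkg:npm/placeholder-restricted-lib@0.9.2", "type": "library",
         "name": "placeholder-restricted-lib", "version": "0.9.2",
         "purl": "pkg:npm/placeholder-restricted-lib@0.9.2"},
        {"bom-ref": "pkg:generic/placeholder-compression-lib@5.6.1", "type": "library",
         "name": "placeholder-compression-lib", "version": "5.6.1",
         "purl": "pkg:generic/placeholder-compression-lib@5.6.1"},
        {"bom-ref": "pkg:npm/logging-lib@2.0.0", "type": "library",
         "name": "logging-lib", "version": "2.0.0", "purl": "pkg:npm/logging-lib@2.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@2.3.0",
         "dependsOn": ["pkg:npm/ui-toolkit@4.1.0",
                       "pkg:generic/placeholder-compression-lib@5.6.1",
                       "pkg:npm/logging-lib@2.0.0"]},
        {"ref": "pkg:npm/ui-toolkit@4.1.0", "dependsOn": ["pkg:npm/placeholder-restricted-lib@0.9.2"]},
        {"ref": "pkg:npm/logging-lib@2.0.0", "dependsOn": []},
    ],
})


@dataclass
class Finding:
    name: str
    version: str
    purl: str
    via: list  # bom-refs from the product root down to the restricted component


def is_restricted(name, version, denylist=RESTRICTED):
    """True when the (name, version) pair is on the deny list."""
    if name not in denylist:
        return False
    versions = denylist[name]
    return versions is None or version in versions


def _parent_map(sbom):
    """Invert the dependency graph: child bom-ref -> list of parent bom-refs."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    return parents


def _chain_to_root(ref, parents, root_ref):
    """Follow the first parent link upward to the product root; guards against cycles."""
    chain, seen, cur = [ref], {ref}, ref
    while cur != root_ref:
        ups = parents.get(cur)
        if not ups or ups[0] in seen:
            break
        cur = ups[0]
        seen.add(cur)
        chain.append(cur)
    return list(reversed(chain))


def find_restricted_components(sbom_text, denylist=RESTRICTED):
    """Parse a CycloneDX JSON document and return a Finding per restricted component."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    parents = _parent_map(sbom)
    findings = []
    for comp in sbom.get("components", []):
        version = comp.get("version", "")
        if is_restricted(comp["name"], version, denylist):
            findings.append(Finding(comp["name"], version, comp.get("purl", ""),
                                    _chain_to_root(comp["bom-ref"], parents, root_ref)))
    return findings


if __name__ == "__main__":
    for f in find_restricted_components(SAMPLE_SBOM):
        print(f"{f.name} {f.version} pulled in via: {' -> '.join(f.via)}")
```

Running the block prints two findings: one for the transitive placeholder-restricted-lib, reached through ui-toolkit, and one for the directly depended-on placeholder-compression-lib 5.6.1. The chain matters more than the match itself: a transitive hit usually means upgrading or replacing the direct dependency that brings it in, whereas a direct hit is the supplier's own choice to replace. Only the first parent path is reported, so a component reachable through several dependencies will need the full inverted graph inspected before removal.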

* Breach-related class action costs will surpass regulatory fines by 50%. Breach-related spending is no longer limited to regulatory fines and remediation costs. Despite the increase in frequency, scale, and consequence of cyberattacks, lawmakers have failed to consistently strengthen cybersecurity requirements. 

An absence of cybersecurity regulation has led customers, employees, and shareholders to litigate to seek damages and force companies to make critical improvements to their security risk management. The financial exposure in data breach class action litigation is enormous. 


In 2023, T-Mobile settled breach-related class actions for $350 million and spent a further $150 million to improve security. Hundreds of cases are awaiting trial, including more than 100 surrounding the MOVEit vulnerability breach and 50 for the Change Healthcare cyberattack. With the percentage of companies facing class actions at a 13-year high, CISOs will be asked to contribute toward the company’s class action defense fund in 2025, making costs from class actions greatly exceed fines imposed by regulators.

Summary
Security, risk, and privacy leaders are facing numerous external and internal challenges as they seek to balance technical risks with regulatory compliance requirements. In 2025, EU regulators will issue their first fine against a generative AI (genAI) provider; a major IoT breach will disrupt a large class of devices; CISOs will deprioritize genAI due to lackluster outcomes; a Western government will bar third-party software; and the costs of breach-related class actions will surpass regulatory fines. 

-- Source: Forrester Research, USA and Australia.
