A new year opens to both fresh and persistent cybersecurity challenges. These key projects should be at the top of your 2025 to-do list.

Originally Posted at CSO

As 2025 dawns, CISOs face the grim reality that the battle against cyberattackers never ends. Strong and carefully planned cybersecurity projects are the best way to stay a step ahead of attackers and prevent them from gaining the upper hand.

“Urgency is the mantra for 2025,” says Greg Sullivan, founding partner of cybersecurity services firm CIOSO Global. “It’s not a matter of if you will be breached; it’s the reality of when you will be breached.” Because of this, Sullivan believes risk mitigation is crucial. “This can only be accomplished by goal setting … and continuous security posture improvement.”

Here’s a rundown of cybersecurity projects every CISO should consider launching in 2025.

Over the past year, AI has transformed entire industries. For organizations to be successful in 2025, securing AI solutions and the data they process must be a top priority, says Archana Ramamoorthy, senior director for regulated and trusted cloud at Google Cloud.

“While traditional security measures focus on data at rest and in transit, the growing reliance on AI and the desire for secure collaboration reinforces the critical need to protect data in use,” she observes. “By prioritizing secure AI initiatives, organizations can safeguard their most sensitive data and build trust in AI models overall.”

As organizations move toward agentic AI, which empowers AI systems to help users accomplish complex tasks that require planning, research, content generation, and actions, the need for robust security measures becomes even more critical. Without secure AI and accurate data, enterprises risk not only operational failures, but also major security incidents. 

To effectively secure AI workloads, security teams should first gain an understanding of AI use within their enterprise, as well as the data and models used to power their business. “Next, assemble a cross-functional team to assess risks and develop a comprehensive security strategy,” Ramamoorthy advises. “Following best practices and adopting a secure AI framework will help to enable a strong security foundation and ensure that when AI models are implemented, they are secure by default.”

2. Adopt third-party risk management

Third-party risk management (TPRM) is now a top cybersecurity approach, says Ben Saine, principal consultant at technology research and advisory firm ISG. TPRM identifies, assesses, and mitigates risks associated with outsourcing tasks to third-party vendors or service providers. “TPRM’s value is impossible to overestimate,” he states. “Making TPRM the top priority will be essential to protecting your company against the many threats presented by outside vendors and partners.”

With a successful TPRM project, your enterprise will have a better security posture, with fewer vulnerabilities and proactive control over outside hazards, Saine says. TPRM, backed by real-time monitoring and the ability to quickly respond to developing hazards, can also ensure compliance with pertinent laws, reducing the risk of fines and legal headaches. “Compliance will also help your enterprise project credibility and dependability to clients and partners,” he says.

A strong TPRM program guarantees that your operations can survive interruptions brought on by outside events, Saine says. “Maintaining enterprise continuity and lowering downtime depend on this resiliency.”

3. Safeguard data exposed to third-party AI tools

Third-party AI tools are reshaping multiple business processes. Yet without robust data security, organizations risk exposing their most valuable assets to breaches and compliance failures, warns Dan Glass, CISO at NTT DATA North America. “As AI adoption grows, proactive data governance and security integration will define the difference between competitive advantage and catastrophic risk,” he says.

Glass advises IT leaders to assess how enterprise data is accessed and used across third-party AI tools. “Then prioritize investments in encryption, access controls, and monitoring to secure these workflows.”

4. Strengthen compliance with a unified risk management strategy

CISOs have the most at stake if cited for noncompliance, so they will play a key role in carrying out compliance plans, says Michael Fanning, CISO at Splunk, which specializes in operational intelligence software. “In this regard, they may take an inherently conservative approach, such as limiting where company data is stored.” Yet CISOs shouldn’t try handling this project alone, he warns. “CISOs and CIOs need the help of general counsels to sponsor policy and programmatic approaches and set the organization’s priorities.”

“Together, not only will CISOs, CIOs, and general counsels develop a unified risk management strategy and collaborate on policy, they’ll form cross-functional task forces to monitor regulatory shifts, assess impacts, and implement necessary changes across an organization,” Fanning predicts. “They will also have to work closely on investment strategies, infrastructure decisions, and vendor selection to remain compliant with where certain data can reside,” he says. “These successful partnerships will leverage shared dashboards and reporting tools, which will help everyone stay up to date on compliance and respond quickly to new governance issues.”

5. Establish asset visibility and strong cloud governance

As has been the case for the past several years, a core challenge for CISOs has been achieving comprehensive asset visibility and effective cloud governance, states Jim Broome, CTO at cybersecurity services firm DirectDefense.

“Many organizations still struggle to know the location of all of their assets and data, as well as ensuring that those resources are properly managed and protected,” he says. “Looking ahead, prioritizing asset discovery, inventory management, and a robust cloud security posture should be the central focus.”

You can’t protect what you can’t identify, Broome warns. “Regardless of where your data lives — on-premises, in the cloud, or across multiple platforms — you’re ultimately accountable for its safety and compliance.” Gaining clear, continuous visibility into your enterprise’s digital footprint is critical for mitigating risk, maintaining compliance, and safeguarding your organization’s reputation.

Broome recommends building success in progressive, attainable steps that align with the organization’s maturity level. “Start by aiming for at least 70% asset data visibility and management,” he says. “As you refine your discovery processes, enhance controls, and improve operational efficiencies, continue increasing that coverage.”

The ultimate goal should be establishing a continuous improvement cycle that leads to comprehensive oversight, reduced risk, and a more resilient security posture.

6. Commit to trust-by-design methodologies

In 2025, organizations should prioritize trust-by-design principles, particularly when building AI-powered systems, says Vikram Kunchala, Deloitte’s US cyber solutions and platforms leader. Trust by design facilitates the proactive integration of security into every phase of development, thereby mitigating the risk of security breaches and protecting critical assets and data.

Trust by design ensures security is embedded early in development, rather than as an afterthought, Kunchala explains. By anticipating threats and safeguarding data, trust by design strengthens trust, resilience, and ethical integrity in AI solutions. “This approach not only protects sensitive information, but also helps AI systems better withstand evolving risks and maintain compliance with regulatory standards.”

When implementing trust-by-design principles with AI-powered systems, security leaders should align their goals with overall enterprise objectives while obtaining buy-in from key executives and stakeholders. Additionally, conducting thorough assessments of the development processes can help identify vulnerabilities while prioritizing remediation and controls. “One of the most critical phases in a trust-by-design approach is involving both security and development teams from initial design to deployment and maintenance,” Kunchala adds.

7. Build an integrated cyber-storage foundation

Instead of treating storage as a passive repository, create an advanced cyber-storage platform that integrates active security features, such as honeypots designed to detect and misdirect attackers, says Aron Brand, CTO at network security firm CTERA.

Brand also suggests using AI-based anomaly detection to identify threats early, using immutability to protect backups from tampering, and active disaster recovery to ensure rapid restoration. “Reimagining storage in this way simplifies operations, reduces gaps, and strengthens resilience against increasingly sophisticated threats,” he says. “Investing in cyber-storage is not just about reducing risk; it ensures that data systems can defend themselves and recover effectively when under attack.”

Cyber-storage offers an integrated, self-defending system centered around data, fully aligned with the demands of today’s security challenges, Brand says. “It’s a necessary addition to our strategies.”