In 2024, regulators around the globe introduced a myriad of proposed cybersecurity- and privacy-focused policies and legislation to better manage risks arising from emerging technologies such as generative AI (GenAI), as well as risks arising from third-party relationships.
Security and risk leaders sprinted to secure GenAI, even as its use cases were still evolving; almost every industry experienced critical IT disruptions due to lack of resilience planning; and despite downplaying third-party risks, organisations globally saw an increase in software supply chain breaches.
With cybercrime expected to cost $12 trillion in 2025, regulators will take a more active role in protecting consumer data while organisations pivot to adopt more proactive security measures to limit material impacts. This year’s cybersecurity, risk, and privacy predictions from Forrester for 2025 reflect how organisations need to evolve to address these emerging risk domains. Here are three of those predictions:
- CISOs will deprioritise GenAI use by 10% due to lack of quantifiable value. According to Forrester’s 2024 data, 35% of global CISOs and CIOs consider exploring and deploying use cases for GenAI to improve employee productivity as a top priority. The security product market has been quick to hype GenAI’s expected productivity benefits, but a lack of practical outcomes is fostering disillusionment. The thought of an autonomous security operations centre using GenAI generated a lot of hype, but it couldn’t be further from reality. In 2025, the trend will continue, and security practitioners will sink deeper into disenchantment as challenges such as inadequate budgets and unrealised AI benefits reduce the number of security-focused GenAI deployments.
- Breach-related class-action costs will surpass regulatory fines by 50%. Breach-related spending is no longer limited to regulatory fines and remediation costs. Historically, cyber regulations have not gone far enough to protect customers and employees, leading those same people to pursue class-action lawsuits and seek damages. Class-action costs are enormous in data breach litigation. And with the percentage of companies facing class actions at a 13-year high, CISOs will be asked to contribute toward the company’s class-action defence fund in 2025, making costs from class actions greatly exceed fines imposed by regulators.
- A Western government will bar specific third-party or open-source software. Software supply chain attacks are a top culprit for data breaches in organisations globally. Growing pressure from Western governments to require private companies to produce software bills of materials (SBOMs) has been a boon for software component transparency, but these SBOMs highlight the role of third-party and open-source software in the products that governments purchase. In 2025, a government armed with this information will restrict an open-source component on the grounds of national security. To comply, software suppliers will need to remove the offending component and replace the functionality.
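The prediction above turns on the fact that an SBOM makes every third-party and open-source component in a product visible, including components nested inside other components. As an added example (not part of the Forrester piece, and not any real product's SBOM or any real restriction list), the following Python walks a CycloneDX-format SBOM and reports every occurrence of a restricted component so a supplier can see what would need to be removed or replaced. The SBOM content and the restricted name `restricted-component-placeholder` are constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM (placeholder data, not a real product).
# One restricted component appears at the top level and again nested inside
# another component, which is where a naive top-level scan would miss it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logging-lib", "version": "2.4.1",
         "purl": "pkg:maven/org.example/example-logging-lib@2.4.1"},
        {"type": "library", "name": "restricted-component-placeholder", "version": "1.0.0",
         "purl": "pkg:npm/restricted-component-placeholder@1.0.0"},
        {"type": "library", "name": "example-json", "version": "3.1.0",
         "purl": "pkg:pypi/example-json@3.1.0",
         # CycloneDX allows a component to carry its own nested "components".
         "components": [
             {"type": "library", "name": "restricted-component-placeholder", "version": "0.9.0",
              "purl": "pkg:npm/restricted-component-placeholder@0.9.0"},
         ]},
    ],
})

# Placeholder restriction list; a real list would come from the regulator.
RESTRICTED_NAMES = {"restricted-component-placeholder"}


def iter_components(components):
    """Yield every component, descending into nested component lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_restricted(sbom_text, restricted=RESTRICTED_NAMES):
    """Return (name, version, purl) for each restricted component in the SBOM.

    Matching is by component name, case-insensitively. Raises ValueError if
    the document is not a CycloneDX SBOM, so a wrong-format file is not
    silently reported as clean.
    """
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    wanted = {n.lower() for n in restricted}
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        if comp.get("name", "").lower() in wanted:
            hits.append((comp["name"], comp.get("version"), comp.get("purl")))
    return hits


if __name__ == "__main__":
    for name, version, purl in find_restricted(SAMPLE_SBOM):
        print(f"restricted: {name} {version} ({purl})")
```

The walk is recursive on purpose: the nested copy at version 0.9.0 is exactly the kind of transitive dependency that an SBOM exposes and that a supplier must also replace to comply. An empty result only means the name was not found, not that the product is free of the functionality, so the same check should be run against rebuilt SBOMs after the replacement.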