
By aimee_chanthadavong, Contributing Writer

12 cybersecurity resolutions for 2025

Feature | 06 Jan 2025 | 9 mins

CISOs outline their goals for 2025, from leveraging AI for defense to ensuring swift recovery in the face of cyberattacks.

Image credit: PeopleImages.com - Yuri A / Shutterstock

As cyber threats continue to evolve, CISOs must prepare for an increasingly complex threat landscape. From dealing with AI-driven attacks to managing changing regulatory requirements, it’s clear that 2025 will be another big year for CISOs.

But staying ahead requires more than just implementing the next cutting-edge set of tools or technologies. It demands a shift in mindset — viewing cybersecurity not just as a technical function, but as a strategic enabler of business resilience.

To help you navigate the road ahead, here are 12 new year’s resolutions every cybersecurity leader should consider adopting.

1. Learn whether AI is relevant to your business

The rise of generative AI has been a game-changer for industries across the board, including cybersecurity, but not always for the better. Technology and cybersecurity researcher Erik J. Huffman warns: “With AI, we know it can be extremely helpful, but we’re all kind of holding our breath, wondering how it is going to be used against us. Anything that we’ve developed for good, the attackers are going to just take it and flip it on its head for bad. They’re just a lot more creative than we are on the good guy side.”

Huffman points out an early example of this is WormGPT, and how it’s making coding for threat actors easier. “It’s ChatGPT, but for malicious purposes. It’ll create ransomware for you. It’ll develop malicious code and vulnerabilities for you … it’s taken the job of coding for a threat actor and made it really easy, especially like non-native English speakers, non-native Chinese speakers, or non-native Italian speakers. You can now write a phishing email in whatever language you want, and it’ll read pretty decently.”

His advice for CISOs in the new year is to take the time to figure out if AI is suitable for their business. “Ask yourself, ‘Do you really need it?’ Don’t just follow the trend because everyone else is doing it, and don’t just deploy an AI solution in your organization because the CEO says, ‘Hey we need something AI in here’.”

2. Upskill on AI and learn how to use it for good

Still on the topic of AI, Chirag Joshi, founder and CISO of 7Rules Cyber, believes AI isn’t just a tool for attackers; it’s also a powerful ally for defenders. He points out how leveraging AI smartly can reduce both the cost and the duration of breaches.

“Awareness and training programs, and the human risk management aspect of AI has to evolve. If your training and awareness efforts are not accounting for these changes, that’s a gap,” he says. “Using it smartly could help defend and have a significant impact — both in terms of the cost of data breach and reducing the time it takes to respond to incidents and contain them. I think that needs to be factored into response and detection plans.”

Joshi also urges CISOs to explore AI’s potential in areas like risk assessments and policy guidance. “You don’t eliminate human oversight; it absolutely has to be there. But can you augment it and make it more effective?”

3. Lean in on identity-centric security

With malicious actors weaponizing AI and deepfake technologies, Avishai Avivi, CISO at SafeBreach, stresses the rising importance of identity-centric security to combat these threats.

“Realizing that malicious actors are leveraging the same technologies to enhance their capabilities, identity-centric security, and the risks presented by deepfake technology will mean an increased focus on security controls that can help identify, reduce, or neutralize these risks,” he says.

4. Step up non-human identity security

While securing human identities is a priority, it’s equally crucial to address the growing reliance on APIs and machine-to-machine communications, which bring their own set of risks, as Avivi highlights.

“The security of these machine-to-machine connections becomes increasingly critical and yet another risk category we need to consider,” he says.

5. Ensure security investments are proportional

As organizations grapple with evolving threats, Joshi highlights the importance of adopting a “reasonable and proportionate” approach to security investments. He points out how recent regulatory actions, such as those introduced in response to the Medibank and Optus breaches in Australia, have reinforced this point.

“What does it really mean to have a reasonable, indefensible security? The investments we make and the efforts we put in need to be timely. This is where boards are leaning in, because it’s not just core for them, it’s also a liability for CISOs,” he explains.

6. Obtain directors and officers liability insurance

CISOs must also consider personal protection measures. Wouter Veugelen, head of cybersecurity Australia and senior managing director of FTI Consulting, predicts there’ll be greater scrutiny of individual accountability for CISOs in 2025. As legal cases involving CISOs become more frequent, he believes it’s time for CISOs to consider taking out directors and officers liability insurance.

“There is an increased risk for someone taking on a CISO role, where they may be subject to the same scrutiny [as CEOs] in the future. Traditionally, CISOs are not included in organizations’ [insurance] package … so having this type of insurance would definitely be part of my list,” Veugelen says.

7. Stay ahead of cybersecurity legislation

On the topic of legal preparedness, David Hull, CISO at technology research and advisory firm ISG, emphasizes the importance of CISOs staying ahead of incoming cyber legislation. “There’s a ridiculous amount of legislation still to come,” he says, pointing out that newly introduced laws are not always the clearest.

However, he acknowledges one of the strengths of the cybersecurity sector lies in its close-knit community, which often comes together to untangle and understand new laws. “You see the community come together, with everyone asking the same questions, and together you figure out how to interpret it.”

8. Educate executives about the costs of data breaches

But it’s not just CISOs who need to pay attention. While many executives understand the immediate impacts of a data breach, the long-term costs often remain underappreciated. Veugelen points to cases stemming from breaches in 2022 that are still in court today.

“CISOs should continue to educate executives on the significance of all of these costs. As such, they should seek to optimize cybersecurity budgets for proactive cybersecurity defense as a means to reduce overall risk exposure and the likelihood of suffering such a big cybersecurity and data breach,” he says.

9. Speak the language of business

But as Joshi argues, one of the biggest challenges CISOs face is knowing how to translate technical risks into business terms. He highlights the role that CISOs need to play in helping the broader business bridge that gap.

“You really need to understand how the business makes money … you have to as a CISO, otherwise you’re disconnected from what’s happening,” Joshi says. “If you can’t talk with some level of competence or authority about the primary things on top of mind of C-suites in terms of expanding into new areas, new products, or new strategies … you won’t be having risk conversations. You really can’t do cyber risk without incorporating business risk.”

10. Collaborate with other parts of the organization

Gone are the days when cybersecurity operated in a silo. In 2025, effective cybersecurity will depend on long-lasting relationships with multiple business departments, from legal and procurement to marketing and operations.

“Make sure that cybersecurity goals are aligned with the business executives,” Veugelen warns. “I still often see cybersecurity seen as a broker source or a function that delays projects, but ultimately cybersecurity should be seen as a business enabler that helps deliver new digital innovations, but in a secure way.”

11. Tackle third-party risks head-on

Third-party vendors remain one of the weakest links in many organizations’ cybersecurity strategies, according to Joshi, who points to the CrowdStrike outage as a prime example. He advises CISOs to “think of a better way to manage supply chain risks, especially vendor risk assessments.”

“I think they need to get beyond these questionnaires and start to adopt some more leading practices, and a better way to do that is to actually collaborate,” he says. “Collaboration is not just getting together for roundtables; it’s also about focusing on having deeper conversations … [about] what does it mean for them, and actually contextualize and personalize that conversation.”

12. Put cyber recovery back at the top of the agenda

While not a new concept, recent cyberattacks have underscored the importance of prioritizing an organization’s ability to recover alongside its defense strategies. As Hull explains, “CISOs need to open their eyes a bit and say, ‘We probably need to do a bit better there and refocus our attention on recovery’.”

Huffman agrees, emphasizing that the speed of recovery is critical to retaining customers after an attack. “If it takes you two or three weeks to recover, you’re now an anomaly. The focus is shifting to whether you can recover within three days or a week. How prepared are you for a cyberattack? Can you recover within a socially acceptable amount of time?”