Securing the enterprise requires wide-ranging initiatives — with an eye on the bottom line. Here’s what IT security leaders are prioritizing today.

Security chief Andrew Obadiaru’s to-do list for the upcoming year will be familiar to CISOs everywhere: advance a zero-trust architecture in the organization; strengthen identity and access controls as part of that drive; increase monitoring of third-party risks; and expand the use of artificial intelligence in security operations.
“Nothing is particularly new — maybe AI is newer, and the pace at which it’s all going keeps increasing — but we need to do better at all of it in 2025,” says Obadiaru, CISO at Cobalt, which offers penetration testing as a service.
Obadiaru’s priorities mirror those listed by other CISOs on multiple reports, including Foundry’s recent Security Priorities Study, that show security leaders doubling down on security fundamentals while also layering in newer elements — namely AI.
Despite overall similarities in objectives among security leaders, CISOs are also prioritizing according to their organization’s unique needs: the maturity of their security posture, as well as their market position, industry, and other differentiating factors.
Leading-edge CISOs are also implementing additional accountability strategies to ensure their teams know the organization’s security priorities and that other executives and business leaders do their part to help secure the enterprise.
Accountability as a priority is essential if CISOs want to finish 2025 in a stronger position than when the year started, says David Chaddock, managing director for cybersecurity at digital services firm West Monroe.
“It’s hard for CISOs to do all these things on their priority lists if they don’t own the people and talent to [implement and maintain them],” he says. “So it’s all about driving those priorities by using a governance framework which forces everyone else to put in their piece of the pie to make sure those things get accomplished.”
Top 12 security priorities today
Foundry’s recent Security Priorities Study polled 870 IT security decision-makers and found that today’s top directives are dominated by longstanding themes.
At the top of the priority list for CISOs is strengthening their organization’s security posture to better protect confidential and sensitive data, with 40% designating it a top priority for 2025.
Rounding out the top 5 are: upgrading IT and data security to boost resiliency; securing cloud data and systems; enhancing security awareness through user training; and simplifying IT security infrastructure.
[Chart: top 12 security priorities. Source: Foundry / CSO]
Additional items on the top 12 priorities are perennial objectives for many security departments, including the need to enhance identity and access controls (26%), to improve threat intelligence (25%), to reduce security spending (20%), to streamline compliance and privacy efforts (19%), and to better leverage data for security purposes (19%).
Two big movers compared to the year prior were accelerating the use of AI to improve security effectiveness (25%), up to eighth overall from 12th in 2023, and improving management of third-party risks (23%) — two security issues that have grabbed more headlines of late.
Risk mitigation and management
The work happening in Obadiaru’s security department at Cobalt reflects most of those trending priorities.
As CISO for a company that has — like most organizations today — remote workers, Obadiaru has prioritized advancing a zero-trust environment. He sees zero trust as critical for mitigating security risk in a business that has employees, partners, and customers interacting with the company anywhere, anytime via digital channels.
This priority has Obadiaru’s security team reconfiguring pieces of the IT stack, tweaking the tech architecture, and implementing more authentication and access controls.
“The goal is to be in a very stable place with zero trust by the end of 2025,” Obadiaru adds.
He also wants to implement more AI capabilities for enhanced threat detection and monitoring, as well as more automation within the security function. To that end, Obadiaru is moving to an AI-powered security information and event management (SIEM) system.
And he plans to use AI for monitoring vendor risk. He says it will complement the security assessment vendors undergo when onboarded and will strengthen his third-party risk management practice.
“We want to be able to monitor and validate their security stances and know if their environment changes in a way that changes the risk,” he explains, adding that he uses security scorecards and benchmarking as part of this process. “We’re using it now, but not to the degree we should. We want to develop a process where we can take the information provided and use it over the course of the vendor’s contract.”
Additionally, Obadiaru is prioritizing work around regulatory compliance, work that includes renewing his company’s ISO 27000-01 certification this summer and ensuring his security organization keeps pace with all new regulatory and certification requirements.
The double-edged sword of AI
Adam Currie, global vice president and CISO for HCLSoftware, is also seeking to increase his organization’s use of AI to improve security effectiveness.
As part of this effort, Currie and team are focusing on better understanding how threat actors themselves are using AI — and studying how HCLSoftware’s internal use of AI could add risk.
It’s about “how do we leverage AI to protect ourselves from AI,” Currie says, highlighting the need for CISOs to train their teams to take on that challenge, in particular securing the data and models on which the company’s AI initiatives depend.
Likewise, Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO, highlights AI as a key CISO priority.
Knapton also sees the technology as a double-edged sword: It helps security teams “reduce friction and boost improvements” on the one hand but also “is bringing with it a lot of its own security concerns.”
To address AI, Knapton is crafting security policies for the use of AI and the data it requires and is putting in guardrails, procedures, and controls to enforce them.
“CISOs have to be very active in 2025 in defining how and when organizations should leverage AI while also protecting corporate IP and customer data, making sure we’re protecting all our nonpublic protected information,” says Knapton. “We all have to be cautious about what data we’re putting into the AI systems.”
Cloud security, compliance, and more
Brennan P. Baybeck, senior vice president and CISO for customer success services at Oracle and a board director with the IT governance association ISACA, is looking to use cloud-native capabilities to ensure “workloads are as secure as possible” — a move that Baybeck says will “cut back on the security infrastructure that needs to be managed.”
“We want to utilize as many of those native capabilities as possible as it reduces costs, simplifies security infrastructure, and cuts overhead,” he adds.
Another priority for Baybeck is enhancing identity and access controls — an objective that includes improving access governance, going to passwordless authentication, and beefing up API security.
Like many CISOs, HCLSoftware’s Currie is also keeping compliance top of mind. “We have hard and fast regulatory requirements we have to adhere to, so that’s baked into our top priorities,” he says, noting that compliance is “a business enabler for us.”
And all that needs to be undertaken with a close eye on the budget, Currie says.
“Operational efficiencies and cost efficiencies are high priorities for us,” he says.
Security maturity’s influence on priorities
Even with similar overarching goals, how CISOs go about executing their security agenda will vary based on multiple factors, says Steve Ross, director of cybersecurity for the Americas at S-RM, a global corporate intelligence and cybersecurity consultancy.
Ross says an organization’s security maturity level typically dictates the CISO’s priorities and plan of execution.
For example, those with a low level of security maturity typically focus on strengthening protection of confidential and sensitive data, Ross says, while also upgrading systems to boost corporate resiliency. Enhancing security awareness through end-user training, improving identity and access controls, and offloading responsibilities to MSSPs are other typical baseline priorities — all to be done while reducing spend.
Organizations with midlevel security maturity are more likely to be focused on streamlining compliance and privacy efforts, simplifying IT security infrastructure, improving management of third-party risks, and shortening incident response time, in addition to reducing spend, improving access control, and exploring MSSP options, Ross says.
Meanwhile, CISOs leading high-maturity organizations typically focus on improving their understanding of external threats and accelerating the use of AI to improve security effectiveness, Ross says. They’re also looking to do a better job leveraging data and analytics for security purposes, and they’re assuming responsibility for risks presented by both operational technology and IT systems. At the same time they continue to focus on doing better at the fundamentals, such as improving third-party risk management.
To be sure, Ross adds, some priorities — such as ensuring the ability to identify an attack and shorten response times — are universal. “Those are perennial priorities, because they’re critically important to the business and continuing operations,” he says.
Assigning accountability
There is, however, an emerging trend among top CISOs seeking to execute on their long list of perennial priorities, West Monroe’s Chaddock says.
The most effective CISOs recognize that they require cooperation, coordination, and compliance with security rules from everyone, he says. So they have put in place governance frameworks and performance-level agreements that drive accountability to the executives who oversee the people and work tied to each specific security objective.
That’s how they’ll successfully get through their priorities year after year, he says.
“It’s not all CISOs, but leading CISOs, who put more back on the other teams, not to wash their hands of it, but to put accountability where it belongs,” Chaddock explains. “It’s the only truly sustainable way to allow a CISO to secure the things they’re accountable for.”