In the article “2025 IT Security Predictions,” Grant Bourzikas, Chief Security Officer at Cloudflare, outlines key cybersecurity trends and challenges organizations will face in the coming years. As the digital landscape rapidly evolves, Bourzikas emphasizes the need for businesses to adapt their security strategies. He warns that continued reliance on vendor lock-in, the rise of disinformation affecting AI models, ineffective cybersecurity regulations, and the growing role of AI in business will shape the security landscape in 2025. Organizations must transform their security approach to stay ahead of these threats and leverage emerging technologies for innovation.
- Vendor lock-in is a crutch that will lead to increasing breaches in 2025 – organizations must start their security transformation journeys. The deeply rooted foothold that vendors have in organizations’ environments has become one of the main drivers of complexity. The bottom line is that complexity creates chaos, and chaos distracts from the real priorities when it comes to securing an organization. Being held hostage by a vendor, to a point where moving off of them seems impossible, is the moment they begin to help shift the balance of power back in favour of threat actors. The hyper-focus on “digital transformation” over the past few years – implementing a myriad of new tools and vendors across the organization to rapidly innovate – has left security in the dark. In 2025, we will feel the full weight of having fallen victim to the cycle: shiny new tools, Wall Street’s buy-in, rush to implement, repeat. We must now shift focus to “security transformation,” and begin to remove the tools and vendors that are causing complexity vs. furthering innovation.
- In 2025, disinformation will transcend the Internet and social media, and move to poison and taint AI models. Information sharing now happens an order of magnitude faster and more efficiently than ever before. And in the world of AI, data is the only currency, and organizations that have the most will win – but quantity doesn’t always equal quality. AI on its own will not solve the world’s most critical problems. The successful implementation and use of AI depends on data. But as disinformation continues to plague society, it will begin to trickle into AI models that are critical to making decisions – e.g., calculating goods needed to restock grocery store shelves, diagnosing sick patients or analyzing market trends to share financial risks with bankers.
- Broad-brush cyber regulations legislated with good intent will have a reverse effect in 2025 – creating complexity and having no real impact on stopping attacks. In the past few years we have witnessed a cadence of record-shattering, significant breaches that have drawn the eye of regulators. But while their attempts to raise the security resiliency of organizations are aimed to be helpful, they are often knee-jerk reactions that require unrealistic efforts. This is a complete misstep, with much of today’s regulatory efforts ineffective and not focused on the most critical aspects of security controls. Regulators still fail to recognize what will make the biggest difference in moving the needle towards immutable infrastructure.
- In 5-10 years there will only be two types of companies: Those that leveraged AI to innovate, and those that no longer exist. With this harsh reality, CISOs must figure out how to be an enabler of AI, not a blocker. But with AI still in its infancy, very few have a strong understanding of the technology or the risks it may present… leading to extremely low levels of confidence that their organization is well-prepared. The lack of understanding around AI is ultimately giving threat actors a leg up.
“While attempts to raise the security resiliency of organizations are aimed to be helpful, they are often knee-jerk reactions that require unrealistic efforts.”
Grant Bourzikas, CSO, Cloudflare
About the Author:
Grant is a seven-time CSO with over 20 years’ experience leading global security programs that span the private sector, having worked at a Fortune 500 critical infrastructure company, an online trading organization and within the gaming space. Most notably, Grant spent several years in the financial services industry at both HSBC and Silicon Valley Bank. Grant holds a Master’s in Data Science and Artificial Intelligence from Southern Methodist University, and a Bachelor of Science in Accounting from the University of Missouri in St. Louis. He is a CPA (Certified Public Accountant) and CISSP (Certified Information Systems Security Professional).