This guest article was contributed by Matt Hillary, CISO at Drata.
What should cybersecurity and compliance leaders expect in 2025? The short answer – and the one you'll likely encounter frequently within the "looking ahead" articles that proliferate around this time of year – is changes related to the way businesses secure and use AI.
But the longer answer is that 2025 is set to unleash a wide variety of changes – including but not limited to those associated with AI – with significant consequences for cybersecurity, compliance and risk management.
To prove the point, here's a look at seven trends or innovations to expect in the realm of Governance, Risk and Compliance (GRC) and cybersecurity in 2025.
AI-powered detection and response for security and compliance alerts
Businesses are increasingly adopting GRC tools (which complement already-in-place security detection and alerting solutions) that can automatically flag and alert on potential compliance control violations within their systems and processes. Doing so has notably helped GRC teams identify and fix problems faster and with less manual effort.
However, responding to all of these alerts can demand significant daily time and effort due to the need for human analysis in many cases.
This is why I expect 2025 to be a year where we see increased adoption of AI-backed capabilities to help manage alerts across the board – from security detection and response to compliance monitoring tool alerting. AI-backed tools and capabilities can do things like find and consolidate redundant alerts, help set alert priorities and summarize alert data in context. They can also recommend the ideal course of action for responding to risks, allowing teams to operate more effectively.
Expanding current compliance automation capabilities to accelerate ongoing continuous compliance operations
In general, many compliance automation solutions continue to focus on automating generally accepted best practices (like not configuring cloud storage resources to be accessible to anyone on the Internet), as well as on meeting the increasingly complex and rigorous standards and controls defined by regulations, control frameworks, and GRC standards.
However, regulations are growing in complexity and the necessary controls can vary from one context to the next. Commensurately, the compliance operational burden continues to increase on GRC teams. For that reason, I expect that businesses will continue to invest in GRC automation solutions that target, automate, and support ongoing compliance with these regulations, standards and framework requirements.
Increased audit frequency
Traditionally, audits have occurred once every year or two, a schedule that reflects the choices of standards-setting bodies. This level of frequency made collecting and analyzing audit data before and during audits more manageable, simply because audits didn't take place all that often.
However, organizations increasingly want more regular compliance assurance from their vendors. Some assurance reports are over a year old when used to verify compliance, which is less than ideal. I therefore foresee standards bodies considering increasing the frequency of assurance activities in some way to help provide more regular assurance on compliance. All of this will happen with the purpose of keeping the “freshness” of assurance alive for companies to make more informed risk-based decisions during third-party risk management activities.
As compliance automation technologies have advanced, conducting audits has become much more efficient – so much so that I believe we'll start seeing a trend toward more frequent assurance activities for even the leanest of GRC teams, allowing them to support more regular check-ins with their auditors. Some audits will still occur on an annual or less frequent basis, but don't be surprised if some audit cycles involve much more frequent reviews.
Demonstrating the ROI of cybersecurity
Traditionally, the rationale for investing in cybersecurity has boiled down to warnings by some of the most capable story-telling CISOs that bad things – like compliance fines and reputational harm – will result if breaches or other impactful security incidents occur.
Increasingly, however, business leaders want to know exactly how much value cybersecurity solutions offer, and how much they stand to lose if they underinvest in security. They'll also want to know which solutions they're paying for that aren't delivering a reasonable ROI.
To that end, expect to see a greater focus on quantifying the ROI of cybersecurity, privacy and GRC investments. For example, if you don't manage data privacy risks for a certain type of application, what will the fallout be – measured in specifically quantifiable terms, like Annualized Loss Expectancy (ALE)? Those are the types of questions I think businesses will want to answer in 2025 and beyond to ensure that investments at the tactical level match the strategy and risk appetite of the organization.
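As an added worked example (not part of the original article), the ALE arithmetic carried one step further into a return-on-security-investment comparison between candidate controls. The asset values, exposure factors, occurrence rates and control costs below are constructed figures, not numbers from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost of the control, in currency units
    aro_multiplier: float   # residual ARO as a fraction of the untreated ARO
    ef_multiplier: float    # residual exposure factor as a fraction of the untreated EF

def sle(risk: Risk) -> float:
    """Single Loss Expectancy: loss from one occurrence of the risk."""
    return risk.asset_value * risk.exposure_factor

def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy: SLE scaled by how often it happens per year."""
    return sle(risk) * risk.aro

def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control reduces frequency and/or impact."""
    return (risk.asset_value * risk.exposure_factor * control.ef_multiplier
            * risk.aro * control.aro_multiplier)

def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    avoided = ale(risk) - residual_ale(risk, control)
    return (avoided - control.annual_cost) / control.annual_cost

def rank_controls(risk: Risk, controls: list[Control]) -> list[Control]:
    """Order candidate controls from best to worst ROSI for a given risk."""
    return sorted(controls, key=lambda c: rosi(risk, c), reverse=True)

# Constructed scenario: a customer-data store exposed through misconfigured cloud storage.
PII_EXPOSURE = Risk("customer PII store exposed via public cloud storage", 2_000_000, 0.25, 0.2)
CANDIDATES = [
    Control("CSPM with auto-remediation", 40_000, aro_multiplier=0.1, ef_multiplier=1.0),
    Control("tokenization of stored PII", 60_000, aro_multiplier=1.0, ef_multiplier=0.4),
    Control("annual awareness training", 5_000, aro_multiplier=0.8, ef_multiplier=1.0),
]

if __name__ == "__main__":
    print(f"ALE before controls: {ale(PII_EXPOSURE):,.0f}")
    for c in rank_controls(PII_EXPOSURE, CANDIDATES):
        print(f"{c.name:32s} ROSI = {rosi(PII_EXPOSURE, c):.2f}")
```

Note that the ranking rewards cheap controls with modest effect; in practice ROSI is read alongside the absolute residual ALE, since a high ratio can still leave an unacceptable loss on the table.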
Advanced cybersecurity attacks grow more prevalent
The frequency of cybersecurity attacks has been steadily growing on a year-over-year basis for a number of years now, and I don't expect that to change in the near future (sadly). However, what will likely change in 2025 is the types of attacks that are successful. I am heartened by our collective ability to learn from weaknesses and improve over time. However, our adversaries continue to iterate and innovate their attack methods, which means companies will need to do the same for their defense techniques.
By now, the typical business has finally become adept at adhering to basic cybersecurity standards and best practices. As a result, threat actors are increasingly focusing on more novel means of attack.
But this means that, in 2025 and beyond, businesses that want to be as secure as possible must focus on identifying and blocking new and emerging threats, in addition to sticking with the basic best practices that are at the heart of guidance from organizations like OWASP and NIST. Many organizations continue to take advantage of capable tooling that allows them to get the most ROI on their security efforts – especially tools that provide the necessary context around identified vulnerabilities and misconfigurations, informed by the security research those security service and product vendors conduct.
Decreasing SOC costs (thanks to AI)
Staffing a Security Operations Center (SOC) function and provisioning it with capable tools has long been expensive. But AI aims to make the scaling of these teams more cost-effective by allowing security analysts to do more in less time.
Well-trained AI-backed tooling can further accelerate and automate many of the time-consuming processes that would otherwise require large and experienced SOC teams. In addition to capabilities like summarizing and managing alerts, AI can automate responses to security threats by, for example, automatically quarantining endpoints that security analytics tools deem likely to have been compromised until a human can confirm the detection is legitimate.
Similarly, many new and emerging technologies require additional knowledge and understanding. Well-trained LLMs are becoming increasingly capable of summarizing knowledge to the point of teaching SOC team members on the fly – making knowledge and skills more accessible than ever before. Although it remains important for humans to double-check the outputs of LLMs, these continue to improve to the point of providing more reliable guidance.
On balance, I should note that AI tools (or cybersecurity tools infused with AI features) will become another type of solution that SOCs need to purchase, increasing their software budgets. But when security teams use these tools effectively, they'll save money overall.
Cybersecurity tool consolidation
The types and categories of risks that cybersecurity teams need to manage today have become truly dizzying. As a result, many companies maintain a long list of point solutions designed to address the various risks. For example, to secure cloud environments, organizations now deploy a number of cloud security tools (which has become a bit of an alphabet soup of acronyms) including CSPM, CIEM, CNAPP and CASB solutions (to name only some of the "C" acronyms at the heart of modern cloud security).
I have a hard time envisioning the typical organization remaining willing to acquire and deploy each of these types of tools separately. That's why I expect that we'll see greater consolidation of cybersecurity point solutions into integrated platforms.
Conclusion: The future of GRC and cybersecurity
In short, expect GRC and cybersecurity innovations in 2025 to center on unlocking new efficiencies, thanks in part to more available AI-backed capabilities embedded in tools that support these teams. I’m heartened to see these innovations continue to iterate and grow to meet the increasing demands that these compliance and cybersecurity teams face, especially in the face of greater pressure to operate more efficiently and effectively while also contending with new types of challenges.