7 Top Cybersecurity Projects for Organizations in 2025

As 2025 begins, CISOs are confronted with the ongoing reality that the fight against cyber attackers is relentless. Strong, well-planned cybersecurity projects remain the best defense to stay ahead of attackers and prevent them from gaining the upper hand.

“Urgency is the mantra for 2025,” says Greg Sullivan, founding partner of cybersecurity services firm CIOSO Global. “It’s not a matter of if you will be breached; it’s the reality of when you will be breached.” Sullivan emphasizes that risk mitigation is crucial. “This can only be accomplished through goal setting and continuous improvement of the security posture.”

Here are the key cybersecurity projects every CISO should prioritize in 2025:

1. Secure AI Deployments and Related Data

AI has revolutionized entire industries over the past year. To thrive in 2025, organizations must prioritize securing AI systems and the data they process, according to Archana Ramamoorthy, senior director for regulated and trusted cloud at Google Cloud.

“Traditional security measures focus on data at rest and in transit, but the growing reliance on AI and the need for secure collaboration highlight the critical need to protect data in use,” she explains. “By focusing on secure AI initiatives, organizations can protect their most sensitive data and foster trust in AI models.”

As businesses embrace agentic AI—systems capable of performing complex tasks involving planning, research, content generation, and actions—robust security measures become even more essential. Organizations risk operational failures and major security incidents without securing AI and ensuring data accuracy.

To secure AI workloads effectively, security teams should first understand how AI is utilized within their organization, including the data and models driving business processes. “Next, assemble a cross-functional team to assess risks and develop a comprehensive security strategy,” Ramamoorthy advises. “Adopting a secure AI framework and following best practices ensures that AI models are secure by default.”

2. Adopt Third-Party Risk Management (TPRM)

Third-party risk management (TPRM) has become a fundamental cybersecurity approach, says Ben Saine, central consultant at technology research and advisory firm ISG. TPRM identifies, assesses, and mitigates risks related to outsourcing tasks to outside vendors or service providers. “The significance of TPRM cannot be overstated,” Saine notes. “Making it a beat need is fundamental to shielding your organization from dangers postured by third-party merchants and partners.”

An effective TPRM program improves security posture, reduces vulnerabilities, and gives proactive control over external risks. TPRM also ensures compliance with relevant regulations, helping organizations avoid fines and legal issues. “Compliance demonstrates credibility and reliability to clients and partners,” Saine adds.

By implementing a strong TPRM program, enterprises can maintain continuity and reduce downtime caused by external disruptions. “Operational resiliency and uninterrupted business operations depend on this approach,” Saine concludes.

3. Safeguard Data Used by Third-Party AI Tools

Third-party AI tools are transforming business operations. However, without robust data security measures, organizations risk exposing their most valuable assets to breaches and compliance failures, warns Dan Glass, CISO at NTT DATA North America. “As AI adoption grows, proactive data governance and security integration will determine whether organizations gain a competitive edge or face catastrophic risks,” he explains.

Glass recommends that IT leaders evaluate how third-party AI tools access and utilise enterprise data. “Focus on encryption, access controls, and monitoring to secure these workflows,” he advises.

4. Strengthen Compliance with a Unified Risk Management Strategy

CISOs bear significant responsibility when it comes to regulatory compliance. Michael Fanning, CISO at Splunk, stresses the importance of collaboration in this area. “CISOs often take a conservative approach to compliance, such as limiting where company data is stored,” he notes. “However, they shouldn’t manage compliance efforts alone.”

Fanning suggests that CISOs partner with CIOs and general counsels to develop unified risk management strategies and establish organizational priorities. “These partnerships should include monitoring regulatory changes, assessing impacts, and implementing necessary adjustments across the organization,” he explains.

Successful collaborations also involve joint investment strategies, infrastructure decisions, and vendor selections to ensure compliance. “Shared dashboards and reporting tools will help teams stay informed and respond quickly to governance challenges,” Fanning adds.

5. Establish Asset Visibility and Strong Cloud Governance

Comprehensive asset visibility and effective cloud governance remain core challenges for CISOs, says Jim Broome, CTO at cybersecurity services firm DirectDefense. “Many organizations struggle to locate all their assets and data and ensure they’re properly managed and protected,” he explains.

Broome advises focusing on asset discovery, inventory management, and a robust cloud security posture. “You can’t secure what you can’t identify,” he cautions. “Regardless of where your information resides—on-premises, in the cloud, or over different platforms—you’re eventually dependable for its security and compliance.”

He recommends starting with at least 70% visibility and gradually enhancing discovery processes, controls, and operational efficiencies. “The goal is to establish a continuous improvement cycle that leads to comprehensive oversight and a resilient security posture,” Broome concludes.

6. Commit to Trust-by-Design Methodologies

According to Vikram Kunchala, Deloitte’s US cyber solutions and platforms leader, organisations should embrace trust-by-design principles, particularly when developing AI-powered systems. Trust by design integrates security into every development phase, reducing risks and protecting critical assets.

“By embedding security early in development, trust by design enhances resilience, safeguards sensitive data, and ensures compliance with regulatory standards,” Kunchala explains. He emphasizes the importance of aligning security goals with enterprise objectives and obtaining stakeholder buy-in.

“Involve both security and development teams from initial design to deployment and maintenance,” Kunchala advises. Conducting thorough assessments of development processes helps identify vulnerabilities and prioritize remediation efforts.

7. Build an Integrated Cyber-Storage Foundation

Rather than treating storage as a passive repository, organizations should create advanced cyber-storage platforms with active security features, such as honeypots to detect and misdirect attackers, says Aron Brand, CTO at network security firm CTERA.

Brand advocates for using AI-based anomaly detection to identify threats early, employing immutability to protect backups from tampering, and implementing active disaster recovery to enable rapid restoration. “Reimagining storage in this way strengthens resilience against increasingly sophisticated threats,” he explains. “Investing in cyber-storage ensures data systems can defend themselves and recover effectively during attacks.”

Cyber-storage offers a self-defending, integrated system centered on data, addressing the demands of today’s security landscape. “It’s an essential addition to modern cybersecurity strategies,” Brand concludes.

Written by Hajra Naz