Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
Reflecting on this past year’s cyber breaches has been a shocking insight into how vulnerable our personal data is. It is (unfortunately) also a useful way for us to learn from what we see in the ‘rear-view mirror’, while anticipating what we might encounter as we look forward, into 2025.
As we do each year, the Huntsman Security Leadership team across the UK and Australia have come together to scrutinise the current technology landscape, review the incidents from the past year, and provide a barometer on what 2025 will bring from a cyber security perspective.
This year we find ourselves in a less certain position regarding the wider economic and political picture than usual.
The UK recently elected a new government – changing a 14-year-old government focused on removing regulations to one promising a new approach.
Across the Atlantic, the US has just navigated the November Presidential elections. The new US government and President will, of course, continue to influence global affairs including, cyber security and the adoption of AI. But it is too early to say whether the economic heft and promised business first approach of the US will truly change their familiar security perspective.
From a regulatory perspective, we see data and cyber security regulations maturing and moving at pace.
Technology is also leaping ahead, as Artificial Intelligence (AI) intertwines with operational technology and our expanding range of interconnected devices – the so-called “Internet of Things” (IoT). We’re seeing innovations and productivity improvements continuing to face scrutiny over concerns around how to manage dataflow.
2024 Data Breaches
AU – Personal data equivalent to around half of Australia’s population was disclosed in a data breach within MediSecure, a prescription service.
UK – The hospital system in the UK suffered mass disruption to over 10,000 patient appointments, and approximately 2,000 operations following a cyber-attack on an NHS provider.
US – A major US based data storage and processing company was hacked impacting their customer base, including AT&T who later announced that ‘nearly all’ of their 109 million wireless customers were compromised.
Mergers & acquisitions within the cyber security space have also been a hallmark of late 2023 and 2024, which will impact the coming years. This past year has seen three major Security Information and Event Management (SIEM) vendors change ownership – the impacts of which are yet to be realised.
Getting a better handle on third party risk remains a priority for effective cyber security management. Upstream supply chain participants have now, logically, expanded to include the resilience of the digital products and services that support the operations of our enterprises. Continuous Threat Exposure Management means organisations need to better protect themselves against assessed vulnerabilities; while recently introduced Secure-by-Design principles seek greater collaboration between the manufacturers and “consumers” of digital products and services.
Boards and technologists still contest on how risks are best managed, investments made and assurance achieved. We’re hearing of executives faced with increased cyber security overhead arguing it’s just another operational risk to be managed. At the same time, IT and security teams are wrestling with the increasing reliance by organisations on the resilience of their IT systems and the business operations they support. Nothing is surer – legislation, corporate governance and organisational resilience will converge.
Looking to 2025 and beyond, we anticipate the following five areas will have noteworthy impact on the cyber security landscape:
1. The growing adoption of threat exposure management in large and small organisations.
2. The disruption in the SIEM market leads to adjustments in cyber security strategy.
3. AI will introduce new issues for cyber security management.
4. The success of secure-by-design will depend on the approach taken.
5. An increasing focus on compliance, driven by regulatory change.
Cyber security risk management is currently shifting to become part of a broader governance function thanks to regulatory pressures, financial risks and stakeholder demands. With this development we anticipate that threat exposure management will bring change to the risk management practices of many organisations in 2025.
Although laws and regulations currently lean heavily towards rules-based security standards and frameworks, there’s a shift towards newer risk assessment models that automate the measurement of cyber resilience against best-practice guidelines. The benefit being that these data-driven processes provide more current and reliable measures of cyber resilience even when experienced cyber security resources are limited.
For some, a rules-based approach to cyber security management is seen as a blunt instrument to manage their particular risk requirements. They argue that a risk-based approach to prioritise and protect key business assets and data helps focus risk management resources on the relevant mitigations required to maintain their resilience.
THE BENEFITS OF RE-ASSESSING CYBER RISK
Some corporate consultants argue that once cyber security is embedded in the risk management framework of the enterprise, management efforts can become more risk-based and cost effective.
The benefit of regularly maintained frameworks and checklists, however, is that they remain current and informed of the latest threats and concerns. So, with a set of base-line controls and the latest information about the changing threat environment, organisations can optimise their selection of mitigation strategies to protect their resilience.
The fact that rules-based management techniques can become increasingly cumbersome with ongoing updates that may not be relevant for an organisation is obviously a resource allocation problem. An absence of recent threat information for organisations seeking to maintain their cyber resilience level is equally problematic. Especially when cyber security best practice forms the basis of most frameworks and standards.
Cyber security agencies have for some time recognised the requirement for different cyber security maturity levels across different enterprises, and so encouraged this “hybrid” cyber security risk management approach.
An organisation providing soap to the defence department obviously requires a different level of cyber maturity to one providing aircraft navigation systems. A hybrid risk management model delivers a base line level of established cyber hygiene, and focuses on specific assets to be particularly secured against adversaries.
RECOMMENDATIONS UNDER CTEM
Identify the vulnerabilities relating to important IT assets and systems, and then prioritise their importance before “mobilising” mitigation efforts to limit the risk of disruption from an anticipated threat.
The concept of CTEM has entered the cyber security lexicon. Not dissimilar to a risk-based cyber security management approach in many ways, the CTEM “process” articulated by analyst Gartner1, recommends that organisations methodically identify the vulnerabilities relating to their important IT assets and systems, and then prioritise their importance before “mobilising” mitigation efforts to limit the risk of disruption from an anticipated threat.
This shift towards the systematic identification and prioritisation of cyber security threat exposure data, to then guide appropriate mitigation strategies is logical and will continue to gain traction.
Gartner argues that by 20262, “organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach”.
As we head into 2025 CTEM will undoubtedly improve cyber security readiness, and while risk-based management practices are not new, the concept of continuous and systematic risk assessment certainly is one to apply within your organisation.
The disruptions we’ve observed in the SIEM marketplace following recent M&A activity seem as much about vendors consolidating product offerings and market share than addressing the necessary evolution of SIEM.
As cyber security becomes a key component of operational governance activities, 2025 will see SIEM solutions emerge as the data-driven threat intelligence platforms that support and inform the ongoing enterprise resilience efforts.
Traditional Security Information and Event Management (SIEM) solutions enjoyed widespread adoption around 20 years ago. Since then, they’ve evolved into Next-Gen SIEMs, incorporated user and entity behaviour analytics (UEBA), and most recently added better end-point visibility through Extended Detection and Response (XDR). SIEM technology continues to endure, with the next challenge being to deliver relevant cyber security information to inform operational risk management and regulatory obligations.
Data types and volumes have changed, so too has the complexity of the cyber security threat environment. Organisations are therefore demanding greater speed, accuracy and reliability of their threat detection, investigation and response solutions. This will require greater efficiency in the collection and analysis of SIEM data to, most importantly, generate relevant intelligence to proactively inform analyst efforts.
These processes are taking place at the Threat Detection, Investigation and Response (TDIR) and Exposure Management interface (See Prediction 1). SIEM technology is being redefined as a quantitative risk-based information platform to guide security workflows and streamline SOC operations to more reliably inform corporate resilience decisions.
Organisations are currently battling increasingly large volumes of telemetry data and under-resourced teams are being asked to anticipate, investigate and respond to increasingly sophisticated attacks. Operating in a hostile threat environment means protective monitoring and threat detection demands the reactive interrogation of more and more data in the search for context and root cause. It means continuously investigating unusual events, suspicious network activity or AI “assistance” in the absence of asset vulnerability information, for example, that might close the logic process. This will change.
What we see is new cloud and XDR providers entering the SIEM market with “cost effective” AI and cloud offerings to suit your cyber security resourcing needs. But the future requirements of cyber security risk management and its relevance to broader operational resilience remain unmet.
These machinations in the SIEM market probably don’t present an immediate concern for most day-to-day security operations. It should, however, prompt you to undertake a review of your cyber security strategy and technology needs going forward. Skill shortages and platform costs might encourage some buyers to turn to the convenience of cloud-based SIEM solutions. However, governments and regulators everywhere are highlighting the importance of cyber security resilience and its relevance to the broader operating resilience of enterprises. Now is not the time to outsource cyber security skills without considering how they will inform the ongoing resilience information needs of your organisation.
2025 will continue to see the transition of cyber security from a support function to a key role in operational risk management, and we anticipate that market forces will push SIEM vendors to meet these changing needs and obligations. This is good for customers as they navigate regulatory demands for higher fidelity SIEM security information to streamline their cyber security management practices.
Hands-on interrogation cycles and the endless testing of hunches by analysts to determine contextual hypotheses will change. Evidence-based observations from automated data-driven SIEM analyses will direct SIEM outcomes.
The consolidation of the market and the role of SIEM technology in informing corporate risk management activities are not in synch right now. As more critical national infrastructure organisations discover the true extent of their operational risk management and disclosure obligations, we expect that more organisations in 2025 will turn to data-driven SIEM information, and cyber security risk management practices, to better integrate their cyber security resilience and corporate governance obligations.
Although the conversations around AI are becoming more focused, its full application in cyber security is not yet clear. The risks associated with AI’s development and subsequent ownership are increasing as guardrails emerge. We believe some organisations will feel pressure in 2025 as outcomes fail to match promises.
In cyber security, the rising threat (imagined or real) of AI risks is multi-dimensional. An obvious risk is that information (authorised or otherwise) is supplied to AI systems for their training. This could result in sensitive personal or commercial data being unnecessarily exposed. There are examples where large companies have been accused of using 3rd party data for training purposes or failing to protect information that has been shared through AI applications. More recently, some car companies have admitted to the unauthorised collection and use of customer data.
On the more positive side, the concept of using AI (including machine learning techniques) to improve detection of cyber threats and malicious user activity is a much more reliable capability within security functions. We believe CTEM practices too, will assist in mitigating vulnerabilities and improve enterprise resilience.
The rise of AI threat-detection software is leading to the emergence of cyber governance issues. Already saturation of data and information is occurring as large volumes of “AI generated assistance” is being delivered to security teams to aid their review and management of ‘threat information’. But without verification, this data adds little to alert fidelity nor does it assist in alert investigation. It just adds more noise.
A recent report from the US Department of the Treasury on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector3 cautioned at the over-reliance on AI generated information for cyber security risk management; particularly, during these early stages of adoption. The ‘black box’ nature of AI features in some security products (while a reasonable competitive initiative) brings with it, unless you are familiar with the provenance of the AI engine and its data supply chain, the prospect of introducing unknown 3rd party risk into your cyber security operations.
AI can undoubtedly assist SOC operators in detecting, analysing and responding (TDIR activities) to cyber threats quickly even in large security environments. AI assistance variants are offered by a number of vendors but it is important to ask a few questions:
It is becoming increasingly challenging to accurately understand data flows and the use of AI solutions, thus inhibiting understanding and verification of those AI systems’ fidelity of insights and decision making.
– U.S. DEPARTMENT OF THE TREASURY
AI is employed in the generation of code snippets, scripts, tools and to give advice and support research. But understand that both cyber heroes and cyber villains have the same access to those sorts of facilities
The recent AI governance treaty4 on human rights and the rule of law, signed by the UK, US and EU, highlights the impacts AI technologies might have on society. And recently, a voluntary AI Safety Standard has been released by the Australian Government to guide the use of AI supply chains5. We expect that guidance and advice will continue to emerge in this rapidly developing field.
In 2025 we will see other regulatory developments to accompany the EU AI Act that will provide a comprehensive set of regulations on the development, deployment and operation of AI systems within the EU.
With recent “guardrail” announcements, the AI sector is likely to be more disciplined in 2025. We anticipate that cyber security stakeholders will seek greater transparency between AI “assistance” and the decision at hand. Certainly, adversaries will use AI to enhance phishing emails, find vulnerabilities and exploit code, while defenders will adopt threat exposure management and ultimately AI techniques to better detect and understand threat attack patterns and outcomes.
Now that the foundations of Secure-by-Design (SbD)6 have been released globally, we expect to see changes in the level of cyber resilience to be built-in to the manufacture of digital products (and services), and the products themselves. How this, and similar standards, are interpreted and applied across the cyber security industry will be important to watch in 2025.
SbD brings cyber security into focus with the intent to improve the governance of the design, development and ongoing secure management of technology products. It will be especially relevant to organisations that design, manufacture and consume such products.
As organisations adopt these new principles, we expect to see systematic Software Development Life Cycle (SDLC) frameworks more widely adopted and the oversight of quality processes shifting from a “nice to have” to a requirement. Additionally, we’ll see design and development environments being better protected and governance and assurance processes formalised.
The benefit of this will be the improved resilience of digital products and their operation. Again, the provenance of components, including software Bills of Materials, will assist in verification, quality assurance and secure ongoing performance7.
Hardening the in-built security of products that support the resilience of our organisations is a logical extension for 3rd party risk principles, to now include the digital “building blocks” from external vendors, to maintain our digital environments. Reducing the number of warnings issued by security agencies about vulnerabilities found in digital products may even reduce the need for the annual reminders to organisations8 that yet again older vulnerabilities continue to threaten their resilience.
The SbD foundations will undoubtedly uplift the quality and resilience of digital products in 2025. But the sheer diversity of products and their various SDLCs means adjustments may need to be made to accommodate the expectations of all parties to the development cycle.
The speed of cyber security product development and consumption, for example is rapid, even by technology standards. Skilled adversaries, fast moving threats, highly competitive PE-funded products, MVP development cycles and uneven skill levels all shape SDLCs. So for some products SDLCs will need refining to address both the dynamics of the sector and ultimately the need for more resilient digital products.
Industry estimates indicate that organisations continue to use an average of 45 security solutions across their enterprise; and most are regularly updated. Invariably these products are not all “stand-alone” but need to be integrated into more complex IT-ecosystems in order to function as designed. So whether their resilience can be managed ‘building block by building block’ or whether their performance is dependent upon a broader IT eco-system is part of the adoption of SbD that the industry will be watching in 2025.
On the 19th of July, 2024 worldwide outages and blue screens of death impacted millions of Windows users as a result of a manufacturing failure at a major security software vendor9. This risk demonstrates the need for SbD principles across the design, manufacture and testing of cyber security products and services. It also identifies the tensions in the sector where even skilled and well-resourced manufacturers have difficulty in balancing the needs of patch expediency to improve their products’ resilience and the manufacturing disciplines and quality assurance processes that can’t be compromised.
Secure-by-Design will bring in some big changes in 2025. Already software design and development activities are being hardened and manufacturing facilities and the processes within them. Recent events, however, have confirmed the priority of the task; but getting the right balance between the sometimes-competing priorities of digital product manufacturers and consumers will be tricky. Secure-by-Design uplift programs will be something to watch over 2025.
Technology has been outpacing its regulation for some time and based on recent developments in new cyber and related laws in the USA, Australia, UK, and EU, we believe we will start to see adoption and enforcement of these cyber legislations later in 2025, as the impact of IT asset and data breaches is felt at every layer of society.
Right now, the Australian Securities and Investments Commission (ASIC), has warned they will be bringing charges against directors who fail to show cyber risk preparedness10.
Governments are increasing pressure on organisations to improve their cyber security, privacy, and data governance. Asset and data protection regulations particularly for the critical infrastructure (CI) industries have been under discussion for some time with a number of new and upcoming regulations due to come into effect in 2025 (see Box).
Despite these initiatives the light-touch application of cyber security regulations in both the UK and Australia remains at odds with vocal advice provided by their regulators and security agencies. The new Australian Cyber Security Bill 202411, for example, clarifies details around ransom payments and operational risk management reporting, but the effect of those changes on the cyber resilience of the CI sector will remain unclear until risk management reporting is due in September 2025. Similarly, the much-discussed UK Cyber Security and Resilience Bill will only now, be legislated in 2025.
The new UK government has recently promised a significant increase in foreign investor-led economic growth. But, for governments everywhere finding long-term investors to grow their economies invariably involves trade-offs. If they continue to deliver the promised stability and positive regulatory environments, investors will continue to invest in economic expansion.
The difficulty occurs when the prospective investors come from industries where governments are seeking to improve regulatory controls. In the tech space, for example, governments are looking to advance data security practices and moderate social networks of the very same behemoths that are promising to invest. Managing the tension between investors and the government’s desire to better protect the equity of social and commercial transactions of its citizens will be an ongoing balancing act.
Regulations: Recent and upcoming
EU – Digital Operational Resilience Act – Jan 2025.
EU – NIS2 – Oct 2024.
AU – Security of Critical Infrastructure Act – conclusion of grace period for security framework implementation Aug 2024.
UK – FCA PS21/3 Operational Resilience – “transitional period” ends Mar 2025.
US – SEC Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies – Dec 2023.
Protecting their communities from what they see as the increasing erosion of their cyber security and data protection rights is leading governments everywhere to legislate for organisations to review their cyber security and data privacy operating models.
An appraisal of the operation of GDPR in Europe may well provide lessons to other regulators as to how legislation can be introduced for the benefit all stakeholders. In the meantime, elsewhere, the success of many of these legislative initiatives is yet to be realised. Maybe, upcoming court cases in Australia in 2025, will provide us with some legal clarity.
Big companies, will always push back on more regulation and with some now the economic power of mid-order nations12, governments will be severely challenged in balancing the welfare of their citizens with the promise of maintaining a wealth creating environment for those investor companies.
The behaviour of Big Tech and the ever-tightening of critical infrastructure, personal privacy rights, and data protection rules will create tension between existing corporate business models and legislative compliance.
Globally there appears to be an appetite for more level playing-fields across many areas of economic and social endeavour. We expect to see more tangible penalties for non-compliance with cyber security regulations in 2025, to better establish guardrails for all stakeholders.
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.