As the cybersecurity landscape continues to evolve, presenting increasingly complex and severe challenges, what critical insights do CISOs need to prepare for the year ahead? We hear from Max Vetter, VP of Cyber at Immersive Labs; Kev Breen, Senior Director of Threat Research at Immersive Labs and Dave Spencer, Director of Technical Product Management at Immersive Labs.
Max Vetter, VP of Cyber at Immersive Labs
GenAI will reduce (and drive up) cyber-risks – organisations need to be ready
We now have a clearer picture of how threat actors are utilising or could potentially leverage AI. At the same time, DevSecOps teams’ adoption of AI tools to automate and speed up vulnerability detection will help prevent exploitable code. I expect that with greater adoption of AI will come increased cyberthreats, and security teams need to remain nimble, confident and knowledgeable. In fact, AI upskilling is already required for many teams. Heading into the new year, security teams must continue to prioritise learning and analysing how attackers use and manipulate the technology so that they can better prepare for when attackers inevitably strike.
The cyber skills gap will expand to more senior roles
The cybersecurity workforce shortage reached a new high of approximately 4.8 million this past year. Not only is there a need for more junior-level talent, but we are also seeing more and more senior leaders depart organisations, leaving vacant hard-to-fill spots in the workforce. Skills-first hiring can make a difference, but addressing the talent shortage will require a co-ordinated global effort across both public and private sectors. Additionally, companies are likely to focus more on upskilling their current teams and individuals to bridge skills gaps.
Savvy leaders will increasingly ditch ineffective legacy cyber training
With analysts in agreement that traditional cyber awareness training is ineffective, I expect to see more leaders move away from costly, mind-numbing legacy training programs. Instead, there will be a need and desire for more effective hands-on exercising and drills that gives their workforce practice and builds confidence in their cyberskills.
Kev Breen, Senior Director of Threat Research at Immersive Labs
Securing operational technology will be non-negotiable
I don’t expect to necessarily see an evolution of threats, but rather an emphasis on effectively mitigating the already existing threats. There is typically more focus on physical security or operational efficiency, so many industrial employees lack the knowledge, skills and judgment needed to recognise phishing attempts or suspicious behavior, increasing the risk of threats, both intentional and unintentional. This is why education will be the key to preparing for cyberthreats.
Beyond the ‘AI hype train’, it’s the more overlooked threats that will unleash the most devastating impacts
We continue to see organisations suffering from massive ransomware and supply chain attacks year after year – and 2025 will be no different. It is no longer a question of if it will happen to an organisation, but rather when it will happen. This is why threat preparation and knowing how to respond when the time comes is so crucial. Although these may not seem as exciting or dangerous, they will continue to drive the vast majority of costly breaches.
Dave Spencer, Director of Technical Product Management at Immersive Labs
The current upward trend of zero-day exploits will continue to rise
There are a few reasons for this, but organisations actually have more control over this than they realise. Threat researchers receive limited kudos and incentives for discovering bugs. Meanwhile, companies have strict NDAs and pay less than third-party bug bounties. For these reasons, researchers are less willing to work closely with these companies, and the companies then lack the speed and agility to detect and resolve vulnerabilities before they are leveraged by attackers.
Cyber warfare will continue with the current state of wars and growing global tension
Nation state-led attackers have two things that no other type of threat actors have: unlimited time and unlimited budget. This means they more often than not have the resources and time to successfully gain access wherever they want. With this said, there are ways to combat cyberwarfare. Organisations in regions with conflict should understand the threats that impact them. They can do so by conducting regular threat hunts across their network using the latest threat intel feeds. They should also regularly update their telemetry with data enrichment based on their assets, use the most up-to-date techniques, and train their defensive team to be proactive, and well-drilled on the processes.
AI investments will continue, but demand will surge for skills where AI falls short
In 2025, skills in blockchain, SOAR, OT, and DevSecOps will likely be among the highest in demand, shaping hiring and workforce development priorities. If security leaders want to strengthen these areas, they have to make sure they are finding the people that are passionate about cyber, and giving them the tools and exercising they need to excel.
