Six Middle East cybersecurity predictions for 2025

Richard Seiersen, Chief Risk Technology Officer, Qualys, makes six predictions for the Middle East region for the year ahead.

Oceans of clouds, containers, endpoints, IoT devices, first- and third-party networks – for the modern Middle East security team, there is a lot to watch and a lot to do.

As 2025 dawns, the CISO must question the status quo and ask themselves how things need to change in the coming year. Is AI a risk that requires a new security strategy? Could it also be the answer to facing down a threat landscape that is scaling up in terms of both volume and stealth capabilities? Would AI play the role of traffic cop, analyst, auditor, advisor? And what of the human factor? Will AI replace security professionals or augment their efforts?

Below, I try to answer some of these questions and others with six predictions that I believe will shape regional cybersecurity in 2025.

Prediction 1: The increasing use of AI will not alter the basics of cybersecurity strategies

While several regional enterprises are looking for the next best AI solution in an effort to fight fire with fire, I am reminded of the famous Alphonse Karr quote, “The more things change, the more they stay the same.”

As such, a better question is, ‘What do businesses stand to lose (i.e. what is the value at risk) from AI abuse and misuse?’ And what portion of this risk can be addressed with current security capabilities? For example, is securing an AI agent from threats like spoofing, tampering, information disclosure, denial of service, or escalation of privileges actually novel?

Does it require new investments to build up a dedicated ‘AI’ security stack? Similarly, consider that AI models consist of open-source and first-party code deployed on premises, in the cloud, or both. Infrastructure, software-pipeline, and supply-chain security practices still apply. So again, the question is, do we really need a complete security rethink? 

My recommendation is that security teams proactively address these evolving threats by developing robust threat models and establishing guardrails – essentially, ‘secure by default’ solutions. Ultimately, the key challenge lies in balancing the desire for rapid digital transformation with the imperative of safeguarding enterprise assets against potential AI-related abuses.

Prediction 2: The ‘human factor’ will be key to guarding against the increase in hackers leveraging AI for offensive attacks

AI will enable bad actors to do what they have always done, but faster. Just like defenders, they will use AI to automate software development and expedite the analysis of reams of data to discover plausible vulnerabilities and select and execute exploits.

One critical area for improvement lies in addressing human vulnerabilities, often referred to as ‘layer 8’ in cybersecurity. Since humans are easily spoofed, it’s essential to implement stronger forms of multi-factor authentication and privileged access management. These measures can help mitigate risks associated with social engineering and wire fraud, which are likely to increase as attackers utilise AI for more sophisticated tactics.

Prediction 3: In the next five years, AI-driven cybersecurity will enhance operational efficiency for defenders, but the human element will remain crucial in interpreting data and making decisions

Over the next five years, we can expect significant improvements in operational and capital efficiency for defenders, as AI continues to automate routine tasks and streamline processes. This will free security practitioners to focus on more complex challenges, particularly those involving ‘irreducible uncertainty’ – situations where the risk cannot be fully understood through empirical data.

As the deterministic aspects of cybersecurity are automated, the role of experts will increasingly shift toward decision-making in uncertain scenarios. AI will aid in modeling these risks, but the effectiveness of these models will heavily depend on the expertise and assumptions of the security professionals using them. This means that while AI will enhance analytical capabilities, the human element will remain critical in interpreting data and making informed choices among plausible alternatives. Security professionals will continue to play a vital role in navigating complexities and uncertainties, underscoring the importance of their expertise in the evolving landscape of AI-driven cybersecurity.

Prediction 4: Automation and orchestration will grow in importance in 2025 to centralise risk telemetry across cloud, endpoints and IoT devices

Landing all your risk telemetry into one place will become common. Many organisations are already aggregating IT, OT and cloud-native risk data into security data lakes, including asset state and changes over time, along with threat and vulnerability intelligence. Note that telemetry consumption is not the same as risk measurement. At a minimum, assets must be normalised, and scores must be rationalised. From there, automation will enable organisations to measure operational efficiency in controlling attack surfaces and implement ‘policy-as-code’ using AI copilots. AI-driven tools will drive down risk in a manner that is both capital-efficient and operationally efficient.

Prediction 5: Cyber-risk quantification (CRQ) will be a core organisational practice for most CISOs in the next five years

Measuring risk is a core capability, not a product. As cybersecurity maturity grows, the integration of financial metrics with technical security data will become critical. The industry calls this ‘cyber-risk quantification’ (CRQ), but I call it cybersecurity risk management. You can’t extract quantitative measurement from the broader domain of cybersecurity risk management – they are one and the same. The good news is that the majority of CISOs will have CRQ capabilities in 2025 – in part or wholly integrated into their cybersecurity risk management programs.

Prediction 6: The relationship between CISOs, the C-suite and boards will evolve toward more strategic collaboration, driven by a focus on economic and operational efficiency

The CISO who focuses on economic and operational efficiency will be fast friends with business-focused leaders. The modern CISO will see risk management as minimising business impact without breaking the bank. It’s that simple in theory. In practice, the CISO must do this in a structured manner that is explainable to business stakeholders and executable by operators, which goes back to measurement as a career skill and core security capability.

Clear, measurable communication will be essential, allowing CISOs to translate complex security strategies into actionable insights for business leaders. In short, our relationship with business folks who are focused on winning will be improved to the extent we adopt the right concepts, objects and methods of measurement. This approach will foster stronger partnerships with the C-suite, enhancing decision-making and driving business outcomes, while managing cyber-risk effectively.

Resolution revolution

The transition to a new year is often punctuated by resolutions, which are invariably commitments to ‘do better’. CISOs’ resolutions for 2025 will involve cultural shifts in risk management and collaboration between security and other functions, from IT to the C-suite. To ‘do better’, security leaders must focus on business-oriented measures backed by data, and holistic solutions that help target resources where they can make the greatest impact.
