Jonathan Gill is CEO of Panaseer, a pioneering Continuous Controls Monitoring platform. He is a golfer, cyclist and keen photographer.
Technology predictions can often seem like reading tea leaves. But looking at 2025, I can guarantee two things. Companies will suffer cybersecurity breaches at an alarming rate. And most will have been preventable.
An in-depth survey into cyber breaches, security controls and the pressures CISOs face shows the cost of breaches keeps ballooning. U.S. businesses lose $30 billion per year from breaches caused by control failures—largely due to a lack of visibility into fast-evolving IT landscapes, or into the status of the multitude of cyber tools deployed to protect them. Understanding attack surfaces and security posture is simply too complicated against accelerating IT innovation, changing threat landscapes and evolving cyber tool offerings from thousands of vendors.
The interconnected nature of organizations’ technology and services, risks to critical national infrastructure and unpredictable global economic and geopolitical events mean regulators are raising the bar: insisting cyber comes firmly under business leaders’ microscopes.
In this evolution, CISOs can travel two paths. They risk being driven by these forces to become reactive, overwhelmed by growing complexity and drowning in disparate systems’ data. In this worst-case scenario, an inability to have visibility and take control of cybersecurity will steadily increase businesses’ vulnerability to preventable breaches.
On the other path, CISOs can harness existing data to build visibility and understanding of their security environment, enabling them to become more proactive—holding others accountable and enabling cyber to inform business decisions and increase its strategic impact.
The Fork In The Road
Cyber is becoming a vital strategic consideration for businesses, as regulatory bodies and regulations such as the SEC, DORA and NIS2 force organizations to pay close attention. Alongside this, technologies such as AI are contributing to a rapidly evolving threat landscape. And 2025 looks set to continue the unpredictable economic headwinds of the 2020s.
Against this background, CISOs are expected to deliver strategic counsel around risk so the business can make informed decisions and demonstrate that investment in security technology, people and processes is reducing risk as intended. It’s little surprise that CISOs bear ever-increasing responsibility for security failures, and 85% of security decision-makers already face greater scrutiny from the board.
This extra responsibility isn’t necessarily unfair—most CISOs think it’s perfectly justified, and many see an opportunity to ask for higher pay. Yet it still adds pressure. Seventy-two percent have taken out personal indemnity insurance to protect themselves from the consequences of security failures.
Visibility over and understanding of the security environment will be critical to meeting these challenges and determining CISOs’ path in 2025. With it, CISOs can understand risk posture; prioritize actions to improve that posture; and communicate effectively to deliver guidance, analysis and stakeholder engagement. This level of control will turn CISOs into enablers, helping businesses innovate faster and confidently adopt technologies such as AI.
Yet currently there is a split. Only 55% of security decision-makers are confident the data they present to senior management and the board is fully accurate, meaning full visibility and understanding are still out of reach for many.
The key is understanding what is “knowable” to a CISO (e.g., the IT and human estate, cyber controls coverage and those controls’ performance against the intended security policy). It might seem overwhelming, but all the data is there. Conversely, there will be “unknowns” such as questions from the board, regulatory expectations, customer and supply chain demands and the evolving threat landscape. These distinctions will be crucial to gaining control.
The Dark Path
Without visibility and understanding of their security environment, CISOs will find themselves overwhelmed by unknowns. They’ll have an incomplete understanding of risk, unable to confidently act to reduce it. In turn, they won’t have the tools to communicate effectively with the wider business.
The outcome is an organization that cannot make confident decisions. Communication, trust and collaboration will break down as the business loses sight of its security posture, making it harder to take effective action. These CISOs will be forced into a completely reactive posture, only able to respond to threats as they appear instead of increasing confidence by preempting them.
Regrettably, the likely result is an entirely preventable breach. Even if this doesn’t happen, CISOs will be much more susceptible to burnout, while organizations will miss opportunities because they don’t understand the risks involved. And if CISOs can’t hold others accountable, then the pressure and burden of responsibility will only increase.
The Light Path
At the opposite end of the scale, CISOs with the visibility and understanding they need will thrive, harnessing what is knowable to reduce risk from what is unknowable. Taking control of what is at their fingertips lets CISOs handle what’s less knowable or even unknowable—factors that might be outside a CISO’s circle of influence, but can still be managed. Knowing they have a fighting chance to meet the organization’s risk appetite can be hugely empowering.
Crucially, these CISOs will be able to identify risk and the most effective course of action to reduce it. The essential ingredient is a single, golden source of truthful data trusted by the CISO—and organization—to be comprehensive, up to date and accurate. This trust is essential in sharing data and insights on demand, translated into language the rest of the business understands: such as alignment with crown jewel services and assets. This increases understanding of risk, helping create a culture of accountability with cross-functional collaboration.
When all stakeholders see and believe in the same source of truthful data, and understand what it means for them, they will start to do what’s necessary to get what’s needed—in this case, a residual risk position that meets their intended risk appetite. The business becomes more proactive, both in addressing threats and reducing risk, and in its wider strategy.
It’s often said that great events can hinge on apparently small factors. In 2025, creating a single, golden source of truthful data could be one of the most impactful decisions a CISO makes.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.