Archive for Panaseer

Key Predictions for Cybersecurity in 2025 From Panaseer

Posted in Commentary on November 28, 2024 by itnerd

Here are some forward-looking predictions for cybersecurity in 2025 from Dr. Leila Powell, Head of Data at Panaseer. These insights highlight emerging trends that will shape the cybersecurity landscape in the coming year.

1. The Regulatory Sphere of Influence Will Expand in 2025

Leila predicts that in 2025, more organizations will face increased pressure to measure and demonstrate their security posture, especially as regulatory requirements expand. With new regulations like NIS2, which extends oversight to more sectors and businesses, companies will need to prove they have the necessary security controls in place to avoid penalties. This shift is expected to place significant pressure on organizations that haven’t yet developed trusted data to manage risk effectively.

2. Hybrid Roles Merging Cybersecurity and Data Analysis Will Surge

Demand for data scientists and data analysts in cybersecurity will skyrocket in 2025. As cyberattacks become more widespread, businesses of all sizes will need to understand their security posture. Leila forecasts a growing demand for hybrid roles that combine data analysis with cybersecurity expertise, with companies looking to hire in-house talent and vendors seeking professionals who can help them navigate the increasing complexity of the cybersecurity landscape.

3. GenAI’s Security Challenges Will Emerge in 2025

As AI and Large Language Models (LLMs) become more integrated into business operations, the focus in 2025 will shift from safe usage to securing these models and their underlying training data. Leila highlights how organizations building their own AI capabilities will face new attack vectors targeting the training data and the models themselves. Companies must begin securing these assets to protect sensitive data and prevent manipulation of their AI systems.

Panaseer Launches New Cybersecurity Controls Scorecard

Posted in Commentary on August 1, 2024 by itnerd

Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), today announced the launch of its new Cybersecurity Controls Scorecard. Available now for all existing and new customers, Panaseer’s Scorecard gives CISOs an ‘at-a-glance’ view of the coverage, effectiveness and performance of cybersecurity controls across business units, geographies and critical services – along with the control failures that contribute the most towards gaps in security.

The Scorecard abstracts cybersecurity complexity by aggregating and distilling validated truth data into a single metric. Armed with a simple percentage score, CISOs can better communicate risk to both regulators and internal stakeholders – with the confidence that the data is complete and trusted. This enables business owners, security teams and senior management to better understand their level of compliance with security control policies, make informed choices, and track progress over time.  

Key features include: 

  • Layered business context: The Scorecard layers risk scores with critical business context, such as breakdowns by business function, geography, or compliance regime, providing a deeper understanding of risk and control coverage to support informed decisions.  
  • Accountability heatmap: The Scorecard’s company-wide heatmap enables CISOs to drive accountability throughout their organization, showing which teams, business units or functions present the most risk. Leaderboards can be created to incentivize employees.  
  • Highly configurable: Self-serve capabilities enable customers to tailor the Scorecard metric to their individual business needs, either based on customer-specific codified policies and data-driven KPIs or by drawing from existing best-practice dashboards developed by Panaseer.
  • Actionable recommendations: Rather than simply showing where risk exists, the Scorecard gives details, such as accounts that need to be disabled or systems that urgently need patching, and remediation actions to enable organizations to actively reduce risk. 
  • Ability to track progress over time: To track controls performance for compliance, customers can take a snapshot-in-time view, allowing them to compare historical trends as far back as they’ve had the Panaseer platform deployed. 

Panaseer’s Cybersecurity Controls Scorecard is integrated into the Panaseer CCM platform, which collates and validates data from multiple sources – including systems with data about assets, people, accounts and applications – to gain a single source of truth on which the scores are calculated. This strong foundation of data science sets it apart from other solutions that rely on external data or incomplete surveys, sampling and attestation.  

This approach enables greater levels of transparency and tailoring; the methodology behind the scores is fully accessible and configurable. Users can take a deeper dive into the Scorecard data if required, breaking the score down by specific controls – such as the percentage of assets patched – to gain a granular view of control performance across the organization. 

For more information about the Cybersecurity Controls scorecard visit https://panaseer.com/platform/cybersecurity-controls-scorecard/.  

Pressure Mounts On CISOs With Reporting Set To Rise By Up To 20x As SEC Bares Teeth With Legal Action

Posted in Commentary on June 18, 2024 by itnerd

Panaseer, a leader in security posture management powered by Continuous Controls Monitoring (CCM), has released a blog analyzing the increased focus on cybersecurity posture in reports to the Securities and Exchange Commission (SEC). Panaseer warns this growth in reporting will place CISOs at real risk of legal action if their organizations’ statements do not match reality.

The Panaseer investigation into organizations’ annual 10-K filings reported to the SEC shows that, from January-May 2024, at least 1,327 filings mentioned ‘NIST’ (National Institute of Standards and Technology) – a key indicator that cybersecurity posture is present in a filing. This compares to just 110 during the same period of 2023 – a 12-fold increase – and 128 across the entire year. On current projections, Panaseer predicts up to 2,600 such filings across 2024 – a more than 20 times increase. 

This will put pressure on CISOs for two reasons: 

  1. The burden of additional cybersecurity reporting: December 2023’s new SEC rulings that incorporated cybersecurity risk into investor reporting mandated the inclusion of cybersecurity posture and processes in annual reports. Although CISOs won’t be directly responsible for compiling reports, they’ll need to work closely with the Enterprise Risk Management (ERM) team to ensure reports are accurate.
  2. The threat of legal action: Accurate reports demand a deep understanding of cybersecurity posture and risk exposure. Any discrepancies between reports and reality will be tantamount to lying to investors, leaving CISOs potentially facing charges. SolarWinds’s CISO, Timothy G. Brown, has already been charged by the SEC for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.  

The new regulation applies to listed enterprises, with two separate SEC reports that apply to cybersecurity:

  • A 10-K filing – a comprehensive annual report of critical information including financial performance. Now, organizations must detail their approach to cyber risk management, including cybersecurity strategy; board oversight; and management’s role in cyber governance.
  • An 8-K filing – a report announcing major events shareholders should know about. This now requires businesses to disclose “material cybersecurity incidents” – which are likely to impact investors – in a timely fashion. These must be reported within four days after the determination of materiality.

To satisfy the SEC, these filings need to accurately portray cybersecurity posture. The new rulings also reflect an ongoing shift in the CISO’s role. While not solely responsible for organizations’ risk posture, CISOs need to accurately portray risk posture and security processes to the ERM team and the board. CISOs need to understand and communicate their company’s cybersecurity practices clearly, with a data-driven approach that enables factual filings.

As such, Panaseer recommends that CISOs direct their focus towards ensuring that there is oversight and assurance over the security tools they have, verifying that those tools are working correctly across every asset.

To find out more about the SEC’s regulations and their impact on CISOs, visit Panaseer’s blog.