As organizations formally embrace AI in 2025, they are also tackling related cybersecurity challenges like shadow AI, inadvertent data exposure, and more sophisticated AI-driven threats. Additionally, security and risk management teams continue to deal with supply chain threats and fragmented compliance requirements that are only getting more complex with time.

The following article explores some cyber risk and GRC trends in 2025, also touching upon the evolving role of the CISO – from tactical firefighter to strategic leader.

From AI Tool Testing to Enterprise-Wide Adoption

2025 is the year of formal AI adoption across organizations. Security teams are moving beyond testing and refining to making official choices and deploying tools for measurable performance gains. According to Splunk’s 2025 CISO Report, 70 percent of CISOs say that AI is “appropriately hyped,” and 21 percent consider it “underhyped.” Thirty-eight percent believe that they are not adopting AI tools fast enough.

Shadow AI and AI-Use Policies

Over the past year, there has been a proliferation of Shadow AI apps – AI tools used by employees without the IT department’s knowledge. Formulating and implementing well-thought-through policies on AI use can help prevent the use of unvetted tools and inadvertent data exposure. At present, however, most organizations don’t have adequate processes in place even for sanctioned AI models, so Shadow AI isn’t at the top of the priority list – at least for under-resourced orgs. “While 66% of organizations expect AI to have the most significant impact on cybersecurity, only 37% report having processes in place to assess the security of AI tools before deployment.”

AI-Enabled Social Engineering Campaigns

Threat actors continue to use AI for more sophisticated social engineering campaigns that extend beyond phishing to the clever use of deepfakes and chatbots. Corporate fraud attempts have become harder to detect and, with a large percentage of the attack lifecycle being automated, can be easily scaled up for wider targeting. Greater digital literacy, user awareness and improved detection technology can help.

Cyber Risk and Business Outcomes

According to new research from Ernst & Young LLP, there is a growing acknowledgment of the connection between cyber risk and larger business outcomes. Eighty-four percent of business leaders say that their focus on cybersecurity has increased over the past three years, and 85 percent say it will continue to increase over the next year. EY research also shows a direct correlation between data breaches and share prices, with stock prices continuing to decline up to 90 days after an incident. The business impact of cyber incidents is now well established, leading to a change in attitudes towards the security function. That said, there continues to be a disconnect between cyber and business leaders when it comes to understanding threats and priorities.

CISOs and the C-suite: An Evolving Relationship

More than 80 percent of CISOs now interact directly with the CEO, and 84 percent of board members and senior-level executives report being satisfied with the CISO’s performance, saying they meet expectations. However, there is a disconnect in how the two sides measure the security function’s KPIs. While board members rate security ROI and compliance status as the top cybersecurity KPIs, CISOs consider reduced impact of cyber incidents and achievement of security milestones to be the key indicators of success. CISOs are also generally more worried about their organizations’ existing security state and incident preparedness than the business side is. Overall, boards look to their CISOs for “mature, strategic, proactive leadership and business enablement,” as opposed to just reactive measures after an incident occurs.

Concerns About Supply Chain Risk

The increasing complexity of software supply chains can prevent larger organizations from reaching their cyber resilience goals. While these organizations may themselves have a strong security infrastructure and smooth processes, limited visibility into supplier security and third-party software vulnerabilities can create weak links, giving attackers entry points into their networks. Over half of large organizations (54 percent) point to supply chain vulnerabilities as the biggest ecosystem cyber risk.

Inconsistent Compliance Needs Difficult to Navigate

While viewed as crucial for strengthening baseline cybersecurity and fostering trust, the growing number and inconsistency of regulations across regions and sectors present major compliance headaches. More than 76 percent of CISOs surveyed by the World Economic Forum view regulatory fragmentation across different jurisdictions as a major impediment to maintaining compliance. This is compounded by the difficulty of ensuring that third parties comply with the organization’s own information security requirements. The complexity of compliance can be tackled with automation, investment in the right GRC tools, mapping of overlapping requirements across regulations, and careful planning.

It’s challenging to keep up with emerging security trends and mitigate the risks introduced by AI, evolving threat vectors, and complex compliance mandates. Developing solid policies and processes and investing in the right platforms can make the journey smoother for cyber professionals.

CYRISMA is just such a platform. By combining multiple risk reduction and compliance tools in a single product, CYRISMA makes life a lot easier for security professionals. Discover and patch vulnerabilities, manage compliance with multiple regulations, find and protect sensitive data, monitor the dark web, and assess AI readiness – without the usual headaches associated with managing multiple tools.

Book a demo for a deep dive!