The end of one year and the start of the next is a good time to reflect on how the world has changed and the direction of travel so we can prepare accordingly.
Based on countless conversations I have had with business, IT, and cybersecurity leaders around the world, and drawing on the expertise of my colleagues across Zscaler, I have come up with four predictions covering the risk and threat landscape, the imperative for mass zero trust architecture adoption, technological change, and the role of executive management and the board, that I believe CEOs need to keep front-of-mind in the year ahead.
Changing Risk and Threat Landscapes
The changing risk and threat landscapes will challenge even the most experienced leaders.
Businesses are firmly in attackers’ crosshairs. Financially motivated cybercriminals conduct ransomware attacks with record-breaking ransoms being paid by companies seeking to avoid business interruption. Others, including nation-state hackers, infiltrate companies to steal intellectual property and trade secrets to gain commercial advantage over competitors. Further, we regularly see critical infrastructure being targeted by nation-state cyberattacks designed to act as sleeper cells that can be activated in times of heightened tension. Companies are on the back foot.
Geopolitical tensions are driving a surge in cyberattacks as nation-states weaponize technology to disrupt infrastructure and gather intelligence. Russia’s war in Ukraine, conflicts in the Middle East, and rising tensions between China and Taiwan mean the risk landscape is changing on a daily basis.
Leaders must be confident in their cyber posture: Are defenses up to the job of keeping attacks at bay? Does the leadership team have a complete understanding of the threats and risks the company faces? How can CEOs seize the initiative to get ahead of threats?
Adoption of Zero Trust Architectures
There will be mass adoption of Zero Trust architectures to improve cyber defense.
In 2025, businesses that don’t embrace true Zero Trust will find themselves increasingly vulnerable to breaches and ransomware attacks.
The outdated firewall-based castle-and-moat security model has repeatedly proven ineffective. Once attackers infiltrate a network, they can move laterally and wreak havoc. Zero-trust architecture is no longer just a buzzword—it is a necessity. By treating the Internet as an open network and verifying every user and device before granting access, organizations can significantly reduce their attack surface. Segmenting offices, branches, and factories immediately stops attackers from moving laterally across the network from a single compromised device to access the organization’s most sensitive data.
As Zero Trust disrupts obsolete firewall and VPN-based security, legacy vendors are deploying firewalls and VPNs as virtual machines in the cloud and calling it Zero Trust architecture. This is akin to DVD hardware vendors deploying DVD players in a data center and calling it Netflix!
It gives a false sense of security to customers. Organizations need to make sure they are really embracing Zero Trust architecture, which treats everyone as untrusted and ensures users connect to specific applications or services, rather than a corporate network.
As countless corporate victims of cybercrime will attest, prevention is better than a cure. That’s why 45% of the Fortune 500 choose Zscaler already.
The Strategic Shift in AI Usage
A strategic shift in AI usage is creating opportunities and risks.
We are witnessing a strategic shift in how businesses use artificial intelligence, particularly generative AI, which provides us with an incredible opportunity to do something that was previously impossible. By using AI and machine learning, companies can sift through mountains of data, identify anomalies, and detect threats faster. A service like Zscaler Breach Predictor is a great example of what is possible to turn the tide against attackers.
Unfortunately, the business world’s harnessing of AI for cyber defense has been slow compared to the speed of threat actors harnessing it for attacks. Companies are held back by inertia due to the discomfort of moving away from the firewall-based castle-and-moat defense strategy that has been the norm for the last 30 years. The biggest share of enterprise security spend remains on firewalls and VPNs. To overcome this inertia, the leadership team needs to play an active role in managing the change and ensuring new ideas aren’t blocked simply because things have always been done a certain way.
Failure to grasp the potential of AI leaves us at a big disadvantage. We know hackers are using publicly available GenAI tools, such as ChatGPT, to speed up the reconnaissance phase of attacks by identifying organizations’ attack surfaces—the public IPs hackers probe for weaknesses that allow them to break in—and create realistic phishing emails to steal employee credentials.
Hackers are exploiting AI now. Organizations must leverage Zero Trust and AI as the most effective response to stay one step ahead.
Leadership Roles
The importance of the CEO, CFO, and board in cyber risk management will continue to grow.
I believe the biggest risk every organization faces is cyber, and therefore, I expect we will see even greater involvement from leadership teams and boards of directors in the coming year.
CEOs must actively involve themselves in cybersecurity strategies, oversee the testing of cyber incident response plans, and understand how cyber risks can impact critical business functions. In parallel, CFOs must quantify and track enterprise cyber risk effectively if they are to argue for lower insurance premiums. Our Risk360 product helps customers do exactly that.
Cyber and technology risk oversight is a large and complex topic that continues to challenge boards, but I have been greatly encouraged by the progress boards are making. Dedicated cyber risk committees will become more common, and CIOs and CISOs will regularly brief the board. More and more directors with specialist cyber skills will be recruited onto boards. I am pleased to see an uptick in interest among directors in educating themselves on cyber risk. Our ebook for boards of directors is a great starting point to learn more about cyber risks.
