Boardroom Action Plan: Cybersecurity in 2025
12/11/2024
A new year is dawning, bringing challenges and opportunities for cybersecurity. Artificial intelligence (AI)-powered attacks, escalating geopolitical tensions, and increasingly sophisticated cybercrime will demand heightened vigilance from every organization in 2025.
As cybersecurity threats evolve, board members can lead the way by actively participating in and sponsoring security initiatives. This engagement is essential to build strong defenses and ensure the organization's future success.
Just as individuals assess their priorities and set goals for the year ahead, boards should also resolve to stay ahead of the curve. While many trends will continue from 2024, we are also seeing some new trends emerging. AI is moving beyond pilot programs into full-scale production, impacting both cyberattacks and defenders' strategies. The rollout of post-quantum cryptography, confidential computing, and advances in generative AI will continue to reshape security practices, while evolving regulations will demand a strong grasp of security controls implementation, including for third-party vendors.
Effective cybersecurity is the front line for protecting all aspects of a business, from its operational efficiency and financial assets to its customer relationships and brand reputation. Therefore, a strong understanding of cybersecurity is crucial across the organization, especially at the board level, to ensure appropriate risk management.
Cybersecurity Trends
According to the Cybersecurity Forecast 2025 report, the following are the key trends boards and corporate leaders should watch in the new year:
- AI-powered attacks: Cybercriminals are increasingly leveraging AI to launch more sophisticated and deceptive attacks, including hyperrealistic phishing scams, deepfakes, and rapidly evolving malware.
- Nation-state threats: Russia, China, Iran, and North Korea remain prominent threat actors, but their tactics and targets are constantly evolving. Geopolitical conflicts will continue to fuel cyber-risk activity and create a more complex threat landscape.
- Ransomware and extortion: Ransomware remains a significant threat, with attackers employing increasingly sophisticated tactics such as data theft and multifaceted extortion.
- Digital transformation: As organizations adopt new tools and technologies to fulfill their business strategies, security environments and controls (e.g., training and resources, change management, access and monitoring controls) should also evolve to effectively address related cybersecurity risks.
- Regulatory compliance: New regulations, including the updated Network and Information Security Directive across Europe, the Middle East, and Africa, place greater emphasis on cybersecurity risk management and incident reporting.
Putting Insights into Action
As technology evolves and risks become more complex, the relationship between business strategy, technology, and risk management will become even more critical in 2025. This collaborative approach to risk management starts with open discussions and a commitment to finding comprehensive solutions.
By actively engaging in dialogue with the C-suite and fellow board members, boards gain a more comprehensive understanding of their organizations’ vulnerabilities and can help develop more effective mitigation strategies. The following questions are a starting point for boards to take a deeper dive into their organizations’ technology strategies and risk postures:
- Technology modernization: Have we modernized our technology sufficiently to create a more defendable environment in 2025? How are we leveraging cloud computing, automation, and other advancements to enhance security and resilience?
- Security baseline: Have we implemented a robust baseline of security controls, including multifactor authentication, zero trust segmentation, and threat intelligence, that can be demonstrated to regulators? Can these controls be demonstrated by our critical third-party providers?
- AI risk management: As we integrate AI or other innovations into our operations, are we equipped to manage the unique risks they present? How are we addressing data privacy, algorithmic bias, and the potential for misuse?
Key Takeaways for Board Engagement
Cybersecurity is not a static destination but a continuous journey that will extend far beyond 2025. By fostering a culture of inquiry, challenging the status quo, and demanding measurable progress, boards can ensure that their organizations remain adaptable and resilient in the face of evolving threats. In this spirit of continuous improvement, boards can take the following actions:
- Understand the "why." Go beyond technical jargon and understand the rationale behind security decisions. How do these choices align with business objectives and risk appetite?
- Challenge assumptions. Don't accept "industry standard" as a sufficient answer. Encourage critical thinking and explore innovative approaches to security and risk mitigation.
- Demand metrics. Require measurable indicators to track the effectiveness of security controls and demonstrate progress toward a more secure environment.
This proactive approach will enable boards to navigate the evolving threat landscape and maximize the benefits of technology in the new year.
Google is a NACD partner, providing directors with critical and timely information and perspectives. Google is a financial supporter of the NACD.
David Homovich is a seasoned cybersecurity leader within Google Cloud's Office of the CISO, specializing in advising boards, chief information security officers, and C-suite executives on secure and compliant digital transformation strategies.
Alicja Cade is the global director of financial services in the Office of the CISO at Google Cloud.