Predictions 2025: Security And Risk Pros Will Brace For Regulations And Resilience


In 2024, regulators around the globe introduced a myriad of proposed cybersecurity- and privacy-focused policies and legislation to better manage the risks posed by emerging technologies such as generative AI (genAI), as well as those related to managing third-party relationships. Security and risk leaders sprinted to secure genAI, even as its use cases were still evolving; almost every industry experienced critical IT disruptions due to lack of resilience planning; and despite downplaying third-party risks, organizations globally saw an increase in software supply chain breaches.

With cybercrime expected to cost $12 trillion in 2025, regulators will take a more active role in protecting consumer data while organizations pivot to adopt more proactive security measures to limit material impacts. This year’s cybersecurity, risk, and privacy predictions from Forrester for 2025 reflect how organizations need to evolve to address these emerging risk domains. Here are three of those predictions:

  • CISOs will deprioritize genAI use by 10% due to lack of quantifiable value. According to Forrester’s 2024 data, 35% of global CISOs and CIOs consider exploring and deploying use cases for genAI to improve employee productivity as a top priority. The security product market has been quick to hype genAI’s expected productivity benefits, but a lack of practical outcomes is fostering disillusionment. The thought of an autonomous security operations center using genAI generated a lot of hype, but it couldn’t be further from reality. In 2025, the trend will continue, and security practitioners will sink deeper into disenchantment as challenges such as inadequate budgets and unrealized AI benefits reduce the number of security-focused genAI deployments.
  • Breach-related class-action costs will surpass regulatory fines by 50%. Breach-related spending is no longer limited to regulatory fines and remediation costs. Historically, cyber regulations have not gone far enough to protect customers and employees — causing these same people to pursue class-action lawsuits and seek damages. Class-action costs are enormous in data breach litigations. And with the percentage of companies facing class actions at a 13-year high, CISOs will be asked to contribute toward the company’s class-action defense fund in 2025, making costs from class actions greatly exceed fines imposed by regulators.
  • A Western government will bar specific third-party or open-source software. Software supply chain attacks are a top culprit for data breaches in organizations globally. Growing pressure from Western governments to require private companies to produce software bills of materials (SBOMs) has been a boon for software component transparency, but these SBOMs highlight the role of third-party and open-source software in the products that governments purchase. In 2025, a government armed with this information will restrict an open-source component on the grounds of national security. To comply, software suppliers will need to remove the offending component and replace the functionality.

Forrester clients can read the full Predictions 2025: Cybersecurity, Risk, And Privacy report to get more detail about these predictions as well as two additional predictions related to the EU AI Act and internet-of-things device security. You can also register for the upcoming client webinar.

If you aren’t a client, sign up here to receive our complimentary Predictions guide, which covers our top predictions for 2025, when it becomes available later this month. Get additional complimentary resources, including webinars, on the Predictions 2025 hub.
