Richard Sorosina, CTSO and VP Solution Architecture EMEA & APAC, Qualys:
Prediction: The drive for consolidating security capabilities will increase, with a view to leveraging unified security platforms.
“Consolidation of security capabilities has been on the agenda of many organisations for a while, and this will only continue to increase in 2025. And now, organisations are increasingly moving towards a unified platform approach that can provide both a centralised view of risk across the organisation, and mechanisms to remediate that risk when found. This has primarily been driven by a need to reduce complexity, increase operational efficiency, enhance detection and response capabilities, and reduce overall cost.
A unified platform is not a single solution that does everything but is one that provides a strong set of core capabilities, with a well-integrated partner ecosystem of additional capabilities that provide additional context. A well-integrated security platform that allows organizations to discover, prioritize and remediate critical business risk will serve to eliminate the challenges of complexity, inefficiency and increasing cost of ownership, while allowing businesses to focus on what matters most to them.”
Richard Seiersen, Chief Risk Tech Officer, Qualys:
Prediction: In the next five years, AI-driven cybersecurity will enhance operational efficiency for defenders, but the human element will remain crucial in interpreting data and making decisions.
“Over the next five years, we can expect significant improvements in operational and capital efficiency for defenders, as AI continues to automate routine tasks and streamline processes. This will free security practitioners to focus on more complex challenges, particularly those involving "irreducible uncertainty"—situations where the risk cannot be fully understood through empirical data.
As the deterministic aspects of cybersecurity are automated, the role of experts will increasingly shift toward decision-making in uncertain scenarios. AI will aid in modeling these risks, but the effectiveness of these models will heavily depend on the expertise and assumptions of the security professionals using them. This means that while AI will enhance analytical capabilities, the human element will remain critical in interpreting data and making informed choices among plausible alternatives. Security professionals will continue to play a vital role in navigating complexities and uncertainties, underscoring the importance of their expertise in the evolving landscape of AI-driven cybersecurity.”
Prediction: Cyber risk quantification (CRQ) will be a core organizational practice for most CISOs in the next five years
“Measuring risk is a core capability, not a product. As cybersecurity maturity grows, the integration of financial metrics with technical security data will become critical. The industry calls this "CRQ" but I call it cybersecurity risk management. You can't extract quantitative measurement from the broader domain of cybersecurity risk management – they are one and the same. The good news is that the majority of CISOs will have CRQ capabilities in 2025 – in part or wholly integrated into their cybersecurity risk management programs."
Ken Dunham, cyber threat director for Qualys Threat Research Unit:
Prediction: Nation-state cyberattacks, long-term cloud compromises, and data leakage risks will increase, making recovery from breaches harder
“Nation-state attacks and cloud-based compromises with extremely long dwell times will continue to emerge at an increasing rate with large scale impact as security catches up with post-Covid and digital transformation efforts from the last few years, where adversaries are increasingly able to maintain ‘stealth for survival’.
Beyond that, complex DevSecOps, API, and integrated cloud solutions will emerge as one of the leading threats as an attack vector for significant impact. We’re also going to see more accidental disclosure and insider threat risks for exfiltration, and challenges with preventing data leakage, due to how companies are still adopting technology without adequate security controls and architecture in place.
Recovery from incident and breach will become increasingly difficult and take longer for organisations as adversaries become efficient at destroying backups and other resiliency measures that are in place, in an attempt to improve extortion payouts.”
Mayuresh Dani, Manager, Security Research for Qualys Threat Research Unit (TRU):
Prediction: Securing Agentic AI will be yet another key exposure occurrence:
“Agentic AI, AI that can autonomously make decisions and take actions, will become more prevalent in organisations. This will require additional privileged access. Since this is still an emerging field, security and privacy professionals will need to upgrade themselves to secure agentic AI end-to-end and ensure data is AI ready.”
