Let’s Stop Kidding Ourselves: My Anti-Predictions for 2025

By Phil Dunkelberger

I’ve been making cybersecurity predictions for decades. Here’s what I’ve learned: we’ve been consistently wrong – not about things getting bad, but about just how bad they’d really get. Most of the predictions have been wrong by magnitude. It’s worse than we ever thought it could be.

So, let’s not sugar coat it. Let’s talk about some harsh realities we’ll face in 2025:

Government Infrastructure at the Breaking Point
Our government systems have reached a critical juncture. The 30-year-old PIV card and CAC systems are good places to start thinking differently about how we can improve the status quo. In 2025, there’s no more kicking this can down the road; modernization is critical as recognized in the recent executive order from former President Biden.

The Death of Passwords
SMS OTP is really bad. It’s been actively exploited by hackers for years, with countless examples of SMS harvesting across the internet. Antiquated security and people buying into those ideas is worse than no security at all. 2025 will be the year passkeys move from buzzword to baseline, not because we want them, but because we absolutely need them. The old authentication playbook isn’t just outdated – it’s dangerous.

The Breach Fatigue Crisis
The breaches are more egregious, they’re more damaging yet appear like the classified ads in the back of a newspaper now, if anybody remembers newspapers. We’ve become numb to it. The numbers don’t lie – breaches are up 30% from last year, but our collective will to address root causes diminishes. Information is currency, and we’re hemorrhaging it as we’ve seen for years in data breach cost studies.

The End of Manual Security
You can look at any major company now – their systems that give us efficiency and openness are great, but they come with massive risks. 2025 will be the year we finally admit that human-scale security is dead. The battle lines are being drawn between those who can automate security at scale and those who will become headlines for their lack of readiness.

The Stakes Have Never Been Higher
The whole point of these systems that we use every day for business or personal use – from banking to healthcare to the defense of the country – is that it is all part of our critical infrastructure now. All of those systems are built on these evolving electronic systems. Every compromised authentication system becomes a potential funding stream for hostile actors. The transformation from cybercrime to nation state tools – as many writers and pundits have been covering for years – has happened under the noses of those not paying attention.

I’ve been singing the same song for a lot of years. But, here’s what makes 2025 different: we’re not playing for table stakes anymore. These aren’t dumpster divers we’re defending against. The scams will continue, and they’re now on a pace and scale we’ve never experienced before.

One prediction I know that I can make with absolute certainty? If we don’t fundamentally change our approach, it’s going to get worse. And that’s not fear-mongering – that’s reality based on decades of watching the same patterns repeat with increasingly devastating consequences.

The question for 2025 isn’t whether we’ll see more breaches – we will. The question is whether we’ll finally do something about it.

2024 Security Industry Predictions: Consolidation, ROI, and the AI Hype Train

By Phil Dunkelberger

Why is the security industry still thriving, why do we have so many claiming to be the ultimate protector of your precious data? Maybe there is a reason why malware seems to be multiplying. In January 2020, just before the pandemic I was a guest speaker at CES, I talked about how in 2019 just over 8 billion devices connected to the internet. As of the end of 2023 that number has almost doubled to 15 billion devices. That is people and things connecting and accessing data – all of which need to be authenticated and protected. This is why phishing, malware and other bad actors make the security industry so necessary and important.

So, as we lean in into 2024, it’s time to see what might be in store for this ever-evolving realm of digital defense. Spoiler alert: it’s a mixed bag of consolidation, ROI pressure, AI hype, and regulatory crackdowns. While you may be looking for the silver bullet, there is no cure for constant vigilance training and awareness of security issues.

1. Further Consolidation? Groundbreaking!

We can’t avoid it, it is almost a constant now in our industry – consolidation. It’s like a never-ending game of cybersecurity Tetris, where the bigger players gobble up the smaller ones, and we all pretend to be surprised. What’s next? Well, expect even more consolidation (remember Symantec or McAfee), especially among companies dabbling in machine learning, AI, and encryption. First quarter of 2023 alone there were 10 announced consolidations! But what started out looking like a lot of activity, overall 2023 was actually a slow year for M&A in the security industry. 

You see, there are so many of them out there, all claiming to be the superheroes of security. But here’s the rub: they often have overlapping technologies, creating a cacophony of confusion for customers. So, it’s survival of the fittest, and the biggest fish in the cyber-pond will swallow up the minnows. Just remember, when your favorite cybersecurity startup disappears, it’s probably because they got gobbled up by a larger fish. Bon appétit!

2. ROI: Prove It or Move It

So when the M&A market is slow, as a company you need to focus more on proving ROI so you can garner customers – the pressure is on. Gone are the days when a snazzy logo and some jargon-filled marketing materials were enough to convince businesses to part with their precious dollars for cybersecurity solutions. In 2024, the name of the game is “Show me the money!” or more accurately, “Show me the ROI!”

It’s not enough for companies to claim they can save you from cyber-calamities; they’ll need to demonstrate real-world results. No more smoke and mirrors, folks. Cybersecurity providers will be under intense pressure to prove the effectiveness of their solutions. Fancy algorithms and buzzwords won’t cut it anymore. If they can’t show how they’re actually preventing breaches or mitigating threats, they might as well pack up their snake oil and hit the road.

There will also be the need to demonstrate ROI across more teams within your overall organization. Gone is the day that the CISO alone can make the decision. With so many projects in motion with companies and security needing to integrate into almost every application – the “Prove it and Show me” tour internally is a longer road.

3. AI and Machine Learning: Hype and Reality in a Three Sided Coin?

AI and machine learning, the darling buzzwords of the tech world. Every cybersecurity company wants you to believe that they’ve trained an army of sentient robots ready to defend your data. But hold your cyber-horses, because in 2024, the AI hype train might just run out of steam.

Sure, AI and ML have their place in cybersecurity, but they’re not the magical panaceas some claim them to be. Their effectiveness needs to be proven in real-world scenarios, not just in glossy brochures. So, while companies will continue to ride the AI wave, users should keep their skepticism shields up. After all, no algorithm can replace good old-fashioned human vigilance and common sense when it comes to staying secure.

Be forewarned – AI is a three sided coin. There absolutely is benefit in AI that both the attacker and defender need to learn how to take advantage of – but it is the one who learns best to take advantage of the “edge” – finds the margin – that will win using AI in the security world. 

4. Regulatory and Privacy Demands: Brace for Impact

Now, here’s the sobering part of our prediction party – on a global and regional basis. Brace yourselves for more regulatory and privacy demands in the cybersecurity landscape worldwide. Meeting regulatory requirements is no longer a broad checkbox item, it is regionally and vertically critical that security vendors address the regulations. As if navigating the labyrinth of cybersecurity compliance wasn’t already fun enough, we can expect even more rigorous standards and potentially more severe consequences for companies that fall short.

This too is not unlike the consolidation shifts we see every so often – this is a pendulum swing that follows the pace of new technology. We see AI burst onto the scene along comes regulation, some might call it a knee-jerk reaction but when you are dealing with personal identifiable information (PII) or corporate information – intellectual property (IP) – the road is complex. We have some examples that have helped along the way like PSD2, the FIDO standard and the recent introduction of passkeys. But there is a long way to go. Just as seatbelts (or airbags) didn’t stop people from being injured in car accidents.

With cyber-threats becoming more sophisticated and data breaches making headlines, governments and regulators need to be on top of the latest new technologies.. They want to ensure that companies take data protection seriously. So, don’t be surprised if you find yourself buried in a mountain of compliance paperwork and facing hefty fines for non-compliance. It’s the price we pay for playing in the digital sandbox, folks.

The security industry in 2024 promises to be a whirlwind of further consolidation, ROI scrutiny, AI skepticism, and regulatory headaches. As businesses and individuals rely more than ever on digital platforms, the pressure on the cybersecurity industry to deliver real, measurable results is mounting. While there may be challenges ahead, it’s all in the name of keeping our digital world safe. So, stay vigilant, demand proof, and keep your cybersecurity wits about you in this brave new era of digital defense.