
Forecast 2025: Process Consulting
Date: Jan 29, 2025
Author: Christoph Zajic
2024 brought some exciting developments in IT security: from the CRA coming into force to the CrowdStrike incident in summer. Now we are in 2025 and the question arises: What’s next? Of course, it’s impossible to answer this question completely - but our Practice Heads have dared to take a look into the crystal ball and give an outlook on what might be coming in the cybersecurity world in 2025.
Today in our interview: Christoph Zajic, Head of the Process Consulting team
The year 2024 may be over, but let’s take a brief look back. In your opinion, what were the biggest challenges for companies from the perspective of cyber security?
Christoph Zajic: One major challenge was certainly preparing for the multitude of regulatory requirements such as NIS 2, DORA and CRA. And the delay in the adoption of the NISG 2024 was clearly counterproductive. This made it difficult for those responsible for security and NIS2 projects to maintain internal pressure during the course and implementation of the project in order to ultimately ensure the necessary security.
We are at the beginning of 2025 - which cyber threats do you see as particularly dangerous or relevant for 2025?
Christoph Zajic: I think that the following three threats - which also need to be seen in context - will be of massive concern to us this year.
- Attack on the supply chain: third-party service providers must be held accountable and companies must ensure that their minimum security standards are contractually agreed and demonstrably adhered to.
- Deep fakes: In my awareness training courses, I use several examples to show how the quality of deep fakes has changed massively within the last 12 months. Sophisticated attack scenarios will follow the technological leap.
- Deep learning systems harbor both technical and social threats. The creation of malware, the deception of people through realistic-looking emails, fake news and social media manipulation will make it even more difficult to detect fraud.
How will the regulatory landscape in the area of cyber security change in the course of this year?
Christoph Zajic: The year starts in January with DORA, which has already demanded a lot from the companies concerned in the last 12 months. This will be followed in the middle of the year by NISG2024, whose implementation projects will pick up speed again in Q1/2025.
In addition to the mandatory operational topics, both aim in varying depth to ensure that ICT risk management is established, third-party risks are considered and processes for the detection, handling and monitoring of ICT-related incidents are established.
What role will artificial intelligence (AI) play in cyber security in 2025 – both as a tool for defense and as a threat?
Christoph Zajic: See question 2 “Which cyber threats do you see as particularly dangerous or relevant for 2025?”
Which developments in cyber security have surprised you the most in the last few years and what do you expect for 2025?
Christoph Zajic: I was surprised by the rapid development of AI and machine learning, on the one hand in attack but also reactively in defense. And the developments are certainly far from over.
I was also surprised that the faulty CrowdStrike update and the associated global IT collapse in air and rail traffic, in the healthcare sector and especially access to Microsoft services were forgotten so quickly. The paradox is that it was a faulty security solution that brought companies to their knees and revealed a global functional dependency.
What would you advise companies to do to be well prepared for the year 2025?
Christoph Zajic: Irrespective of whether a company is affected by NIS2 or not, I would recommend being able to present appropriate measures for the areas of action listed in Annex 3 of the parliamentary draft. In my view, addressing the points listed is part of proper corporate governance; top management must take responsibility.
What do you wish for in 2025 from the perspective of your area of expertise?
Christoph Zajic: The above-mentioned topics offer a broad field of activity. Recruiting cyber security talent will be a major challenge. For 2025, I hope that we can continue to expand our Process Consulting team with interesting personalities and talents, whether young or old.