Forecast 2025: Security Engineering
Date: Jan 14, 2025
Author: Michael Brunner
2024 brought some exciting developments in IT security: from the CRA coming into force to the CrowdStrike incident in summer. Now we are in 2025 and the question arises: What’s next? Of course, it’s impossible to answer this question completely - but our Practice Heads have dared to take a look into the crystal ball and give an outlook on what might be coming in the cybersecurity world in 2025.
Today in our interview: Michael Brunner, Head of the Security Engineering team
The year 2024 may be over, but let’s take a brief look back. In your opinion, what were the biggest challenges for companies from the perspective of cyber security?
Michael Brunner: Looking back, I can see that there is a lot of uncertainty regarding new EU regulations and their implementation. The deadlines of the EU’s NIS 2 Directive in particular and the unfortunately delayed transposition into national law - for example the NISG2024 in Austria, which has still not been adopted - have lost a lot of trust here. Especially among medium-sized companies.
As a result, I definitely see the risk that sensible and necessary improvements to cyber security will unfortunately be postponed again in many cases. Not least because of increasingly difficult financial conditions for entrepreneurs.
On the other hand, there is an increasingly dynamic threat landscape, new attack techniques and generally increased IT operating risks due to an ever-increasing dependence on IT systems and individual providers.
We are at the beginning of 2025 - which cyber threats do you see as particularly dangerous or relevant for 2025?
Michael Brunner: This is where I see the risks with regard to supply chains and, in particular, the threat situation in the area of software supply chains. We were actually very lucky in 2024 that the XZ Utils backdoor (CVE-2024-3094), for example, was discovered very quickly. What is particularly exciting in this case is how malicious actors have acted to infiltrate an open source project in order to introduce malicious code.
However, I do not want this to be taken as an argument against open source software. Rather, software manufacturers will have to pay greater attention in future to the third-party software components used in their own products - regardless of whether these are closed or open source.
How will the regulatory landscape in the area of cyber security change in the course of this year?
Michael Brunner: I assume that awareness of the European Cyber Resilience Act (CRA) will increase among manufacturers of networked digital products in 2025.
This has already come into force and requires initial security measures to be implemented by September 2026 and full implementation by the end of 2027. Among other things, the CRA calls for mandatory minimum cyber security standards for all networked hardware products and software: This includes, for example, Bluetooth-enabled children’s toys, desktop and mobile apps and smart kitchen appliances. Manufacturers of security solutions will also be affected - hopefully something like the CrowdStrike debacle won’t happen again.
Above all, I consider the demand for reporting obligations on the part of manufacturers to be an important step towards significantly increasing cyber security in Europe. From September 2026, all manufacturers will have to inform the respective market surveillance authorities and ENISA about actively exploited vulnerabilities in their products - within 24 hours. And it is essential that affected companies start building up the necessary skills and capabilities now, ideally by creating the technical, organizational and personnel framework for their own Product Incident Response Team (PSIRT).
What role will artificial intelligence (AI) play in cyber security in 2025 – both as a tool for defense and as a threat?
Michael Brunner: AI - especially GenAI - will play an increasingly important role in cyber security in the future.
These tools will continue to be used for attacks and it can be assumed that perpetrator groups will become increasingly professional in their use of these tools.
Cyber defense will be upgraded in terms of AI to the same extent and it can be assumed that we will have to prepare for a longer “trench warfare”. On the part of the defenders, I see adapted security awareness concepts as a particularly important instrument, as well as the ongoing further development of technical security measures by means of AI support and, increasingly, reactive measures.
Which developments in cyber security have surprised you the most in recent years and what do you expect for 2025?
Michael Brunner: Well, to be honest, few things really surprised me.
On the one hand, there is the cyber security strategy that the EU is now pursuing very stringently - 10 years ago I wasn’t quite sure whether it would be pursued in the same way.
On the other hand, there is the constant need to improve software quality and the security of software products. In this respect, I often get the impression that we as individuals and as a society have already capitulated to the effects of insecure and unstable software. It feels like the whole world is at a standstill because of an avoidable software error - and then it’s back to business-as-usual and no real work is being done to sustainably improve the overall situation. In this respect, I’m really hoping for the CRA …
Apart from that, there were a few surprises, but not directly in the area of cyber security. The rapid rise of AI tools was also somewhat unexpected for me. Of course, this has an impact on many areas. Ultimately, however, the use of these tools in cyber security didn’t really surprise me.
What would you advise companies to do to be well prepared for the year 2025?
Michael Brunner: Pursue the following resolution for 2025: Systematically survey your own cyber risks, understand them in the context of your own company and work with due vigor to improve them.
There is no such thing as 100% cyber security, but you can proactively manage your own information security risks before they blow up in your face, for example as part of a cyber attack.
What do you wish for in 2025 from the perspective of your area of expertise?
Michael Brunner: Above all, I would like to see increased awareness in the area of security engineering - especially for secure software development.
All too often, I see capable but overworked software developers who know in principle what needs to be done to develop secure software, but unfortunately are not given the necessary resources. This often leads to a vicious circle where insecure software is delivered, avoidable vulnerabilities are identified far too late (often only in production!) and affected software developers have to be pulled out of their current project to fix them. The associated overhead causes immense frustration for those affected.
And precisely because we as a society are dependent on high-quality and secure software, I would like to see a greater understanding of the effort behind secure software products. And also an open ear for software developers who demand appropriate framework conditions for this.