CISO predictions: What does 2025 hold for attack surface management (ASM)?

We’ve asked Outpost24’s CISO, Martin Jartelius, what 2025 is likely to hold for organizations using attack surface management (ASM) tools. Here’s what Martin had to say about what he predicts for ASM in 2025, as well as some thoughts on how the CISO’s role might change.

1. What’s going to happen in 2025 with attack surface management (ASM)?

Organizations are increasingly dependent on third parties, which means attack surfaces grow larger by the day. ASM is in all essence tackling the old issue that if we do not know what we own, use, or depend on, it’s very hard to keep it safe. It’s a mediator between something which helps you discover and learn about your organization, but also something that collates what you already know into one place, so it becomes manageable.

The transition from identification of assets to identification of risk to those assets (and the prioritization of addressing those risks) will be the primary area of increased maturity. This is also what most organizations are in desperate need of.

2. How will chatbots impact attack surfaces? What should be done to secure them? 

They’ll have an impact in a few ways: when they’re used wrong, when they’re not isolated from sensitive data, and when they’re not isolated from certain parts of a network. We need to learn from the mistakes of those that came before us – it’s naïve to think that new technology won’t be used in a careless manner. Having said that, I don’t predict huge amounts of incidents due to chatbots. They’ll likely be involved in some cases, some of them humorous, which will garner a lot of attention and be an embarrassment to those involved. But it’s unlikely to bleed on a large scale.

3. Will organizations get better at ASM?

There is a rise in options on the market, so it’s important to find one capable both of efficient discovery and of risk identification and risk prioritization. Risk priority should preferably be driven by data on real-world issues and incidents, so we as a collective learn from each other. The most important part is that organizations start to wake up to the realization that a lapse in ASM over the years has led to a somewhat degraded state of security in many systems. These systems by their nature then impact the security of entire organizations.

The primary pain point will still be mobilization. Taking the increased maturity in discovery and assessment of risk, many organizations will still struggle to prioritize the correct remediation steps. This will mean they won’t be as efficient as they could be in mitigation.

4. How will cybercriminals adapt or evolve their tactics? 

Adversaries, just as normal organizations, are increasing their specialization. This leads both to better quality tools and tactics amongst them, but also to the availability of a more complete suite of competent tools to less capable adversaries. Looking to the current political climate and learning from the transfer of prior government-sponsored groups’ tooling to a wider attacker audience, we should also consider the impact of other regional or global conflicts intensifying. If that happens, we should expect further transfer of such competent tools to the hands of regular criminals, and the use of them on a wider scale against regular organizations.

5. Which other technologies will become more relevant to ASM? 

Red teaming (where you gather threat intelligence applicable to your organization and apply this to the scenarios enacted by the red team) could be used in tandem with ASM. Now, ASM has always been relevant to red teaming, as it starts with the recon phase. As defenders and attackers get increasingly potent discovery tools available to them, so will red teams. Vulnerability management should also be tightly integrated with attack surface discovery, as should the transposition of relevant threat intelligence onto the results.

6. What challenges do you expect CISOs to be facing in 2025?

The CISO role is constantly evolving, so new challenges are to be expected. For example, the NIS2 directives and their focus on third-party vendors and supply chains will push a flood of paperwork onto the CISO teams’ desks. Dealing with this increased need both for managing third parties in a much more structured fashion and for being able to respond to an increased inflow of requests for such data will lead to increased automation, but also to focus on this risk domain. This will mean the CISO is engaging with the partner, customer, and vendor lines more directly.

CISOs who are business enablers, working closely with their teams to ensure that they embrace change, but in a secure and structured manner, will also have room to greatly influence the security of their organizations. The age of the nay-sayer has come and gone for many, but it also places demands for a more business-oriented mindset than the role traditionally entailed.

7. Will security budgets increase, decrease, or remain static in 2025?

This is always hard to predict. Spending on security has been increasing over time, but this will follow the overall economy. While security is an enabler for continued operations, it’s often via a risk reduction. The higher the level of security an organization maintains, the more it costs to increase it in relative impact. This means that when budgets are strained, security spend on components not tied to increased productivity or with higher complexity is the first to go, while security closer to users or production tends to stay. If your security solutions don’t aid productivity or make your security team more efficient, they’re likely to be the first to go.

Yes, the last few years of increased focus on destabilization, including both government and private organizations, mean that the probability of incidents impacting organizations’ ability to function has increased, and therefore we must work to reduce the impact of such events to maintain a risk balance.

Interested in getting started with Attack Surface Management or getting more out of your current strategy? Speak to an Outpost24 expert.

About the Author

Marcus White, Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.