AI will make ransomware even more dangerous

Ransomware is the top predicted threat for 2025, which is especially concerning given 38% of security professionals say ransomware will become even more dangerous when powered by AI, according to Ivanti.

In comparison to the threat level, only 29% of security professionals say they are very prepared for ransomware attacks – leaving a significant gap in preparedness (29%), highlighting the need for more robust security measures.

Strong understanding of exposure management among security leaders

A more sophisticated and adaptable approach to cybersecurity is necessary, one that takes into account the trade-offs between business risk and reward, rather than solely focusing on absolute protection. Exposure management offers a more effective solution for managing and mitigating risk in this complex environment.

Ivanti’s research shows that the concept of exposure management is well understood; for example, 49% of security professionals say their company leaders possess a high level of understanding for exposure management. Yet, organizations are not taking steps to embrace the practice; just 22% say they are increasing investments in exposure management in 2025.

Most organizations continue to operate business-as-usual when it comes to breaking down data and organizational silos. 88% of security professionals report significant data blind spots — areas with insufficient data to make informed security decisions — such as shadow IT, patch compliance, vendor risk-management information and dependency mapping.

44% say they struggle to manage security risks due to a challenging security/IT relationship. 40% say IT and security teams use diverging tools for the same activities.

52% of security professionals rate API and software vulnerabilities as high to critical threats, yet many organisations lack visibility into these risks.

“Business leaders are now having to get used to considering the impact that cyber risk has on broader business risk. Exposure management is a tool to help organizations evaluate vulnerabilities and risks across a range of objectives – including business goals – to deliberately balance security and operations,” said Daniel Spicer, Chief Security Officer at Ivanti. “However, for exposure management to be successful, organizations should ensure collaboration between security and other departments, conduct risk assessments that align with the organization’s risk appetite, and prioritize mitigation of the most impactful vulnerabilities.”

Tackling tech debt concerns

Even though 83% of security teams claim to have a documented framework for identifying risk tolerance, 51% of these individuals state that their current framework is not closely followed, rendering it nearly as ineffective as not having a framework at all.

Among security and leadership professionals, 1 in 3 say tech debt is a serious concern, which compromises security posture and hampers growth and innovation.

For instance, 37% say they can’t uphold basic security practices, and 43% say their systems are more susceptible to security breaches due to accumulated tech debt. Among those who name tech debt an “extremely serious” concern within their organization, 71% report slowed growth. And 43% say tech debt slows innovation.

Organizations are increasingly looking to their CISOs for strategic business advice, including guidance about AI adoption and managing supply chain risk. And boards are becoming increasingly involved.

The research shows cybersecurity is already a topic at the board level. 89% say cyber risk is discussed at the board level, and 88% say CISOs are invited to high-level strategic meetings about business decision making, organizational planning, etc.

And yet, many CISOs operate with a primary focus on downtime risk rather than seeing the bigger picture.