Trends for 2025 – The four headlines
Season's greetings
December is the time to start looking forward to the next year. Among the predictions being made, one is always a good start: the major mishaps of this year determine the major trends for the next. Here are four candidates: AI, supply chain, hacker collectives and cyber skills shortage.
AI
Artificial Intelligence has been the talk of the year, again. It promises to change life for both defenders and victims. The defenders will get new and incredibly cool tools to combat hackers, while the victims will see increased sophistication of attacks, with deepfake bosses collecting the gold.
Truth is, security always comes late to the party, and, as it is not yet clear in most cases where the AI party will be, security is just getting ready to come into action.
Security is used to working with tools that produce false positives and false negatives, yet dealing with unpredictable behavior is new. The AI position "trust me, I know what I am doing" is not helping.
There is a common concern about AI systems being contaminated during model building, about tampering with the model, and about bypassing restrictions. Controlling these aspects is fundamental to start building trust in AI systems, but it is not enough.
Supply chain
We got a couple of events that shook the (security) world. In 2025 there will be a trend based on the "CrowdStrike effect", the "exploding devices" magnifier, and the "broken cable/pipeline mystery". Issues like these bring the point home that supply chain (security) matters. The three events are of a different nature, yet there are still more instances of the same problem.
The trend might be to focus just on the "CrowdStrike" case, and not open our eyes to the other threats. Check what matters to your organization.
Hacker "collectives"
Ransomware attacks
For years, security researchers have tracked hacker groups. They study their methods, their targets, their locations and potential links with nation-states. Given that "getting rich fast" was the prime objective, cash flows were important to understand and stop.
The money printing machine, or rather the bitcoin pillage, fed by ransomware attacks, is a big deal with continued strong growth. The more money they get, the more professional and complex their attacks are bound to become.
Prevention, detection and recovery from such attacks must be on your wish list.
Geopolitics
For a number of years, nation-states have been building cyber armies, with a separate cyber force next to army, air force, and navy.
Events like interference with commercial airplane navigation and denial of service on government institutions during elections shed light on these capabilities, and uncover a link with what was believed to be "just" organized crime.
The security officers of critical national infrastructure organizations found themselves on the front line. Others may not yet realize they are next.
Cyber skills shortage
The challenges for security require skilled people, lots of them. There aren't enough security professionals, and it looks like the situation is not really improving. The wide variations in profiles and skills would suggest almost any person could find a job in security. Maybe we should not oblige them to wear hoodies, the movies' idea of the profession.
The disparity between different genders working in security is too big. Initiatives to bring more balance (by increasing the lower numbers) are very welcome.
Security should not just be an option in a curriculum; it merits its own spot. Make sure you cover all aspects, not just hacking and network security.