Eight Cyber Resilience Priorities for 2025
A version of this article was published previously on VMBlog
Organizations need to adopt a range of capabilities to remain competitive and secure in the evolving landscape of cyber resilience. For 2025, organizations should prioritize these eight cyber resilience trends — or risk being left behind in an increasingly complex and volatile cyber landscape.
1. Cyber Resilience Takes Shape
The term “cyber resilience” remains undefined in much of government and industry guidance, although it is frequently referenced. Too often, marketing buzzwords co-opt the term to refer to traditional cybersecurity measures, reducing its meaning to little more than bolstered defenses.
However, a more robust definition of cyber resilience is emerging, driven by thought leaders, business executives, and regulatory bodies. It refers to an organization’s ability to ensure “cyber survivability”—the capacity to minimize damage and quickly recover from a cyber event or outage.
This definition goes beyond merely hardening defenses; it also stresses the need for IT agility. Organizations need to pivot and transform their IT environments rapidly, allowing them to execute business objectives while simultaneously protecting themselves from threats.
This transformation requires automated, evidence-driven solutions that identify exactly where and how essential business functions operate within their IT ecosystems. These systems must provide real-time visibility into critical workflows, giving organizations the tools to respond to disruptions as they happen, and limiting the potential impact on operations.
By the end of 2025, organizations must have a solution in place that automatically identifies how to recover the critical functions of the business from a total failure, providing a step-by-step recovery plan based on the last known working state.
2. Operational Technology as the Focal Point of Attack Surface
As Gartner noted when it retired its Market Guide for Operational Technology Security, the attack surface is expanding as operational systems (OT/IIoT/IoT) become more interconnected with traditional IT.
Recent cyberattacks targeting OT environments—such as the Colonial Pipeline ransomware attack in 2021—highlight the increasing focus of cyber adversaries on critical infrastructure. But even organizations that aren’t “critical infrastructure” are at risk from attackers that can penetrate networks through insecure operational systems.
From legacy industrial control systems, to medical devices, to “smart building” technology, to physical security devices like cameras and turnstiles, any organization that is not 100% online has operational technology that creates significant risks. In some cases, this is due to lack of cybersecurity controls in historically air-gapped systems, while in others it’s due to improper implementation and/or oversight of network-connected devices.
Implementing security controls for individual systems is not sufficient. Organizations need to fully understand what operational technology they have, and whether and how those systems are connected within the network environment that powers their critical business functions.
By the end of 2025, businesses should have a complete, automated map of their compute infrastructure. This map should show critical assets and systems and highlight weak points where security measures need to be strengthened to avoid catastrophic failures.
3. Shift Away from Emphasis on Cybersecurity Endpoint Solutions
For years, the cybersecurity industry has shifted back and forth between focusing on network-based defenses and endpoint protection. The recent CrowdStrike outage has once again prompted a reevaluation of endpoint-focused solutions, with organizations changing their focus to addressing sophisticated, large-scale attacks.
The next wave of cybersecurity will likely emphasize solutions focused on attack surface management and on using AI to detect patterns, anomalies and threats within organizations’ networks. Many of these solutions are cloud-based and focus on organizations’ adoption of cloud environments.
While this reaction is understandable, it will create a gap of visibility in hybrid enterprise environments. Additionally, as organizations look to use AI-powered automation to support their security workflows, they will need to ensure that the AI systems have robust real-time data to act on – data that shows the truth of how their complex infrastructure actually functions.
By the end of 2025, organizations must implement solutions that provide insights into the complete compute infrastructure that powers their business functions and also deliver the rich, real-time data needed to fuel AI-based cybersecurity systems, enabling faster and more accurate threat detection and response.
4. Post-Quantum Readiness
The impending arrival of quantum computing poses a significant threat to current cryptographic methods. The U.S. National Institute of Standards and Technology (NIST) has warned that quantum computers could eventually break many of the encryption algorithms in use today, threatening the privacy and security of sensitive data. Government agencies are already urging businesses to prepare for the quantum future, advising them to evaluate their current cryptographic methods and develop post-quantum cryptographic strategies to protect critical data pathways.
Post-quantum readiness involves more than just adopting new encryption algorithms; it requires a comprehensive understanding of how and where encryption is applied within an organization’s systems. This includes developing an inventory of cryptographic protocols and encrypted pathways, identifying which business functions rely on secure communications, and ensuring these pathways are resilient against quantum attacks.
By the end of 2025, businesses must have a detailed inventory of all cryptographic methods and encrypted data pathways critical to business functions, ensuring that they can be updated to post-quantum encryption standards when the time comes.
5. China Isolation and Validation
Amid rising tensions between the U.S. and China, security and risk management companies note that many American companies are reconsidering their reliance on Chinese IT infrastructure and manufacturing. China’s cybersecurity laws, which often require companies to share sensitive data with the government, are driving businesses to decouple from Chinese technology providers. Additionally, there is concern that geopolitical events, such as a potential conflict in the South China Sea, could lead to a sudden and severe disruption of global supply chains.
This trend of “China isolation” highlights the need for companies to have a clear understanding of where their IT infrastructure is geographically located. Without this understanding, organizations may inadvertently expose themselves to geopolitical risks. Having a detailed map of IT infrastructure locations is essential to mitigating these risks and ensuring that sensitive business operations remain secure and resilient.
And it’s not just China – conflicts and natural disasters can arise anywhere. Businesses need to think about operational resilience from a geographic perspective.
By the end of 2025, organizations must have a complete map of the geographic locations of their IT infrastructure, including cloud data centers and third-party service providers, to ensure they are prepared for geopolitical shifts.
6. M&A Cyber Diligence
Cybersecurity risk assessments are becoming an essential part of mergers and acquisitions, as acquiring companies often inherit the cybersecurity risks of the target company. A failure to perform cyber diligence can lead to costly breaches or operational disruptions that could have been avoided. The SolarWinds supply chain attack, for example, demonstrated how vulnerabilities in one company can spread to others through interconnected systems.
While companies know they need this information, due to time constraints they too often need to rely on incomplete data in their analysis – which opens them up to risks post-acquisition.
M&A cyber diligence requires a detailed understanding of the business functions and systems of the target company, along with an evaluation of how resilient those functions are to cyberattacks. This includes identifying critical assets, vulnerabilities, and recovery capabilities, allowing the acquiring company to make informed decisions about risk management.
By the end of 2025, businesses must be able to automatically generate a complete map of the functions and systems of any company they acquire and assess how resilient those functions are to cyber threats. They should adopt solutions that rapidly collect robust data and use AI to generate the risk insights they need.
7. Third-Party Risk Maps
Third-party vendors play an increasingly important role in modern business operations, but they also introduce significant cybersecurity risks. A study by the Ponemon Institute found that 53% of organizations had experienced a data breach caused by a third-party vendor, demonstrating how critical it is for businesses to monitor third-party risks effectively.
Managing third-party risk requires not only visibility into vendor relationships but also an understanding of how these vendors impact the organization’s overall cybersecurity posture. Organizations need to be able to map third-party dependencies to critical business functions, identifying which assets rely on external vendors and ensuring that those vendors meet the same security standards as the organization itself.
Third-party risk oversight is about detecting risk, not just accounting for it. As organizations adopt new third-party suppliers and technologies to meet their business goals, they need a ‘radar screen’ that identifies risks to their business functions – not a spreadsheet of vendors and security policies. Automation will play a key role in managing these relationships, allowing businesses to continuously monitor vendor risks in real time.
By the end of 2025, organizations must have a complete understanding of which systems and business functions rely on third-party vendors, and they must be able to automatically map these dependencies to organizational risks, enabling proactive risk management.
8. Move Beyond Basic Asset Inventory
We’ve seen it happen time and time again—companies with basic asset inventories get hit hard by cyberattacks, and they’re left wondering how things went so wrong. Recent cases like the MOVEit and Log4j incidents show just how vulnerable organizations can be, even with asset inventories in place. The reason? Many companies rely on outdated or incomplete inventories that don’t dynamically update or integrate with real-time threat detection systems. They’re stuck trying to defend themselves with a static map, while the attack surface is constantly shifting.
In 2023, attackers exploited vulnerabilities in the MOVEit file transfer software used by various sectors, including critical infrastructure and IoT systems. Despite organizations having asset inventories, the interconnected nature of devices and the lack of immediate visibility into vulnerable software usage hindered effective mitigation. Progress Software, the tool's owner, issued patches, but the incident revealed how asset inventories can struggle to track all dependencies across systems.
Similarly, in 2021, Apache Log4j, a widely used Java-based logging library, exposed millions of systems worldwide to potential attacks. Apache released multiple patches to address the issue, but mitigation efforts were complicated by the challenge of identifying all vulnerable systems.
The problem with these cases is that their asset inventories weren’t built for today’s cyber environment—fast, agile, and constantly evolving. You need more than just a static list; you need a smart system that not only shows you what you have but also tells you what’s at risk and how to protect it in real-time.
Even more importantly, organizations need to be able to prioritize remediation efforts – they need to know which critical business functions are most at risk from a given vulnerability so they can triage issues based on criticality to the business. Most asset inventory solutions only provide an IT-centric view of their infrastructure, without considering how each IT asset or system fits into the larger business context.
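As an added illustration of the triage described above (not part of the original article and not any vendor's implementation), the following Python example maps one vulnerable component to the business functions that reach it through run-time dependencies and ranks those functions by criticality. Asset names, dependency edges, criticality scores and the affected-version set are constructed sample data.

```python
# Constructed sample inventory: every name, version and score here is illustrative.
INSTALLED = {  # asset -> {component: version}
    "file-gateway": {"log4j-core": "2.14.1"},
    "billing-api": {"openssl": "3.0.8"},
    "report-batch": {"log4j-core": "2.17.1"},
    "hr-portal": {"log4j-core": "2.14.1"},
    "auth-service": {"openssl": "3.0.8"},
}
DEPENDS_ON = {  # asset -> assets it calls at run time
    "billing-api": ["file-gateway", "auth-service"],
    "report-batch": ["billing-api"],
    "hr-portal": ["auth-service"],
}
FUNCTIONS = {  # business function -> (criticality 1-5, entry-point assets)
    "Customer invoicing": (5, ["billing-api"]),
    "Monthly reporting": (2, ["report-batch"]),
    "HR self-service": (3, ["hr-portal"]),
    "Single sign-on": (5, ["auth-service"]),
}

def reachable(entry_points):
    """Return every asset a function touches, following dependencies transitively."""
    seen, stack = set(), list(entry_points)
    while stack:
        asset = stack.pop()
        if asset not in seen:
            seen.add(asset)
            stack.extend(DEPENDS_ON.get(asset, []))
    return seen

def triage(component, affected_versions):
    """Rank business functions exposed to a vulnerable component, most critical first."""
    vulnerable = {a for a, sw in INSTALLED.items()
                  if sw.get(component) in affected_versions}
    rows = []
    for name, (criticality, entry) in FUNCTIONS.items():
        hits = sorted(reachable(entry) & vulnerable)
        if hits:  # functions with no path to a vulnerable asset are omitted
            rows.append((name, criticality, hits))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for name, criticality, hits in triage("log4j-core", {"2.14.1"}):
        print(f"criticality {criticality}  {name}: exposed via {', '.join(hits)}")
```

Note that "Monthly reporting" is flagged even though its own host runs an unaffected version: the exposure arrives through a dependency two hops away, which a flat per-host inventory would not show.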
By the end of 2025, the companies that thrive will be those that move beyond basic asset inventories. They’ll adopt fully integrated, AI-driven systems that dynamically update, map critical dependencies, and provide continuous risk assessment – from the perspective of ensuring the resilience of critical business functions.
Organizations stuck with old, static systems will be left behind, vulnerable to the ever-growing threat landscape. The future of asset management is proactive, not reactive—make sure your inventory is built for what’s coming.
Conclusion
The evolving landscape of cyber resilience requires businesses to adopt a range of new capabilities by 2025 to remain competitive and secure.
From automated recovery solutions and rich AI-driven data to post-quantum cryptography inventories and comprehensive third-party risk maps, these capabilities will enable organizations to adapt to the paradigm shifts shaping the future of cybersecurity. Companies that fail to implement these solutions risk being left behind in an increasingly complex and volatile cyber landscape.
References:
Ponemon Institute, Data Risk in the Third-Party Ecosystem: Second Annual Study (2020)
National Institute of Standards and Technology (NIST), Post-Quantum Cryptography Standards (2022)
Department of Homeland Security (DHS), Cyber Resilience Guidance for Critical Infrastructure (2021)
CrowdStrike Incident Report, Impact of Recent Outages on Endpoint Security (2023)
Colonial Pipeline Attack Report, Lessons Learned from the Largest Infrastructure Cyber Attack (2021)