5 strategic imperatives for cybersecurity and AI success in 2025

Reading Time: 9 minutes

The doomed Andrea Gail sank in 1991 when an extratropical system absorbed a tropical system and morphed into a tropical cyclone and then a hurricane with rogue 100-foot waves. This extreme, record-setting meteorological event was later dubbed the “Perfect Storm” in literary and film depictions.

Decades later, we’re facing an unprecedented storm of another ilk.

“All these things we’ve adopted for technology have done what? Created an increased attack surface,” NightDragon Founder and CEO Dave DeWalt explained at the recent SHI & Stratascale Summit: Cybersecurity and AI. “What’s the increased attack surface done? Created more vulnerabilities. Why do we have more vulnerabilities? We don’t have security by design, or resiliency by design. What did that do? That created more attackers, and now we have thousands of attackers.”

And with continued wars and geopolitical instability, tariff tensions, rapid AI advancements, simmering healthcare frustrations, and the ever-present allure of ransomware, the conditions are ripe for criminals to target organizations across every industry — the perfect cyber storm.

In such unpredictable conditions, what does your organization need to know to stave off attacks? Here’s five strategic imperatives to understand and act on this year.

1. Adopt a flexible cyber resilience mindset

“You can’t prevent a storm, but you can be ready when it hits.”
—Casey Corcoran, Field Chief Information Security Officer, Stratascale

According to a 2025 report on cyber resilience and business impact, 44% of organizations expect AI-driven attacks within a year, but only 32% feel prepared. And with the rise of AI-powered threats like deepfakes, synthetic identities, and automated phishing, it’s getting harder and harder to plan out defenses in advance.

So what can you do instead?

Casey advises organizations to shift from incident-driven mindsets to adaptive ones. We don’t always know where attacks will come from or what they’ll look like, but we can reinforce our cyber resilience — the ability to anticipate, withstand, recover, and adapt — despite our knowledge limitations.

Resilient organizations consistently apply their Cybersecurity Incident Response Plans (CSIRP) across their enterprises, align their cyber goals with business outcomes, and embrace zero-trust mindsets. They also leverage third-party intelligence to supplement their own and focus on reducing time to contain incidents. And they determine their minimum viable company (MVC) for business continuity and build their risk plans around it. What are the most essential services you need to keep your business running and protect your revenue and reputation? These functions should be the priority, rather than attempting to restore everything at once.

Unfortunately, the same resilience and cyber impact report reveals that 55% of organizations say that cyber resilience is not an organization-wide priority. These organizations are more vulnerable to attacks and less free to try new things. Conversely, leaders who champion proactive, AI-aware cultures of resilience are free to innovate more. By controlling for cyber risk, it’s easier to take on more creative risks.

Cyber resilience is not just about bouncing back. Your focus should be on defining your MVC and business continuity plans, which span technical, organizational, and cognitive readiness.

2. Build a modern security foundation

“The objective of any cybersecurity strategy should be an obsessive focus on protecting revenue generation, revenue opportunity, and company reputation while defending against loss via fines, fees, and other legal punitive measures. In the end, it’s always about dollars.”
—Jordan Mauriello, Chief Technology Officer, SHI

Become brilliant at the basics of cybersecurity

The basics work against every attack vector and breach. Security awareness, password security, multifactor authentication, privileged access management, vulnerability and patch management, configuration management, detection and response — and the right people, processes, and practicality.

But organizations often look at the results of penetration tests and think they should plug vulnerabilities with more money, more investments, and, potentially, more tool sprawl.

The truth is that in nearly every case, the basics would’ve made a difference. Consider that good security awareness training stops tailgating, proper network segmentation with strong access controls limits access, and proper configuration management eliminates unnecessary exceptions for leaky older systems.

To get it right, refocus on the fundamentals. Review and measure processes, configurations, and exceptions on a regular cadence. Align with a framework that your organization understands and regularly conduct executive tabletops using real-world scenarios to ensure your processes and responses work as you intend (more on that soon).

Perhaps most importantly, don’t just do penetration tests to check a compliance box. Invest in high-quality security testing and bring in smart testers who will help you find and fix your flaws.

That said, there’s still value in keeping up with the latest technological advancements while maintaining the basics.

Lean into AI to bolster your cyber defense strategy

Attackers are using AI to rewrite the cybercrime as a service playbook, and they’re making hundreds of millions of dollars thanks to their willingness to adapt to new technologies. The idea of matching old defenses against new offensive schemes sounds daunting, doesn’t it? Instead, it’s time to level up your defenses and embrace AI to create greater equality between offense and defense.

Autonomy and agentic capabilities offer unprecedented opportunities to scale your operations, process more data, and deploy rapid responses to threats. Organizations will soon be able to deploy highly autonomous defense services that simply weren’t possible prior to the rise of AI.

But attackers are also automating edge-based AI and cyber offense tactics. Defending your environment against adversaries that are coming at you with AI at scale is extremely difficult. Attacks are generated 24/7 in mere minutes. In order to have a chance, your defense tools should incorporate agentic SOC automation, and you must be able to measure your mean time to respond (MTTR) within minutes.

Building proactive defensive strategies that can keep up with offensive attacks is tough when millions of unknown new threats arrive each day. How do you make sense of so many signals? Which ones matter and which can be safely ignored? It’s best to work with cybersecurity and AI experts who are familiar with the ever-swirling winds of cybercrime and with agentic AI to protect your organization.

3. Decide how you’ll handle the widening cybersecurity skills gap

While the need for cyber experts continues to grow, many organizations are finding that the talent pool isn’t keeping pace. In a recent study, industry experts estimated the shortage falls somewhere between 2.8-4.8 million cybersecurity professionals. If left unaddressed, this skills gap could put your organization in a precarious position. But how do you solve this problem with a finite budget?

Start with education. Effective leaders offer regular learning and development opportunities to existing staff so they can continue to defend against cyber threats. Avoid knowledge hoarding, too. Have a star cyber defender in your ranks? Ask that person to lead a training for their peers to help level up the entire team. And if leaders find inefficiencies that can be solved by reorganizing teams, give them the autonomy to do so.

AI can help here as well. By delegating the easier work to the robots, you enable human teams to think. Asking smart people to do meaningful, engaging work will keep your team motivated and allow you to retain the talent you do have. No one wants to push buttons all day when they have more to offer.

Finally, recognize that your internal teams won’t catch everything. Engage strategic partners like SHI to help bridge the remaining gaps.

4. Test your incident response plans and sharpen regularly

Once you’ve established a flexible cyber resilience mindset, built a modern cyber defense strategy, and ensured you’re getting the most out of your talent, it’s time to test your incident response (IR) plans.

Regulators like the Federal Financial Institutions Examination Council (FFIEC) often require cybersecurity training for executive leaders and board members. This training must involve groups like human resources and marketing, because IT is not equipped to make all the decisions that may arise during an attack. If your website goes down and the media asks for a statement, your communications team needs to step in. And if your systems are inaccessible and your organization needs to decide whether to keep paying hourly contractors or send them home, you’ve got a payroll decision to make.

We recommend a regular cadence of executive tabletop exercise simulations to prepare for incident response and crisis communications. These realistic scenarios are tailored to common threats, like ransomware, supply chain attacks, or web application exploitation, and are designed to align with your specific levels of business risk.

Stratascale, SHI’s cybersecurity services division, simulates real-world, business-related cyber threat scenarios for customers across all industries. The frequency of our tabletop exercises can vary based on organizational maturity, budget, and executive availability, but the process remains constant:

• Review existing incident response plans and set goals.
• Prepare scenario guide.
• Facilitate tabletop exercise using Crisis Sim by Immersive Labs.
• Deliver after-action report.
• Explore opportunities for continuous improvement.

By regularly testing your IR plans, you can sharpen your organization’s ability to navigate a cybersecurity event.

5. Prepare for the arrival of quantum computing

We’ve discussed the AI threats that are already here, but what about the looming threats in the short-term forecast? For a long time, quantum computing seemed to always be ten years away; a moving goalpost that didn’t yet warrant meaningful attention. That mindset is over.

The quantum threat to encryption is accelerating, and it’s time to figure out which quantum-resistant solutions will secure your critical assets against present and future quantum adversaries.

Still unsure why you should be worried about the impact of quantum computing? The short version is that quantum poses a potential threat to our current encryption systems. Consider where you use cryptography today. What happens to your business and your wider supply chain if your current system fails? And how do you plan to transition to post-quantum cryptography (PQC) while accounting for impact factors like regulatory compliance and customers or suppliers who won’t transition at the same time as you?

Our experts recommend looking at NIST guidance in the U.S., which is also the basis for much of the global guidance we are seeing. We also urge you to consult with your supply chain vendors about their PQC plans. If you discover there will be a period where your respective organizations won’t be operating on a common cryptographic basis, you must plan for how to communicate with each other.

Keep in mind that adversaries are already operating on a “harvest now, decrypt later” basis, in which they’re stealing encrypted intellectual property and financial and health records and saving it until they have crypto-capable computers that can make sense of the data.

It’s a lot to consider, which is why engaging cybersecurity experts with quantum knowledge like SHI is your best first step.

How to take meaningful cybersecurity and AI actions with SHI

Cybersecurity Ventures projects that cybercrime will cost the world $10.5 trillion in 2025 — a frightening figure that dwarfs the GDPs of all but two countries (the United States and China). As countless organizations can attest, a cyberattack can be financially devastating and reputationally ruinous.

Unfortunately, just as there’s no off switch for meteorological disasters, there’s no way to guarantee cyber safety, but there are actions SHI and Stratascale can help you take this year to fortify your defenses, reduce your MTTR, and prepare to bounce back quickly if a cyber incident does occur:

• Book a penetration test with our security experts to identify and close vulnerabilities.
• Safely test and validate technologies in a closed setting that mimics your live environment in our AI & Cyber Labs.
• Sign up for an executive tabletop exercise simulation with Stratascale to test and sharpen your IR plans.
• Schedule a complimentary security posture review for an expert evaluation of your current security environment and recommendations for improvement.

We’ve helped thousands of organizations like yours become resilient by design. Reach out to us today to learn how we can help you build a modern security program to combat today’s perfect cyber storm.