In our last blog post we asked Kirsten Davies (Founder of Institute for Cyber; three-time Fortune 500 CISO) and Umer Khan (CIO and Senior VP of Software Engineering at Relativity Space) to tell us about the cybersecurity developments that have surprised them the most over the last five years.
So now we’re getting our heads out of the past and looking to the future instead. We asked Kirsten and Umer to share one major change they expect to see in the field of cybersecurity over the next five years – and why they think it’ll happen.
Better cybersecurity awareness training and automated compliance reporting
Kirsten said that two things actually come to mind – “both of which are key areas of interest for me personally.”
The first is that there’s “a significant shift away from traditional awareness and training and toward Human Risk Management.”
She added that this is a welcome change – “even being a multi-time CISO, I’ve been long-tired of the annual cybersecurity training rollout. And there are some great companies at the cutting edge of Human Risk.”
In no particular order, she cited:
- Living Security
- ThinkCyber
- Abnormal Security
- Drip7
These companies, Kirsten said, “are integrating risk management into the everyday activities of employees as they interact with technology in the workplace. Many of these HRM companies are also effectively leveraging AI in the background in order to ‘get ahead’ of inadvertent risky behavior by an employee…
“and these solutions, when used appropriately and communicated effectively, are actually being welcomed by works councils and labor unions (approvals from which are no small feat!).”
With a focus on just-in-time training and awareness-building, this fresh approach to cybersecurity skills is incredibly valuable as organisations continue to lean heavily on employees as the first line of defence against attackers.
And the second trend Kirsten sees coming is the growth of automation and tech-driven reporting solutions for compliance – both to internal policies, and external regulating bodies.
“I have high hopes that within the next few years, the days of hundreds of management hours being spent every quarter on building compliance reports for internal and external audits will be long gone.”
In particular, Kirsten urged us to keep an eye on the investment and venture groups she mentioned in our last blog post, and the startups they invest in across the compliance reporting space.
Restructured cybersecurity teams to handle complex threats
For Umer, “The obvious one is Artificial Intelligence and the impact it is and will have on both attackers and defenders.”
“But AI is just one of many themes that are part of the growing complexity of technology that make traditional approaches to cybersecurity insufficient,” he added. “I expect that the organisational structure of cybersecurity teams needs to evolve, and this will happen over the next few years.”
“Many environments now encompass on-premise and multi-cloud environments, operational technology (AI), heterogeneous tech stacks, and a need to implement security at each layer of the application and infrastructure, as well as at the system level.”
And this means that centralised cybersecurity teams are, increasingly, not fit for purpose on their own: they “cannot possibly possess the granular knowledge necessary to secure such a diverse ecosystem effectively while staying ahead of rapidly evolving threats.”
That’s why organisations need to change the way they structure their cybersecurity teams and operations. Centralised security teams are still needed, to set overall strategies, policies, and governance – but “they must evolve to work in concert with distributed cybersecurity subject matter experts (SMEs) embedded within individual teams. These SMEs, specialised in their individual areas, bring deep, domain-specific knowledge that complements the centralised team’s broad oversight.”
Umer said this hybrid approach will be characterised by decentralised expertise, centralised coordination, and cross-team collaboration. Critically, centralised teams will focus on enabling distributed teams to do their work effectively, rather than on attempting to control every aspect of the entire environment’s security. And to keep this distributed model robust, stronger mechanisms will need to be established to verify that controls are actually implemented as intended – with automation essential to continuously monitor and assess vulnerabilities.
“This combination of centralised and decentralised security will ensure organisations can scale their defences without compromising depth or breadth,” he said.
“It will transform security from a siloed function into a distributed capability embedded throughout the enterprise, enabling faster, more contextual responses to threats while maintaining a cohesive overall security strategy.”
Future-proofing security
While Kirsten and Umer are focused on different aspects of industry development here, their perspectives share a theme: the changes they expect to see are all geared towards future-proofing security postures in a world where cybersecurity is constantly evolving and becoming more complex.
Improved training models will help to mitigate the risk of human error, and restructured security teams will rise to the pressure of diverse threats.
Join us at Black Hat MEA 2025 to share your perspective and meet potential partners – and shape the future together.