Best of E36 - 66% Say AI Will Reshape Cybersecurity. Only 37% Are Ready.
Posted on January 14, 2025 • 8 min read • 1,522 words
Originally published January 14, 2025
What You Need to Know
The World Economic Forum’s Global Cybersecurity Outlook 2025 is the annual report that frames how global leaders think about cyber risk. Drawing on surveys and interviews across industries and geographies, it maps the forces shaping cybersecurity strategy at the highest levels.
The 2025 edition reveals a landscape defined by widening gaps — between large and small organizations, between AI ambition and AI security, between regulatory intent and operational reality.
66% of organizations believe AI will significantly impact cybersecurity within the year. Only 37% have processes to secure AI tools before deployment. That 29-point gap between expectation and preparation is the story of 2025.
The Gaps That Define 2025
The Outlook’s data paints a picture of compounding asymmetries:
| Finding | Stat |
|---|---|
| AI will reshape cybersecurity | 66% of organizations believe this |
| AI security measures in place | Only 37% have pre-deployment controls |
| Geopolitical risk influences strategy | 60% of organizations |
| Supply chain is #1 challenge | 54% of large organizations |
| Social engineering success | 42% experienced successful attacks in 2024 |
| SMB resilience insufficient | 35% of small organizations (vs 13% large) |
| Regulatory complexity a barrier | 69% cite this as a major challenge |
| Cybercrime costs | Exceeded $12.5 billion in 2023 |
| Skills gap widening | 8% increase from 2024 |
Every number tells the same story: the threat landscape is outpacing the response. Organizations know what’s coming — AI disruption, supply chain risk, geopolitical conflict spilling into cyberspace — but the mechanisms to prepare are lagging behind the awareness.
INTEL [GLOBAL THREAT]: The 29-point gap between AI impact expectation (66%) and AI security readiness (37%) represents the defining vulnerability of 2025. Organizations racing to deploy AI without pre-deployment security assessments are creating attack surface faster than they’re securing it. This gap will be exploited.
Geopolitics Is Now a Cybersecurity Input
60% of organizations report that geopolitical tensions directly influence their cybersecurity strategy. This isn’t abstract — it’s operational.
When nation-state conflicts escalate, cyber operations follow. The CrowdStrike data showed China-nexus espionage up 150%. The CERT-EU brief documented three nations hitting Western infrastructure simultaneously. The Forescout report found 48% of attacks are state-sponsored.
The WEF Outlook confirms this is now a board-level concern, not just a SOC-level one. Six in ten organizations are adjusting security posture based on geopolitical risk — factoring in sanctions, trade tensions, territorial disputes, and diplomatic breakdowns as threat intelligence inputs.
For security leaders, the implication is clear: threat modeling that doesn’t account for geopolitical context is incomplete. The adversary targeting you may be driven by a government’s strategic objectives, not just financial gain.
Supply Chain: The Risk That Won’t Shrink
54% of large organizations identify supply chain vulnerabilities as their single greatest cybersecurity challenge. Not ransomware. Not AI. Not insider threats. Supply chain.
This aligns with what every major report is showing:
- Verizon DBIR: Third-party breaches doubled to 30%
- Mandiant M-Trends: Data theft in 37% of investigations — often targeting supplier relationships
- Forescout: 73% of exploited vulns aren’t even in CISA KEV — many living in third-party software
The WEF data adds the strategic layer: this isn’t just a technical finding. It’s the risk that C-suites and boards are losing sleep over. When more than half of large organizations name supply chain as their top concern, it reflects a recognition that your security posture is only as strong as your weakest vendor’s.
INTEL [INDUSTRY PATTERN]: Supply chain risk has moved from a technical concern to the #1 strategic cybersecurity challenge for 54% of large organizations. The convergence of third-party breaches doubling (DBIR), exploitation outside KEV catalogs (Forescout), and credential theft pipelines (M-Trends/CrowdStrike) means supply chain exposure is compounding across multiple vectors simultaneously.
The SMB Resilience Gap
35% of small organizations report insufficient cyber resilience — nearly three times the rate of large organizations at 13%. This gap has widened since last year’s Outlook.
The disparity isn’t surprising, but its persistence is concerning. Small organizations face the same threats as large enterprises — the Verizon DBIR showed SMBs account for 4x as many cyberattack victims — but with a fraction of the budget, staff, and tooling.
The WEF frames this as a systemic risk, not just an individual organizational problem. When small organizations form the majority of supply chains, vendor ecosystems, and critical infrastructure operations, their resilience gap becomes everyone’s risk. A breach at a 50-person supplier can cascade into a Fortune 500 incident.
AI: The Accelerant and the Blind Spot
The AI findings reveal a dangerous mismatch:
- 66% believe AI will significantly impact cybersecurity within one year
- Only 37% have processes to assess AI security before deployment
- 42% experienced successful social engineering attacks — a vector AI is supercharging
Organizations are deploying AI with urgency but securing it as an afterthought. If only 37% have pre-deployment security controls, then 63% are putting AI into production without structured security assessment. These systems become new attack surfaces — vulnerable to prompt injection, data poisoning, model theft, and adversarial manipulation.
Meanwhile, attackers are already using AI to scale social engineering. The 42% successful social engineering rate will climb as AI-generated phishing, vishing, and deepfakes become indistinguishable from legitimate communications.
INTEL [EMERGING RISK]: 63% of organizations deploy AI without pre-deployment security assessments. Combined with 42% social engineering success rates and AI-powered attack scaling, organizations are simultaneously expanding their attack surface (through unsecured AI deployment) and facing an adversary that’s using the same technology to exploit them faster.
Regulatory Complexity: The 69% Problem
69% of organizations cite regulatory complexity as a major barrier to cyber resilience. The regulatory landscape has fragmented across jurisdictions — GDPR, NIS2, DORA, SEC cyber rules, state-level privacy laws, sector-specific requirements — creating a compliance burden that consumes security resources without necessarily improving security outcomes.
The risk is that compliance becomes the ceiling rather than the floor. When 69% of organizations identify regulation as a barrier rather than an enabler, the frameworks designed to improve resilience are instead diverting resources from operational security into audit and reporting.
Eight Risk Areas for 2025
The WEF Outlook identifies eight converging risk areas:
- Escalating geopolitical tensions targeting critical infrastructure
- Supply chain dependencies and third-party vulnerabilities
- Sophisticated cybercrime including Ransomware-as-a-Service industrialization
- Fragmented regulatory environment creating compliance overhead
- Widening resilience gaps between large and small organizations
- Workforce challenges — skills gap widening 8% year-over-year
- Emerging technology risks — AI, quantum computing, decentralized systems
- Rising economic impact — cybercrime costs exceeding $12.5 billion
These aren’t isolated risks. They compound. Geopolitical tensions drive state-sponsored attacks through supply chains against organizations with widening resilience gaps, exploiting AI-powered attack vectors that defenders can’t match due to skills shortages, in a regulatory environment that diverts resources from operations to compliance.
What Organizations Should Actually Do
The Outlook data points to five priorities:
- Close the AI security gap — If you’re deploying AI, mandate pre-deployment security assessments. 63% of organizations aren’t doing this. Be in the 37% — and build toward making it standard practice across your supply chain.
- Treat supply chain as your #1 risk — 54% of large organizations already do. Implement continuous monitoring of critical vendors, require security attestations beyond annual questionnaires, and map your dependency chains to identify single points of failure.
- Invest in SMB resilience if you depend on SMBs — If your supply chain includes small organizations, their 35% insufficiency rate is your risk. Consider funding security improvements, sharing threat intelligence, and establishing minimum security baselines for vendors.
- Integrate geopolitical intelligence into threat modeling — 60% of organizations recognize this influence. Build relationships with ISACs, subscribe to geopolitical risk feeds, and adjust security posture during periods of elevated tension.
- Simplify regulatory compliance to free resources — 69% cite complexity as a barrier. Map overlapping requirements across frameworks, invest in GRC automation, and push for regulatory harmonization through industry associations.
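The supply chain priority above asks you to map dependency chains and find single points of failure. The script below is an added illustration of that step; it is not from the WEF Outlook or from this newsletter, and the vendor and service names in it are constructed. It models each business service as needing a set of capabilities, each capability as having one or more candidate providers, and each provider as possibly depending on further vendors. A vendor is a single point of failure for a capability when every candidate provider transitively depends on it, which is how shared fourth-party dependencies (two CDNs behind the same DNS vendor) hide behind apparent redundancy.

```python
"""Find single points of failure in a vendor dependency map.

Added example for illustration only. The vendor and service names below are
constructed and do not refer to real suppliers.
"""
from collections import defaultdict

# Constructed sample data: vendor -> vendors it depends on (fourth parties).
VENDOR_DEPS = {
    "cdn-a": {"dns-x"},
    "cdn-b": {"dns-x"},          # both CDNs resolve through the same DNS vendor
    "payments-p": {"cloud-y"},
    "payments-q": set(),         # independent alternative for payments
    "cloud-y": set(),
    "dns-x": set(),
    "hr-saas": {"cloud-y"},
}

# Constructed sample data: service -> capability -> candidate providers.
SERVICES = {
    "web-storefront": {
        "cdn": ["cdn-a", "cdn-b"],
        "payments": ["payments-p", "payments-q"],
    },
    "employee-portal": {
        "hosting": ["cloud-y"],
        "hr": ["hr-saas"],
    },
}


def transitive_deps(vendor, graph, seen=None):
    """Return the vendor plus every vendor it transitively depends on.

    The `seen` set doubles as cycle protection, so mutual dependencies
    between vendors do not cause infinite recursion.
    """
    if seen is None:
        seen = set()
    if vendor in seen:
        return seen
    seen.add(vendor)
    for dep in graph.get(vendor, ()):
        transitive_deps(dep, graph, seen)
    return seen


def single_points_of_failure(services, graph):
    """Return {service: {capability: [vendors every provider depends on]}}.

    A capability with several providers still has a single point of failure
    if all of those providers share a transitive dependency.
    """
    result = {}
    for service, capabilities in services.items():
        for capability, providers in capabilities.items():
            closures = [transitive_deps(p, graph) for p in providers]
            common = set.intersection(*closures) if closures else set()
            if common:
                result.setdefault(service, {})[capability] = sorted(common)
    return result


def blast_radius(spofs):
    """Count how many (service, capability) pairs each vendor can take down."""
    counts = defaultdict(int)
    for capabilities in spofs.values():
        for vendors in capabilities.values():
            for vendor in vendors:
                counts[vendor] += 1
    return dict(counts)


if __name__ == "__main__":
    spofs = single_points_of_failure(SERVICES, VENDOR_DEPS)
    for service, capabilities in spofs.items():
        for capability, vendors in capabilities.items():
            print(f"{service}/{capability}: single point of failure -> {vendors}")
    for vendor, count in sorted(blast_radius(spofs).items(), key=lambda kv: -kv[1]):
        print(f"{vendor}: can take down {count} service capabilities")
```

On the constructed data the CDN capability shows `dns-x` as a single point of failure despite having two providers, and `cloud-y` ranks highest by blast radius because it sits under both the employee portal's hosting and its HR provider. Feeding this the real vendor inventory and contract data is where the monitoring and attestation work in the priority above becomes targeted rather than uniform.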
What We’re Watching
The AI security gap trajectory. Will the 37% readiness number improve as AI deployment accelerates — or will the gap widen as organizations rush to ship?
Supply chain cascades. With 54% naming it the top risk and third-party breaches doubling, the conditions for a major supply chain incident are fully present.
SMB resilience divergence. The gap between large (13% insufficient) and small (35% insufficient) organizations continues to widen. Systemic risk accumulates in the weakest links.
Regulatory fragmentation vs. harmonization. NIS2, DORA, and SEC rules are layering on top of each other. Whether 2025 brings simplification or further complexity will determine whether regulation helps or hinders.
The Bottom Line
The WEF Global Cybersecurity Outlook 2025 doesn’t reveal new attack techniques or zero-day vulnerabilities. It reveals something more fundamental: the structural gaps between what organizations know is coming and what they’ve actually prepared for.
66% see AI reshaping cybersecurity — 37% are ready. 60% recognize geopolitical risk — but response mechanisms lag. 54% name supply chain as their top challenge — while third-party breaches double. 35% of small organizations lack basic resilience — while they form the backbone of enterprise supply chains.
The threats in this report aren’t technical. They’re organizational, strategic, and systemic. And that’s what makes them harder to fix.
Find all editions: FIR Risk Tuesday
All newsletters and source materials: FIR Risk Intelligence on GitHub