Security and technology leaders are being forced to choose: where to focus, what to let go, and how to manage the risks they can’t avoid. To help them focus, Gartner has identified eight cybersecurity projects worth prioritizing in 2025. Each one targets a known risk, addresses a real operational need, and can be completed within a year.
Below is a summary of all eight, written for decision-makers who need to move quickly and get results.
In 2025, tariffs are a growing source of risk for cybersecurity teams. New trade policies can impact the cost and availability of hardware, software, and security services — often with little warning, meaning delays, budget overruns, and disruptions to ongoing projects.
The goal of this project is to get ahead of those problems. You’ll need to look at how tariffs could affect your current and future security spending, and make adjustments before they cause serious downtime or cost spikes.
Start by reviewing your existing vendor contracts and products. Note when renewals are due and which suppliers might be exposed to tariffs. Check the country of origin for key tools and systems — not just where the vendor is based. If a supplier’s pricing or delivery has already changed, look into alternatives.
Once you’ve mapped the risks, work with your procurement team to adjust your sourcing strategies. That could involve buying some equipment in advance, negotiating clauses in vendor contracts around tariff changes, or identifying open-source alternatives for specific capabilities.
Also, consider updating your long-term planning. If tariffs are likely to affect certain regions or categories of tools, build that into your multi-year roadmap so you’re not reacting last minute each time.
What success looks like:
You’ll have a clearer picture of where your cybersecurity program could be impacted by tariffs — and a plan to manage it. You’ll reduce purchasing delays, avoid unexpected costs, and improve supply chain resilience in a more volatile trade environment.
Zero trust has become a top priority for many security teams, but moving from interest to action can be complicated. Misunderstandings about what it is — and what it’s not — often lead to inflated expectations, unclear goals, or wasted time and resources.
What you want isn’t a perfect plan, but a practical one.
Start with a clear strategy that connects zero-trust principles to real company objectives. Identify risks that block those goals — for example, too much access for remote users, or weak visibility across cloud systems. Then, choose a formal framework to use as a reference. This gives your teams a shared language and structure.
You don’t have to build everything at once. Run a pilot to get quick wins, build confidence, and guide your longer-term roadmap.
It also helps to set up a small cross-functional team — a “zero-trust working group” — to lead and oversee the changes. This team should include people from cloud, IAM, data protection, and DevSecOps, and should report regularly to senior stakeholders. If your teams are already stretched, this group should be sized appropriately — just enough to stay focused without creating overhead.
What success looks like:
In six months, you’ll have a clear path forward, supported by a framework and backed by business needs. You’ll understand what needs to change, what already fits, and what priorities matter most. And instead of trying to fix everything at once, you’ll be focused on building trust where it’s most needed — one step at a time.
Good governance is now a central part of how we think about cybersecurity — not just compliance, but how risk is understood, shared, and acted on across the organization.
Version 2.0 of the NIST Cybersecurity Framework adds more structure to this, especially through the new “Govern” function. It helps leaders move from loose oversight to a more deliberate model that links security decisions to business risk.
For teams already using NIST CSF 1.1, this project means reviewing what’s changed in the new release and updating your reporting and processes accordingly. For others, it’s an opportunity to adopt just the parts of the framework that fill gaps or simplify what you already do.
Start by involving key stakeholders, including your chief risk officer or whoever owns enterprise risk management. Look at where your current security posture sits, where it overlaps with broader risk functions, and how decisions around security are made and tracked.
The goal here is to build a governance model that works across departments, sets clear roles and expectations, and can flex with the needs of the business.
Use what’s useful: NIST provides tools and templates to speed things up, and CSF 2.0 is flexible enough to work with other frameworks like ISO, COBIT, or CIS.
What success looks like:
In six months, you’ll have a stronger and more consistent governance model for cybersecurity. It will be built around your real risk priorities, not just technical signals. And it will help leadership teams make better-informed decisions — not just about threats, but about the trade-offs that come with every investment.
Generative AI is moving fast, and most companies are adopting it before they fully understand the risks. From data exposure to embedded AI features in everyday tools, security teams need to act now, not delay until something goes wrong.
This project focuses on embedding cybersecurity directly into the governance structure for GenAI. That means putting the right policies and responsibilities in place so AI adoption happens safely — and in line with your existing risk posture.
Start by reviewing what governance already exists. If you’ve got policy templates, steering committees, or acceptable use guidelines, update those to reflect GenAI use cases. Don’t create a whole new governance structure if you don’t have to; build on what people already know and use.
Set clear short-term, midterm, and long-term steps:
Also, keep in mind that users won’t always know when they’re interacting with AI. Governance frameworks need to assume that GenAI is built into many systems, often by default.
What success looks like:
In two to four months, you’ll have GenAI risks covered within your broader security governance. You won’t need to build a separate system for AI — you’ll update the processes you already have. This helps keep GenAI adoption aligned with company policy, reduces blind spots, and builds trust with leadership and regulators.
Generative AI tools rely on enormous amounts of data, including the unstructured data stored across your organization: documents, emails, presentations, customer messages, shared folders, and more. That’s where the risk is.
If security, privacy, or governance teams don’t act early, AI could end up pulling from places it shouldn’t — exposing sensitive information, violating data policies, or creating compliance issues you didn’t anticipate.
This project is about protecting that data before it’s used by GenAI. The key steps are: find it, organize it, and control access to it.
Start by identifying where your unstructured data is. Use discovery tools to scan file shares, cloud drives, and business applications for sensitive content. Then, assess whether existing access controls are still appropriate or need to be tightened, removed, or rewritten.
It also helps to reduce how much data you keep. Use retention policies to remove what’s no longer needed, making your environment easier and cheaper to manage.
Prioritize tools that offer more than one function — like discovery, classification, masking, and entitlements — rather than stitching together point solutions. Many security teams are also adopting Data Security Posture Management (DSPM) tools to catalog and track data over time.
What success looks like:
Within about 100 days, you’ll have better control over where your data is, how it’s used, and who can access it. You’ll reduce the risk of GenAI pulling sensitive content into public or unauthorized use, and you’ll cut costs by storing less and managing vendors more efficiently.
Backup alone isn’t enough anymore. Ransomware and insider threats now target storage systems directly, not just production environments, but the backups that you rely on to recover from attacks.
This project focuses on upgrading storage security from passive protection to active defense. That means adding threat detection, automated response, and built-in safeguards into how your data is stored. It also helps meet growing compliance expectations around integrity, availability, and accountability for data at rest.
Start by looking at what your current storage vendors already provide. Many now offer cyberstorage features — things like immutable backups, anomaly detection, and integrations with SIEM tools that let you catch storage‑level threats in real time.
From there, define your storage security plan. Assign ownership, write clear policies, and build a shared view between infrastructure and security teams. Consider centralizing how you monitor for vulnerabilities and risks — a dashboard that covers all your storage systems can speed up response and highlight where improvements are needed.
This project also includes making sure any new storage tools work with what you already have — systems, policies, and operations — so security doesn’t slow down your teams or introduce new risks.
What success looks like:
In two to four months, you’ll have stronger protection for the data your business depends on. You’ll stop treating storage as just a backup task and instead make it part of your active cyber defense. With better visibility, smarter tools, and real-time alerts, you’ll be better prepared to detect and prevent storage-based attacks before they spread.
Many critical systems — in factories, infrastructure, healthcare, and supply chains — were never designed to be connected to the internet. Now they are. That shift introduces new risks, especially as more operational technology (OT), IoT, and industrial control systems get pulled into modern networks.
This project focuses on finding, tracking, and protecting those connected systems. These devices often control physical operations, so a breach here can mean more than data loss — it could stop production or threaten safety.
Start by deploying a tool designed for cyber-physical system (CPS) environments. These tools detect assets, map networks, and monitor activity with the detail and context that general-purpose platforms often miss. They also spot vulnerabilities and abnormal behavior in real time.
You’ll need buy-in from operational teams — security can’t do this alone. Form a steering group that includes engineering, maintenance, production, and site managers. Get a clear view of which systems are in use, how they’re connected, and what’s most critical to keep running. Choose a tool based on risk reduction and practical integration, not just features.
Once deployed, analyze what the tool finds and decide which fixes matter most. Then plug the system into your broader IT security stack for centralized monitoring.
What success looks like:
In two to four months, you’ll have eyes on systems that were once invisible to IT. You’ll understand where the risks lie — and have a platform in place to monitor threats, limit downtime, and protect critical operations. It’s a major step toward closing security gaps in environments that can’t afford to fail.
Security is often seen as a blocker, slowing down projects or adding complexity to tech decisions. This perception hurts the credibility of security teams and limits their influence. But it can be changed.
This project is about updating how cybersecurity is seen within the organization. Instead of a gatekeeper, security becomes a trusted partner: proactive, enabling, and connected to business outcomes.
Start by building a simple message: what cybersecurity does, why it matters, and how it helps the business succeed. Tailor that message by audience — the board, department heads, and everyday employees each care about different things.
Talk to leadership in business terms: risk to operations, cost of downtime, impact on transformation programs. For department leads, show how security supported a project, not just how it enforced policy. And for staff, shift training and awareness from “what not to do” to “how to protect what matters” — teams, systems, even customers.
This isn’t something you run once and move on. It works best when the message shows up regularly: in all-hands meetings, project briefings, even planning discussions. Consider partnering with internal comms or marketing to help shape and spread the message clearly.
What success looks like:
Over six to 12 months, you’ll begin to see real change in how security is treated across the business. Stakeholders will bring you in earlier. Project teams will see you as a resource. And the board will better understand your role in protecting — and enabling — the organization. You’ll shift from defending the business to being part of how it moves forward.
These eight cybersecurity priorities reflect where the pressure is highest in 2025 — not just for IT and security teams, but for business and transformation leaders too.
They also show where it’s possible to make progress this year: closing security gaps, reducing cost and complexity, and improving trust across the company.
At Revolgy, we work with technology leaders to turn plans like these into real outcomes — whether it’s building secure cloud environments, helping teams adopt AI responsibly, or making security part of transformation agendas, not a blocker.
Try our free security auditor tool, developed by our security experts, to get a better idea of your security posture.
If these areas are already on your 2025 roadmap, we’re always open to a conversation.
Read next: Managed SOC: Why DIY security is a risky gamble
Read also: Cloud identity sprawl: What it is and how to prevent it