Freely subscribe to our NEWSLETTER

© Shutterstock

Trend #1

AI, cybersecurity risk, and regulation – the new triad shaping data governance

In 2025, data governance will take center stage – in the wake of 2024, a year marked by waves of third-party-driven hacks, data breaches, and outages. The realisation that supply chain risks cannot be pre-empted or mitigated with slap-dash solutions or quick fixes has become clear. Data governance will re-merge as a critical business priority, shaping the future of risk management. Re-assessing vulnerabilities and developing robust data governance strategies will move to the forefront of security leaders’ agendas.

The need for and importance of this is already evidenced in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0 (CSF 2.0), which places newfound emphasis on cybersecurity governance and risk management. The race to adopt generative AI technologies adds another layer of complexity to the data governance challenge. Organizations need to implement governance frameworks that are robust, transparent, forward-looking, and aligned with their cybersecurity risk posture. 

Furthermore, with public awareness of data rights growing, so is the volume of data subject access requests (DSARs). Against a backdrop of generative AI adoption, DSARs will put even more pressure on organisations to develop capabilities to manage and retrieve personal data efficiently. Streamlined data management will be crucial not just for data security, maintaining customer trust, and regulatory compliance, in equal measures.

Trend #2

From optional to imperative – MFA will underpin security and compliance
Multi-factor authentication (MFA) thus far a slow-burning trend, will gather steam in 2025 in enterprises. This rise in adoption will not only be driven by just security, but compliance and governance, as the world moves towards a password-less authentication future.

The catalyst for MFA adoption comes from multiple fronts. Cyber insurance providers, recognizing the critical role of MFA in risk mitigation, are already making it a non-negotiable requirement for policy coverage.

Government and regulatory bodies are equally influential in this push towards MFA. The UK’s National Cyber Security Centre (NCSC) has taken a bold step by mandating MFA for corporate online services. While data protection compliance doesn’t universally require MFA yet, the winds of change are blowing. France’s data protection authority, CNIL, has already outlined specific scenarios where MFA is deemed necessary for legal and security purposes, interpreting the underlying GDPR compliance principles to support MFA adoption. Similarly, ENISA, the European Union Agency for Cybersecurity, has thrown its weight behind MFA, recommending its use for high-risk access to personally identifiable information.

Microsoft is actively shaping this trend. Already, Microsoft has started enforcing mandatory MFA for all Azure sign-ins. As the dominant technology in the enterprise, Microsoft’s stance on MFA means that user organisations and software providers alike will be compelled to align their systems and practices with this new MFA-centric trend.