By Byron V. Acohido
Today, part three of Last Watchdog’s year-end roundtable zeroes in on the regulatory and compliance landscape.
Part three of a four-part series
In 2024, global pressure on companies to implement advanced data protection measures intensified, with new standards in encryption and software transparency raising the bar.
From the push for quantum-resilient cryptography to Software Bill of Materials (SBOM) requirements aimed at bolstering supply chain security, this installment examines the regulatory changes and evolving technical standards poised to reshape compliance expectations.
Our experts discuss the impact of these standards and how organizations can position themselves to adapt to the shifting requirements of a complex, compliance-driven world.
Dr. Leila Powell, Head of Data, Panaseer
In 2025, more organizations will face increased pressure to measure and demonstrate their security posture, especially as regulatory requirements expand. With new regulations like NIS2, companies will need to prove they have the necessary security controls in place to avoid penalties. This shift is expected to place significant pressure on organizations that haven’t yet developed trusted data to manage risk effectively.
Dane Sherrets, Innovation Architect, HackerOne
We’ll see greater industry adoption of AI security and safety standards. One example is AI model cards, which inform users about how AI models are intended to be used . . . I’m also confident we will see more organizations become more concerned with responsible AI adoption and use adversarial testing methods, like AI red teaming, to identify safety and security challenges in GenAI.
Ravi Srivatsav, CEO, DataKrypto
Non-compliance with regulations, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), risks severe penalties. And industries like healthcare face persistent targeting due to their outdated systems and high-value data. To mitigate risks, businesses will invest in modern, privacy-enhancing technologies (PETs), such as trusted execution environments (TEEs) and fully homomorphic encryption (FHE).
Mark Wojtasiak, VP of Research and Strategy, Vectra AI
In the coming year, we’ll see the initial excitement that surrounded AI’s potential in cybersecurity start to give way due to a growing sense of disillusionment among security leaders. Vendors will need to demonstrate tangible outcomes, such as reduced time to detect threats, improved signal accuracy, or measurable reductions around time spent chasing alerts and managing tools.
Frank Balonis, CISO, Kiteworks
By 2025, 75% of the global population will be protected under privacy laws, including U.S. state privacy laws, the EU’s governance of ethical AI deployment, and updated regulations in India and Japan. Similarly, software bills of materials (SBOMs) underscore the need for better accountability in third-party software. Fostering cross-department collaboration between compliance, IT and legal teams can help organizations stay ahead — and maintain stakeholders’ trust.
Howard Taylor, CISO, Radware
The EU’s AI First regulation aims to protect individuals from AI-based profiling and decision-making. However, compliance officers must also address emerging risks from Generative AI, like unintentional copyright violations from copied protected content. With regulators unlikely to act soon, the risk management community must proactively define issues and establish rules to address these challenges.
Vishal Gupta, CEO, Seclore
In 2025, cyber regulations will shift focus from privacy to geopolitics. Following decades of security control mandates and privacy rights protections, new laws will prioritize national interests amid rising geopolitical tensions. Policies like the CHIPS Act and stricter ITAR/EAR rules reflect a “country over collaboration” mindset, with regulations aiming to shield supply chains and counter perceived adversaries, reshaping the global cybersecurity landscape.
Marielle Ehrmann, Chief Security Compliance & Risk Officer, SAP
The convergence of AI and cloud computing is reshaping the regulatory landscape. Key measures like the EU Cybersecurity Act, US software transparency rules, and AI-focused laws (e.g., EU AI Act) demand proactive adaptation. The SEC Cybersecurity Disclosure Rule highlights transparency in governance. To stay compliant, organizations should centralize compliance management, automate monitoring, conduct regular audits, and enforce AI governance to align with evolving global standards.
Wade Barisoff, Director of Product – Data Protection, Fortra
In 2025, new global regulations like the EU AI Act, GDPR updates, Malaysia’s privacy laws, and U.S. state privacy laws are reshaping compliance. Smaller businesses must now adhere to strict standards, focusing on tools and processes to protect data and partners. Failure risks fines or supplier bans. These rules, targeting first-party suppliers, will likely expand as attackers exploit vulnerabilities, driving evolving compliance requirements.
Jose Seara, CEO, DeNexus
Recent regulatory updates highlight a shift toward robust cyber risk governance, requiring organizations to adapt. The NIST Cybersecurity Framework 2.0 emphasizes governance, while the SEC mandates cyber risk reporting and incident disclosures. CISA updated its “Secure by Design” guidance, and the EU’s Cyber Resilience Act and NIS2 added new requirements. Proactive collaboration and cyber risk quantification are key to ensuring operational resilience and security.
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer, AvePoint
Thoughtful regulation can drive innovation by creating guardrails that foster trust and safety while maintaining flexibility. The EU’s AI Act exemplifies this balance, potentially inspiring global standards. New EU cybersecurity regulations, akin to GDPR’s transformative impact, will reshape defense-in-depth strategies. Heightened focus on third-party risk, spurred by incidents like CrowdStrike, underscores the urgency of supply chain transparency, SBOMs, and proactive vendor risk management to avoid costly vulnerabilities.
Alex Hoff, Chief Strategy Officer, Auvik Networks
As technology evolves, regulations struggle to keep pace, especially around AI and data privacy. National and international organizations must navigate compliance complexities from differing state, federal, and global requirements. Adhering to frameworks like NIST or CIS can help, but compliance alone doesn’t guarantee security. Overemphasizing compliance risks diverting resources from advanced security challenges. Success lies in balancing regulatory demands with proactive security innovation.
Dale Hoak, Director of Information Security, RegScale
By 2025, AI-driven compliance tools will dominate as regulatory demands grow, replacing manual GRC processes. Organizations will automate real-time checks, audits, and risk monitoring, fueled by stricter frameworks like GDPR and FedRAMP. Privacy law convergence will ease global commerce by standardizing rules, urging businesses to adopt agile GRC systems. Supply chain cybersecurity certifications will rise, driving demand for platforms offering vendor risk assessment, monitoring, and reporting.
Bruno Kurtic, CEO, Bedrock Security
By 2025, rising AI regulations and security risks will push organizations to prioritize data visibility, classification, and governance. Creating a data bill of materials (DBOM) for AI datasets will become standard, detailing data origin, lineage, and sensitivity to ensure responsible AI training. Scalable solutions and strict entitlements will enhance access control, advancing data governance and reducing exposure risks as data volumes grow.
Jeff Krull, cybersecurity practice leader, Baker Tilly
In 2025, stronger regulations like GDPR and CCPA, along with advancements in security technology, will enhance consumer device protection. Tech companies are adopting “cybersecurity by design,” embedding encryption, biometrics, and multi-factor authentication into products. Government initiatives and awareness campaigns will educate users on phishing and malware threats. Despite progress, the human element remains a challenge, underscoring the need for ongoing digital literacy to complement these evolving protections.
Dylan Owen, CISO, Nightwing
In 2025, cyber regulations will impact key sectors like Defense, Healthcare, Finance, and Energy. The Cybersecurity Maturity Model Certification (CMMC) rollout will require Defense contractors to upgrade systems, incurring costs. AI/ML regulations will address ethical concerns like bias and transparency, while federal and state efforts push for unified privacy laws. Critical Infrastructure reporting rules from CISA and TSA could also reshape compliance, highlighting cybersecurity’s bipartisan importance.
Rahul Kannan, President, COO & Head of GTM, Securin
The recent CrowdStrike outage underscored the impact of flaws in development, demonstrating that secure coding practices are crucial to preventing disruptions. As breaches continue to escalate in frequency and cost, the demand for cyber insurance and heightened regulatory compliance will rise, pushing companies to not only protect their data but to prove adherence to evolving security standards.
Nick Mistry, SVP, CISO, Lineaje
Most companies work with 11 third parties — 98% of which have experienced a breach. Amazon’s third-party property management vendor came out as the latest victim in the MOVEit Transfer incident . . . . businesses need to proactively detect and address risks in the software supply chain and use solutions that provide frequent security audits, assessments, and ongoing third-party software monitoring.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.