BCG

PRINCIPALINVESTORSANDPRIVATEEQUITY

AICreatesNewCyberRisks.ItCanHelp

ResolveThem,Too

ByBradenHolstege,

ClarkO’Niell

,

ColinTroha

,

VanessaLyon

,

AlexAsen

,YixingSu,SeanMitchell,Shai-LiRon,andHelenRhee

ARTICLEJULY30,20258MINREAD

AI

hasledtoawiderangeofnewapplicationsandsolutionstotransformbusinesses,butforchiefinformationsecurityo?cers(CISOs)andtheorganizationstheyprotect,italsocreatesnew

vulnerabilities.Infact,AI-poweredattacksarenowthemainissuekeepingCISOsupatnight.Asaresult,companiesareadjustingtheircyberbudgets—andinmanycasesincorporatingAI-enabledsolutionstokeeptheirorganizations,customers,anddatasafe.

?2025BostonConsultingGroup1

?2025BostonConsultingGroup2

BCGandGLCrecentlysurveyedCISOstounderstandtheirconcernsandprioritiesinanever-changingcyberrisklandscape.(See“AbouttheSurvey.”)TheresultsshowthatAI-poweredcyberattackshaverisentobecomethetopconcern,upfrom?hplacelastyearandcitedby80%ofCISOsinthesurvey.(SeeExhibit1.)Persistentconcernslikecloudrisk,third-partysecurity,andendpointprotectioncontinuetoholdsteady.

AbouttheSurvey

Toconductthesurvey,BCG’s

CenterforLeadershipinCyberStrategy

—alongwiththe?rm’sPrincipalInvestorsandPrivateEquityandTelecommunications,Media,andTechnologypractices—recentlypartneredwithGLG,aresearch?rmthat

primarilyservesthe?nancialindustry.Thesurveydrewresponsesfrommorethan300CISOsacrossgeographicmarkets,companysizes,andindustries.Wealso

segmentedrespondentsbasedontheircybermaturitytoidentifyhowleadingorganizationssetthemselvesapart.(Thisfollowssimilaranalysesin

2024

and

2023

.)

?2025BostonConsultingGroup3

Otherkey?ndingsinclude:

.ToprepareforAI-poweredattacksandevolvingcyberthreats,CISOsexpecttocontinue

increasingspendacrosscybercategories,especiallyinthreatintelligenceandapplicationsecurity.Overall,budgetswilllikelygrowbyabout10%thisyear,inlinewiththeincreaseinpreviousyears.

.CISOsareshowingstrongerinterestinadoptingnewcyberfeaturesfromexistingvendorsinsteadofnewvendors.

Our?ndingshaveclearimplicationsforallstakeholders.CISOs,C-suites,andboardsneedto

remainvigilantagainstthegrowingrangeofcyberthreats.Cybersecurityvendorsneedto

continuallyre?neandupdatetheiro?erings.Andinvestorsneedtoensurethatthecybersecuritycompaniesintheirportfoliocontinuetodevelopproductfeaturesandcapabilitiestoaddressthechangingcyberthreatlandscape.

TheRapidRiseofAI-EnabledThreats

Inourresultsfor2025,AI-poweredattackshavebecomethetopCISOconcern,withasharp19-

pointincreaseoverlastyear.Thatre?ectstherapidevolutionofAIoverall,creatingmorecomplexandunpredictablerisksthatmanycompaniesarestillstrugglingtounderstand.

Within

GenAI,

thebiggestconcernamongCISOsarethreatsthatexploitsocialengineering,citedby62%ofrespondentsasamajorconcernorcriticalthreat.Organizationshaveseenasurgein

automated,Gen-AIpoweredattacks,whichareincreasinglyeasyforattackerstoexecuteandcanbeextremelye?ectiveatdeceivingemployees,partners,orcustomers.Asonerespondentputit,

“We’veseenpersonalizedattacks,atspeedandatscale,targetingbothemployeesandcustomers.WeknowtheonlywaythiscanbedoneiswithGenAItools.”

CISOsarealsohighlyconcernedaboutAI-enabledfraudschemes,leakageofsensitivedataduringtheuseofGenAItools,andAI-assistedexploitationofknownvulnerabilities—allcitedbymore

thanhalftheCISOsinoursurvey.(SeeExhibit2.)

?2025BostonConsultingGroup4

CompaniesaretakingactiontomeettheAIthreat,butsomearestrugglingtokeeppace.

Speci?cally,CISOspointtoincreasinginvestmentsincyberawarenesstrainingandthreatintelligenceasthetoptwomeasuresagainstGenAIthreats.

BolsteringexistingcybertoolswithnewGenAIcapabilitiesisalsoatoppriority.MostorganizationsplantoadoptGenAI-drivencyberfeaturesfromexistingvendors(insteadofstartups),withhalf

expectingtoincreasetheirbudgettoadoptGenAI-cyberfeaturesandtheotherhalfexpectingtoadoptGenAIfeatureswithinthecurrentbudget.

Ontheotherhand,eventhemostcyber-matureorganizationsinoursamplearelaggingon

protectingtheirGenAIbusinesssystemsfromattack,withonly30%havingimplementedorpilotedcybersolutionsspeci?callytoprotectGenAI-relatedsystems.

ContinuedChangesinProductandVendorPriorities

Lookingatshisinproductsandvendors,threatintelligenceandapplicationsecurityproductshavebecomeincreasinglyubiqitousoverthepasttwoyears.Inbothcategories,citedadoptionrateshaverisenfromarangeof50%to60%in2023tonearly80%in2025.

?2025BostonConsultingGroup5

Areaslikezero-trustnetworkaccess,datasecurity,identityandaccessmanagement,andthreatintelligenceallshowprojectedspendincreasesof10%ormore.Regardingthreatintelligence,forexample,asorganizationsfacecontinueduncertaintyfromunknownthreats(especiallyfrom

GenAI),theyarelookingtogetasmuchintelaspossibleonwhatmightbecomingtheirwayandhowtoproactivelydefendthemselves.

Incontrast,CISOsexpecttospendlessonbaselineservicessuchasgovernance,risk,and

compliance,mobilethreatdefense,andbackupandrecovery—manyofwhicharebundledintobroadero?erings.(SeeExhibit3.)

Similarly,theconsolidationamongvendorsnotedinpreviousyearscontinuesthisyear.Acrossmostcyberproductcategories,farmoreCISOsexpecttoconsolidatethanexpandvendors.

Comparedtothesurveyresultslastyear,applicationsecurity,datasecurity,anduni?edendpoint

managementarethethreeproductcategorieswhereCISOsexpressedsigni?cantlyhigherinterestinconsolidation,potentiallydrivenbyvendors’platformstrategy.(SeeExhibit4.)

?2025BostonConsultingGroup6

Spendprioritiesareoneareawherethecybermaturitygapisnoteworthy.Advancedorganizationsinoursampletendtobemoreforward-lookinginhowtheyidentifyrisksandprioritizeinvestments.Speci?cally,theyarefocusedonriskssuchasAIthreatsandevolvingprivacydemands,alignedwithpotentialfuturethreatsandtheevolvingregulatorylandscape.Incontrast,less-mature

organizationslagonfoundationalinfrastructuresecurityandundervalueareassuchasmulti-cloudanddatacentermigration.(SeeExhibit5.)

?2025BostonConsultingGroup7

GrowingCyberBudgets

Inarecent

BCGsurveyofITbuyers,

aboutone-fourth(28%)expectanoveralldecreaseinIT

budgets,primarilyduetotari?-relatedcostpressures.YetCISOsseecyberbudgetsasrelativelyinsulatedfromreduction.CISOsexpectcyberspendtoincreaseby9%inthenext12months,

slightlylowerthanCISOs’expectationslastyear(11%).(SeeExhibit6.)What’smore,nearly80%expect

tari?s

tohavenochangeoronlyaslightshiincybersecuritybudgets.

?2025BostonConsultingGroup8

ThereareseveralpotentialexplanationsforwhyCISOsexpectcyberbudgetstoholdup.Oneis

thatcutscouldstillbecomingbutCISOssimplydon’tknowaboutthemyet.Anotheristhat

companiesaretakinga“waitandsee”approachtocostreductionsoverall,especiallygiventhe

uncertaintyaroundtari?sinthe?rsthalfof2025.Yetanotheristhatcompaniesseethecritical

valueofcybersecurityandarecontinuingtoincreasetheirinvestmentasthethreatenvironmentescalates.

TheBottomLineforStakeholders

Our?ndingshaveclearimplicationsforallstakeholdersin

cybersecurity

,fromC-suitesandCISOstovendorsandinvestors.

PrioritiesforCISOs,C-Suites,andBoards.Organizations,fromtheboardtotheCISO,should

increasinglyfocusoncybersecurityoutcomes.Giventheevolvinglandscapeofcyberthreats,

companiescannota?ordtorelax.ThatisparticularlytrueforAI-empoweredattacks,which

increasinglyrelyonsocialengineeringandfraudandareextremelycheaptoproduceconvincinglyandatmassivevolume.Althoughcostisafactorinassessingvendors,CISOsshouldfocusmoreoncybersecurityreturnoninvestment(ROI)thanpricealone—andremainabreastofconsolidationandotherdevelopmentsinthevendorlandscape.

PrioritiesforCybersecurityVendors.Forcybersecurityvendors,our?ndingsunderscorethe

importanceofcontinuallyrevisingandupgradingtheirproductcapabilities,especiallyregarding

GenAI-drivenfeatures.Whiletherearestillnichesforpointsolutionstosucceed,enterprise

customersshowaclearpreferenceforvendorconsolidationandacquiringnewcapabilitiesthroughadd-onmodulesandbundleso?eredthroughcurrentproviders.Accordingly,vendorsshouldaimto

?2025BostonConsultingGroup9

growthroughupsellingandcross-sellingtoexistingcustomersorattractingnewcustomersonthestrengthoftheiroverallplatform.

Inaddition,cybervendorsshouldcontinuetoemphasizethereliabilityandresilienceoftheir

solutions,bothwithintheirR&Dandproductdevelopmentlifecycleandasadi?erentiatingfeatureintheirgo-to-marketstrategy.

PrioritiesforInvestors.Forprivateequity?rmsthatcurrentlybackcybersecurityproviders—orseekto—ourdatashowsthefundamentalresilienceofthesector.Economicandgeopolitical

uncertaintyispushingcompaniestoscalebackITinvestments,butcybersecurityremainsa

budgetarypriority.Thatsaid,investorsneedtomakesurethecybercompaniesintheirportfoliocontinuetodelivervalue—throughfactorssuchastheoverallbreadthoffeatures,AI-related

innovation,andabedrockabilitytoprotectcompaniesfromevolvingcyberthreats—ratherthantryingtocompeteoncosts.InvestorsalsoneedtoworkwiththeirportfoliocompaniesonhowtobuildamarketingmessagearoundROItocustomers,todriveadoption.

Thegrowingscopeandcapabilitiesofbadactorsmeanthatallstakeholders—CISOs,boards,

vendors,andinvestors—cannotrest.AI,includingGenAI,isfuelinganeweraofcyberthreats,butotherdevelopmentsanddisruptionsarecoming.Our?ndingsshowthedegreetowhich

cybersecurityvendorsaremeetingthesechallenges—andthestepsthatCISOsaretakingtokeeptheircompaniesandcustomerssafe.

?2025BostonConsultingGroup10

Authors

?2025BostonConsultingGroup