5 Pillars for Security Program Growth in 2025

The cybersecurity landscape has evolved dramatically, and the data tells a compelling story. With global breach costs averaging $4.44 million and ransomware attacks becoming increasingly sophisticated, organizations face unprecedented challenges. Yet, amid this complexity, five fundamental pillars emerge as critical for building resilient security programs. Let's explore the wisdom that separates reactive organizations from proactive defenders.

1. Observability is a Must: See Everything, Miss Nothing

The Challenge: Modern attacks move fast… really fast. According to the 2025 Data Breach Investigations Report (DBIR), organizations achieved a mean time to identify and contain breaches of just 241 days in 2025, the lowest in nine years. However, this improvement masks a critical reality: 50% of breaches were identified by internal security teams, while 19% were disclosed by attackers themselves.

The Wisdom: Layered observability isn't optional; it's foundational. EDR alone is insufficient when adversaries are increasingly sophisticated. Organizations leveraging SIEM and AI automation extensively in their security operations shortened breach times by 80 days and lowered average breach costs by $1.9 million compared to those without these capabilities.

Key Insights

  • The extortion evolution: Data theft has become weaponized even before ransomware deployment. In 2025, 28% of organizations that had data encrypted also experienced data exfiltration, creating dual leverage points for attackers.
  • Detection matters: Breaches identified by security teams cost an average of $4.18 million, compared to $5.08 million when disclosed by attackers.
  • Speed is everything: Organizations with detection and response capabilities recovered faster, with 53% fully recovered within a week, up from 35% in 2024.

Action Items

  • Deploy SIEM solutions for centralized log aggregation and correlation across your entire environment.
  • Consider Managed Extended Detection and Response (MXDR) services to augment internal teams with 24/7 threat hunting and response capabilities.
  • Implement AI-powered threat detection to identify anomalies and indicators of compromise in real-time.
  • Focus on reducing mean time to detect (MTTD) and mean time to respond (MTTR) as key performance indicators.

2. Secure the Identity: The Crown Jewel Attackers Crave

The Challenge: Identity has become the new perimeter, and adversaries know it. The 2025 data reveals a troubling picture: 83% of attacks compromised the identity infrastructure, yet only 60% of organizations maintain dedicated Active Directory-specific backup systems, and just 66% include AD recovery procedures in their disaster recovery plans.

The Wisdom: Stolen credentials remain the second most common initial attack vector at 22% of breaches, costing an average of $4.67 million per incident. More concerning, the rise of infostealer malware has created an underground economy where credentials are commoditized at scale.

The Identity Crisis in Numbers

  • Infostealer impact: 30% of compromised systems identified in infostealer logs were enterprise-licensed devices, and 46% of systems with corporate logins were non-managed devices.
  • MFA isn't enough: Attackers are bypassing MFA through prompt bombing, adversary-in-the-middle (AiTM) attacks, and token theft, with 4% of breaches involving MFA bypass techniques.
  • Hybrid complexity: Organizations face identity challenges across Active Directory, Entra ID, and SaaS applications like Okta, creating multiple attack surfaces.

The Phishing Problem Persists: For the third consecutive year, phishing emerged as the top initial attack vector in 2025, accounting for 16% of breaches with an average cost of $4.8 million. But the threat has evolved: 16% of breaches now involve attackers using AI for enhanced phishing campaigns and deepfake attacks.

Action Items

  • Implement phishing-resistant authentication methods like passkeys and hardware tokens.
  • Deploy Identity Threat Detection and Response (ITDR) solutions with continuous monitoring and automated response via SOAR.
  • Establish dedicated backup systems for identity infrastructure with regular restoration testing.
  • Monitor for credential exposure in paste sites, dark web forums, and infostealer logs.
  • Apply least privilege principles rigorously across all identity platforms.
  • Implement conditional access policies that consider device trust, location, and behavioral analytics.

3. It's Not Me, It's You: The Supply Chain Reality Check

The Challenge: Third-party involvement in breaches doubled from 15% to 30% year-over-year, making supply chain compromise the second most expensive attack vector at $4.91 million per incident. These attacks also took the longest to resolve at 267 days, a full week longer than any other attack type.

The Wisdom: Your security posture is only as strong as your weakest vendor. The 2025 DBIR highlights that 30% of security incidents involving AI occurred through supply chain compromise, including compromised apps, APIs, and plug-ins.

The Third-Party Threat Landscape

  • Vendor vulnerabilities cascade: Software vulnerabilities from third parties accounted for 20% of breaches involving exploitation, with edge devices and VPNs representing 22% of exploited vulnerabilities.
  • The Snowflake effect: Notable breaches demonstrated how a single vendor compromise can cascade to 165+ organizations, with 54% of ransomware victims having their domains appear in credential dumps.
  • Supply chain attack speed: These breaches took 267 days to identify and contain—the longest of any attack vector.

Action Items

  • Conduct thorough security assessments of all vendors with access to your systems or data.
  • Require third parties to meet the same security standards as your organization, including MFA enforcement and security audit participation.
  • Implement network segmentation to limit lateral movement if a vendor connection is compromised.
  • Establish vendor risk management programs that include continuous monitoring and regular reassessments.
  • Include supply chain security requirements in procurement contracts and SLAs.
  • Prepare incident response procedures specifically for third-party compromises.

4. Environment Hardening and Patching: The Unglamorous Foundation

The Challenge: For the third consecutive year, exploited vulnerabilities topped the list of initial attack vectors, accounting for 32% of ransomware incidents and 20% of all breaches. The median time organizations took to fully remediate edge device vulnerabilities was 32 days, yet for the 17 critical vulnerabilities tracked, the median time from CVE publication to CISA KEV listing was zero days.

The Wisdom: You're racing against weaponization, and the attackers are winning the sprint. Edge devices and VPNs saw an eight-fold increase as exploitation targets, growing from 3% to 22% of vulnerability-based attacks. This is shown in recent targeted attacks on SonicWall, Fortinet, Cisco, Palo Alto, and even F5 network security solutions.

The Patching Predicament

  • The remediation gap: Only 54% of organizations fully remediated edge device vulnerabilities throughout the year, leaving nearly half exposed.
  • Zero-day reality: Nine of 17 critical vulnerabilities were added to the CISA KEV catalog on or before their CVE publication date, giving defenders no head start.
  • Configuration failures: Cloud misconfiguration wasn't even a categorized threat a decade ago; today it's a prime target, with breaches involving multiple environments costing $5.05 million.

The Active Directory Attack Surface: Identity infrastructure hardening extends beyond patching. With 97% of AI-related breaches occurring at organizations that lacked proper access controls and 83% of attacks compromising identity systems, your Active Directory and cloud identity platforms require particular attention.

Action Items

  • Prioritize patching for internet-facing systems, especially edge devices, VPNs, and firewalls.
  • Implement vulnerability management programs that track time-to-patch metrics and risk-based prioritization.
  • Harden system configurations using CIS Benchmarks and vendor security baselines.
  • Regularly audit privileged account provisioning and disable dormant accounts.
  • Segment networks to contain potential breaches and limit lateral movement.
  • Implement application allowlisting and service hardening to reduce attack surface.
  • Use automated patch management solutions for rapid deployment of critical updates.
  • Establish isolated recovery environments that attackers cannot reach.
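As an added example (not code from the original article or from Todyl), the following Python prioritizer turns the metrics this section cites into a patch queue: the head start between CVE publication and CISA KEV listing, the number of days a finding has been exposed, and internet-facing edge devices first. The findings, asset names, dates and the sentinel for CVEs that never reach the KEV catalog are constructed assumptions.

```python
# Added example, not code from the original article or from Todyl: scores a
# constructed set of findings by the metrics the article cites (CVE-to-KEV head
# start, time to remediate, internet exposure) to decide what to patch first.
from datetime import date
from statistics import median

def finding(asset, internet_facing, published, kev_added, remediated):
    """One vulnerability finding; dates are datetime.date or None."""
    return dict(asset=asset, internet_facing=internet_facing,
                published=published, kev_added=kev_added, remediated=remediated)

# Constructed sample data (asset names and dates are invented, not real incidents).
D = date
TODAY = D(2025, 4, 30)
FINDINGS = [
    finding("vpn-gw-1", True, D(2025, 1, 10), D(2025, 1, 10), D(2025, 2, 11)),
    finding("fw-edge-2", True, D(2025, 2, 1), D(2025, 2, 1), None),
    finding("hr-app-db", False, D(2025, 2, 15), None, D(2025, 3, 17)),
    finding("mail-gw", True, D(2025, 3, 1), D(2025, 3, 15), D(2025, 4, 2)),
    finding("file-srv", False, D(2025, 3, 5), None, None),
]

def head_start_days(f):
    """Days between CVE publication and CISA KEV listing; None if never listed."""
    return None if f["kev_added"] is None else (f["kev_added"] - f["published"]).days

def exposure_days(f, today):
    """Days from publication until remediation, or until today if still open."""
    return ((f["remediated"] or today) - f["published"]).days

def priority_key(f, today):
    """KEV-listed first, then internet-facing, then least head start, then longest exposed."""
    in_kev = f["kev_added"] is not None
    head = head_start_days(f) if in_kev else 10**6  # sentinel: no KEV listing
    return (not in_kev, not f["internet_facing"], head, -exposure_days(f, today))

def patch_order(findings, today, open_only=True):
    """Asset names in the order they should be patched."""
    pool = [f for f in findings if not (open_only and f["remediated"])]
    return [f["asset"] for f in sorted(pool, key=lambda f: priority_key(f, today))]

def program_metrics(findings, today):
    """Program-level KPIs: median KEV head start, median exposure, share remediated."""
    heads = [h for h in map(head_start_days, findings) if h is not None]
    return {
        "median_kev_head_start_days": median(heads),
        "median_exposure_days": median(exposure_days(f, today) for f in findings),
        "remediated_share": sum(1 for f in findings if f["remediated"]) / len(findings),
    }
```

On the constructed data the median KEV head start is zero days and the median exposure is 32 days, mirroring the figures quoted above; the open KEV-listed edge firewall sorts to the top of the queue.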

5. Governance and Policy: The Quietest Line of Defense

The Challenge: Shadow AI now affects 20% of breached organizations, adding an average of $670,000 to breach costs. More broadly, 63% of breached organizations either lack AI governance policies or are still developing them. This represents a new frontier in governance gaps that attackers are actively exploiting.

The Wisdom: What you can't see, you can't secure. The rise of shadow IT, now turbocharged by shadow AI, demonstrates that governance isn't about restricting innovation; it's about enabling it safely. Organizations with high levels of shadow AI experienced breach costs of $4.74 million compared to $4.07 million for those with low levels or none.

The Governance Gap

  • AI adoption outpacing oversight: 97% of organizations that experienced an AI-related security breach lacked proper AI access controls.
  • The policy vacuum: Among organizations with governance policies, only 34% perform regular audits for unsanctioned AI, and 61% lack AI governance technologies.
  • Inventory ignorance: Security gaps that organizations were unaware of contributed to 40.1% of successful attacks.

Post-Breach Reality Check: Investment in security following breaches dropped significantly, with only 49% of organizations planning increased security spending in 2025 compared to 63% in 2024. This suggests either budget fatigue or a dangerous complacency.

Action Items

  • Implement automated discovery tools for hardware, software, and now AI systems.
  • Create clear frameworks for AI usage, third-party integrations, and data access that balance security with business enablement.
  • Conduct regular tabletop exercises: 31% of IT/cybersecurity teams experienced staff absence due to stress after ransomware attacks, so practice incident response to build muscle memory and reduce panic.
  • Use technologies like SOAR (Security Orchestration, Automation, and Response) to automate policy enforcement at scale without overwhelming your team.
  • Review security policies on a quarterly basis to ensure they remain relevant as threats evolve.
  • Document procedures, create runbooks, and automate repetitive tasks to help lean teams manage expanding attack surfaces.

The Human Element: Don't overlook the human cost. The 2025 Ransomware Risk Report revealed that 41% of IT/cybersecurity teams reported increased anxiety about future attacks, and 25% saw their leadership replaced following an incident. Good governance includes succession planning and mental health support for security teams.

The Bottom Line: Integration is Everything

These five pillars don't exist in isolation—they form an interconnected security ecosystem. Observability without identity security leaves blind spots. Supply chain diligence without environment hardening creates internal vulnerabilities. And governance without the other four pillars is just paperwork.

The Data Speaks

  • Organizations using AI and automation extensively saved $1.9 million on average breach costs.
  • Breaches identified by internal teams cost $900,000 less than those disclosed by attackers.
  • Organizations with dedicated identity backup systems and recovery procedures recovered significantly faster.
  • Proper vendor management prevented the cascading failures that characterized major 2024-2025 breaches.

Where to Start

  1. Quick wins: Implement MFA across all systems, establish a vulnerability management program, and create an asset inventory.
  2. Medium-term investments: Deploy SIEM and MXDR capabilities, conduct vendor security assessments, and develop AI governance frameworks.
  3. Long-term transformation: Build security automation capabilities, establish continuous identity monitoring, and create a culture of security awareness.

The organizations that thrive in 2025 and beyond won't be those with the largest security budgets—they'll be those that strategically implement these five pillars with discipline and consistency. As former CISA Director Jen Easterly noted, the goal is to make ransomware "as infrequent as plane collisions."

We may not be there yet, but with observability, identity security, supply chain vigilance, environment hardening, and strong governance, we're building the foundation to get there. The question isn't whether you can afford to invest in these pillars—it's whether you can afford not to.

The insights in this article are drawn from the 2025 Data Breach Investigations Report (Verizon), IBM's 2025 Cost of a Data Breach Report, Semperis' 2025 Ransomware Risk Report, and Sophos' State of Ransomware 2025 Report.
