When it comes to cybersecurity, it’s easy to get swept up in a sea of marketing noise and competition. But it’s absolutely critical to remember that security practitioners, IT teams, developers, and even competing vendors are all on the same side and should be working together to help keep our data safe.
“One thing that I can never overstate is the importance of knowledge sharing in this industry,” says Rohit Dhamankar, VP of Product Strategy at Fortra. “It’s a must to defend against the new threats and risks that we face collectively.”
To that end, Fortra recently released their 2025 State of Cybersecurity Survey, which collects insights from cybersecurity practitioners globally, so security teams can use that information to inform their own security efforts.
In an exclusive interview with Expert Insights, Dhamankar dives deep into the key findings of this report, including a major shift in perceived risks, an uptick in PenTest outsourcing, and the ongoing battle between security needs and budget constraints.
You can listen to our full conversation on the Expert Insights Podcast.
Zero-Day? Zero Worries!
This year has seen a dramatic shift in the risks that security practitioners are most concerned about. The first big change is that zero-day attacks are no longer one of the top concerns. However, this doesn’t mean that zero-day attacks are gone, says Dhamankar. Rather, we’re just getting used to dealing with them.
“Because we’ve dealt with zero days for a long time—kudos to the industry overall—we are at a stage when […] we have well-defined playbooks, we have well-defined procedures, and we have really matured in handling a zero day.”
So, while dealing with zero-days has become part of the daily routine for security teams, other risks are pushing to the forefront of their minds—including emerging technology threats, like GenAI.
Growing Concerns About GenAI
When it comes to GenAI, security teams have two main concerns, says Dhamankar. First is the unregulated, ungoverned, and unsecured use of AI tools in the workplace.
“As every business is wanting to claim to use AI, the cyber folks are the ones who are worried about […] leaking sensitive data out of the company to these tools, and compliance violations,” he explains.
At the same time, security teams are becoming increasingly mindful of the fact that, just as organizations can use GenAI to improve productivity and efficiency, so too can threat actors. Across the industry, we’re seeing a rise in the use of AI-generated deepfakes, as well as threat actors using AI to improve tried-and-tested techniques such as phishing. With AI, threat actors can crawl their targets’ social media accounts for information that they can use to personalize their messages, as well as using GenAI tools to craft the messages themselves—both of which can make phishing attacks more difficult to spot.
The Need For New Initiatives…
The concern that security practitioners feel about these risks is helping shape their cybersecurity initiatives for this year, with top priorities including closing security gaps and improving security awareness.
Closing security gaps has always been a priority, says Dhamankar, because while security teams don’t know exactly when an attack will occur, they can take steps to reduce their attack surface in preparation for it. And as GenAI helps attackers reduce the time it takes them to carry out a successful breach, security teams are renewing their focus on identifying and closing potential entry points quickly and effectively.
The focus on minimizing human risk could also be due to concern about emerging technologies, as organizations strive to educate their end users on the risks associated with new tools they’re adopting. For example, businesses embracing the use of GenAI tools in the workplace may want to educate their users on the risk of leaking sensitive data to the LLM.
While security teams increase their efforts in these areas, other initiatives are moving out of focus. Securing data in the cloud is no longer a top initiative, having dropped from 63% in 2024 to 54% this year. As with zero-day attacks, this is likely because cloud security is becoming “part of the fold” for many practitioners, says Dhamankar.
“90% of people have some presence in the cloud today,” he explains. “Even if they don’t have that infrastructure in the cloud, if they are using SaaS apps like Salesforce or Office 365, their data is still in the cloud […] And as a result, it has also become an integral part of the common practices that we do for security, all the way from visibility to managed detection and response.”
…And The Challenges With Implementing Them
With any new initiative, you’re going to come across challenges with implementation. And in cybersecurity, budgets are consistently the biggest blocker, with more than half of security practitioners saying that funding constraints are their top challenge.
But there are ways to reduce that strain, says Dhamankar. It starts with going back to the basics.
“The NIST cybersecurity framework is a good one to see, from a data security perspective, what maturity an organization has in terms of assessing, preventing, responding, and detecting threats,” he says.
“So, I would suggest doing a ‘risk model’ on where you are in those stages of the NIST framework—where you are strongest, where you are weakest, where would you improve the most with additional tooling and staffing.
“Then you can look at what’s occupying your budget in all of these areas, and see where you have not been effectively using tools or processes and where it’s probably time to either replace them or consolidate them.”
Another top challenge is lack of staff, which could also go some way to explaining why the survey reported a huge spike in PenTest outsourcing over the past year. When it comes to high-skill tasks like PenTesting, it can be both difficult and expensive to grow your in-house resource by hiring and training staff. Outsourcing these types of tasks to a Managed Security Services Provider (MSSP) means that organizations can access top-tier security, often 24/7, without having to manage it themselves.
Dhamankar’s final words of advice for security teams executing new strategies this year are to make sure they clearly communicate the need for cybersecurity with their business executives.
“This is a constant challenge that comes up, whether it’s investing in tooling or people for security. You normally see questions asked like, ‘We haven’t been breached for the last few years; why should I increase my spend in cybersecurity?’ Now, typically, the same people will not say, ‘My house was not on fire for the last five years, so let me get rid of the fire hazard insurance on my house.’ So why is that a mindset for cybersecurity? It’s because they don’t relate to the situation in the same fashion.
“It’s not about sitting them down and giving them a cybersecurity training course. It’s learning their language, it’s learning their mindset, how they operate the business, and then making sure that you’re plugging in the cybersecurity elements in a very similar framework so they can relate to it.”
Thank you to Rohit Dhamankar for taking part in this interview.