Every October since 2004, Cybersecurity Awareness Month has united public and private sectors to emphasize the importance of protecting our digital world. This year, the Cybersecurity and Infrastructure Security Agency (CISA) highlights the need to secure critical infrastructure, which includes sectors like energy (power grids, oil and gas), water and wastewater systems, healthcare, food and agriculture, transportation (public transit, logistics), communications, financial services, chemical industry, and others. Today, critical infrastructure extends beyond core systems to include vendors, suppliers, and other supply chain partners, all of whom play a crucial role in maintaining resilient cyber systems and safeguarding the infrastructure we rely on every day.
This is especially important and urgent as the threat landscape shows no signs of slowing down. The 2025 Cost of a Data Breach Report estimates the average global costs of a data breach to be USD 4.44 million. In fact, a growing number of high-profile breaches in the past year have been traced back to third-party providers, making ecosystem risks one of the most pressing challenges for CISOs.
Just last month, a ransomware attack targeted Collins Aerospace, a provider of check-in and boarding systems, leading to widespread disruptions at major European airports, including London Heathrow, Brussels, and Berlin. The attack forced airlines to revert to manual check-in processes, resulting in significant delays and cancellations. In August 2025, Jaguar Land Rover (JLR) experienced a cyberattack that halted production across its three UK factories, affecting approximately 1,000 vehicles daily. The shutdown, which lasted nearly a month, cost the company at least £50 million ($68 million) per week and disrupted the broader automotive supply chain.
In this blog, we explore the biggest cyber risks shaping 2025 and the strategies organizations must adopt to build resilience in the face of escalating threats.
Cybersecurity is no longer just about fixing a few isolated vulnerabilities. The attack surface has rapidly expanded across cloud ecosystems, third-party service providers, the internet of things (IoT), and AI technologies. This makes oversight and accountability far more complex.
Here are some of today’s biggest cyber GRC challenges:
Rapid Adoption of AI
While AI introduces powerful ways to prevent and contain cyber threats, it is also being leveraged by cyber criminals to launch faster and more sophisticated attacks at scale. Nearly 47% of organizations surveyed in the WEF’s Global Cybersecurity Outlook cite adversarial advances powered by generative AI as their primary concern. The fact that AI-driven cyberattacks are uniquely adaptive – i.e., capable of analyzing a system’s security defenses in real time and then finding a way around them – makes them all the more dangerous.
Growing IT and OT Risks
Historically, cyber criminals have targeted IT systems for data. But today, OT systems are also under attack. Fifty-five percent of cybersecurity incidents reported by US companies under SEC Form 8-K in 2024 were direct attacks on OT (Wilson Sonsini). With IT and OT networks converging to improve operational efficiencies, attackers have gained new pathways to amplify the scale and impact of potential breaches. A Telstra International and Omdia report found that 75% of cyberattacks on OT systems in manufacturing started in IT.
Intensifying Geopolitical Conflicts
Geopolitical tensions around the world are compounding cybersecurity risks. Digital spaces have turned into battlegrounds where state-sponsored actors launch cyberattacks to freeze economies, steal sensitive data, and undermine national security. The threat only increases as critical national infrastructure is digitized, leaving many essential services such as power grids and transportation systems vulnerable to cybercrime.
Increasing Dependence on IT Vendors
Organizations increasingly rely on third parties such as software vendors and managed service partners to keep their operations up and running. This means that a single breach in a supplier’s system can have catastrophic consequences – exposing sensitive data, disrupting operations, and inviting costly compliance fines. Verizon found that the percentage of breaches where a third party is involved has doubled from 15% in 2024 to 30% in 2025.
Complex Cyber Standards and Regulations
Cybersecurity-related regulations such as the Digital Operational Resilience Act (DORA), EU AI Act, General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) seek to safeguard data and digital operations. However, the rapid proliferation of such regulations, standards, and frameworks across industries, states, and countries has created a complex and fragmented compliance landscape. Many organizations end up spending more time and resources reconciling regulations than actually improving cyber defenses.
Lack of Real-Time Visibility into Cyber Risks
The modern enterprise is marked by sprawling IT estates, interconnected OT systems, cloud services, and third-party vendors – all of which hamper cyber risk visibility. Many organizations rely on periodic risk assessments, which provide only a point-in-time view of risks. They don’t spot emerging vulnerabilities or adapt to shifting threat landscapes. Risks remain hidden until after a cyber incident occurs, eroding confidence in the organization’s cyber defenses.
Inability to Communicate and Measure Cyber Risk Exposure Easily
Cyber risks are often measured in vague terms such as high/medium/low, where each category is subject to different interpretations. The challenge deepens when multiple risks are lumped into the same category (e.g., ‘medium’). Which risk do you focus on first? Do you spend the same amount of time and resources managing all the risks labeled ‘medium’? It’s difficult to know for sure. Today’s boards and senior leaders want to understand risk exposure in simple, clear terms. That means moving beyond ambiguous ratings and quantifying cyber risk in financial figures.
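The passage above argues that two risks sharing a ‘medium’ label can carry very different financial exposure. The following added example, not part of the original post or of any vendor product, shows one common way to make that visible: each scenario is given an estimated loss-event frequency and a calibrated per-event loss range, and a Monte Carlo simulation turns those into an expected annual loss and a 95th-percentile annual loss. The two scenarios, their frequencies and their loss ranges are constructed illustrative assumptions, and the compound Poisson/lognormal model is a modelling choice, not a method the post prescribes.

```python
"""Quantify 'medium'-rated cyber risks in dollar terms (added example).

Model (an assumption of this example): loss events per year ~ Poisson(lambda),
loss per event ~ Lognormal calibrated so that 90% of events fall between the
analyst's 5th- and 95th-percentile estimates. Annual loss = sum of event losses.
"""
import math
import random
from dataclasses import dataclass

Z_95 = 1.645  # standard-normal z-score for the 95th percentile


@dataclass(frozen=True)
class RiskScenario:
    name: str
    qualitative_rating: str   # the ordinal label the risk register uses today
    events_per_year: float    # mean loss-event frequency (Poisson lambda)
    loss_p05: float           # per-event loss, 5th percentile, USD
    loss_p95: float           # per-event loss, 95th percentile, USD


# Constructed scenarios: both sit in the same 'medium' bucket of a register.
SCENARIOS = (
    RiskScenario("Phishing-led credential theft", "medium", 4.0, 5_000, 50_000),
    RiskScenario("Third-party provider outage", "medium", 0.2, 500_000, 5_000_000),
)


def lognormal_params(p05, p95):
    """Fit lognormal (mu, sigma) so that [p05, p95] is the 5%-95% interval."""
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z_95)
    return mu, sigma


def sample_poisson(rng, lam):
    """Knuth's algorithm: fine for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def analytic_expected_annual_loss(scenario):
    """Closed form: lambda * E[lognormal] = lambda * exp(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(scenario.loss_p05, scenario.loss_p95)
    return scenario.events_per_year * math.exp(mu + sigma ** 2 / 2)


def simulate(scenario, years=20_000, seed=7):
    """Monte Carlo over simulated years; returns summary statistics in USD."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu, sigma = lognormal_params(scenario.loss_p05, scenario.loss_p95)
    annual = []
    for _ in range(years):
        n_events = sample_poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    annual.sort()
    return {
        "expected_annual_loss": sum(annual) / years,
        "p95_annual_loss": annual[int(0.95 * years)],  # 1-in-20 bad year
        "prob_any_loss": sum(1 for x in annual if x > 0) / years,
    }


def rank_by_financial_exposure(scenarios=SCENARIOS):
    """Order scenarios by expected annual loss, highest first."""
    rows = [(s.name, s.qualitative_rating, simulate(s)) for s in scenarios]
    rows.sort(key=lambda r: r[2]["expected_annual_loss"], reverse=True)
    return rows


if __name__ == "__main__":
    for name, rating, m in rank_by_financial_exposure():
        print(f"{name} (rated {rating}): EAL ${m['expected_annual_loss']:,.0f}, "
              f"95th-pct year ${m['p95_annual_loss']:,.0f}, "
              f"P(any loss) {m['prob_any_loss']:.0%}")
```

Running it shows the point the passage makes: the rare provider outage carries roughly five times the expected annual loss of the frequent phishing scenario even though both are ‘medium’, and its 95th-percentile year is in the millions, which is the figure a board can weigh against the cost of a control. The inputs are the hard part in practice; the frequency and loss ranges should come from incident history and calibrated estimates, not be copied from this illustration.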
With persistent and sophisticated threats being the new normal, constant vigilance is more important than ever. Organizations looking to strengthen their defenses should anchor their approach in robust cyber GRC best practices, enhanced by AI-driven insights for proactive resilience:
Conduct Regular Cyber Risk Assessments
Frequent risk assessments based on recognized frameworks like NIST CSF and ISO 27005 help organizations prioritize resources on the threats, vulnerabilities, and risk areas that matter most. AI can accelerate this process by analyzing large volumes of risk data and highlighting areas requiring immediate attention.
Consolidate Cyber Resources
The fewer cybersecurity tools an organization relies on, the more streamlined its cyber GRC efforts become. By unifying cyber risk and security technology stacks on a single platform, organizations gain a consolidated view of network and user activity. AI-powered analytics make risk detection faster and more precise.
Enable Continuous Monitoring
Regulators worldwide are trying to keep pace with the evolving cyber risk landscape by passing new laws and frameworks for improving cyber risk management and security. Data privacy and security are a key focus area, and most regulations aim to ensure comprehensive data protection strategies, covering not only internal operations but also third-party interactions. Many regulations, such as the SEC's cybersecurity rules for public companies and the Digital Operational Resilience Act (DORA) in Europe, require organizations to report incidents and risks more transparently. This is necessitating a shift from decentralized data security measures to a more structured framework, with some organizations even appointing Chief Privacy Officers to ensure compliance.
Manage Third-Party Security Risks Proactively
Vendors and partners with access to critical systems can introduce significant risk. Automated AI-driven monitoring tools track changes in third-party security posture and flag potential incidents early, enabling timely remediation before breaches occur.
Conduct Security Awareness Training
Human error and insider threats remain major contributors to cybersecurity incidents. Regular employee training fosters a culture of cyber awareness, teaching staff to recognize and respond to phishing, social engineering, and other common attacks. AI can personalize training, identifying knowledge gaps and tailoring content to improve readiness across the workforce.
Establish Clear Incident Response Protocols
A well-defined incident response plan ensures rapid, coordinated action when a breach occurs. It clarifies team responsibilities, communication channels, and required steps to contain attacks. AI can support response efforts by predicting likely attack vectors and recommending optimal containment strategies in real time.
Cyber resilience isn’t a one-time project—it’s a continuous journey of vigilance, adaptation, and strategic investment in people, processes, and technology. Prepare today to stay ready for whatever tomorrow’s threat landscape brings.
MetricStream’s AI-first Cyber GRC is a connected, intuitive, and intelligent GRC solution that proactively identifies and assesses IT and cyber risks. Powered by agentic AI, it delivers automated insights that summarize risk exposure across your digital ecosystem. Your cyber program gains strength through continuous control testing, real-time validation, policy enforcement, and robust cloud governance. CISOs can unify cyber risk data from across the enterprise—including third- and fourth-party vendors—and leverage actionable intelligence to make informed, data-driven decisions that drive true cyber resilience.
With Cyber GRC, you can:
See Cyber GRC in action. Request a personalized demo today.