In this episode of Cyber Thoughts, Lucas Nelson and Mike Privette of Return on Security dive into their top cybersecurity predictions for 2025. From AI-driven data loss prevention to the rise of personal cyber insurance and the evolving IPO landscape, they break down key trends shaping the industry in the year ahead.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
PODCAST TRANSCRIPT
Lucas Nelson
Hi, and welcome to Cyber Thoughts, the podcast where we explore the industry of information security through leaders in the field. Today, it's my great pleasure to welcome back Mike Privette of Return on Security. In this episode, Mike and I are going to do some predictions for 2025. Every other podcast seems to be doing that and we're not immune. So here we go. Mike, great to see you.
Mike Privette
Hey, thanks Lucas. Thanks for having me on again.
Lucas Nelson
Our pleasure. So I'm going to kick it off to you for the first prediction of our podcast. What do you have going on in 2025?
Mike Privette
Well, so I think there's a lot that could happen in 2025 based on like the way the year shook out. And so the first one obviously has to be about AI because you can't say one of these prediction episodes without talking about the word AI. But I'm going to be a bit more narrow and I'm going to say, I think that 2025, the prediction is that this is the year that AI helps DLP or data loss prevention technologies become real for the very first time.
People will have a light bulb. Aha. It actually could be working this time.
Lucas Nelson
So I love that because the historical problem with DLP is you have to get all of your users to actually mark their data,
Mike Privette
Yep. Classification. It's, it's a very heavy lift, in terms of like actually getting people to agree on the data classification, terminology and levels. Not, not even to mention like the handling procedures associated with each. But then there's kind of no good way to historically introduce DLP that doesn't just like break somebody's workflow, like break an email, break a transaction. Would just generally be a pain. But I think.
At least I hope for basically some of the startups I've seen in some of the conversations I've had, I think that this is getting smarter and a lot more targeted instead of like a broad rule that captures maybe a social security number and a phone number and like a national insurance number. They can get really detailed around like, what's company secrets versus what's an M&A document versus what's just a personal social from your W2.
So I think, I think this is, I think LLMs will really shine here since it's all text.
Lucas Nelson
So I've got a question. You mentioned startups, but this one feels like, you know, incumbents might have the big advantage to distribution, Microsoft or Google or Salesforce. You know, where do you think startups slot in or do you feel like this is one of the ones where like, no, Microsoft is going to eat everyone's lunch?
Mike Privette
Mm-hmm.
You know, I think it's possible that the big ones like Microsoft will have like a very long head start on many of these things. If you're already using the whole office suite, then you're already very well in that environment. Now you see Microsoft has done really well over the years of just turning on features that didn't exist before. And then it's already there. Doesn't mean it's the best feature. Doesn't mean it's the most baked out or thrown out, but it's available to play around with.
But I think it's going to be similar to other kind of iterations where the big players can turn it on, especially like your CASB or like your SASE kind of vendors who are already kind of intercepting network traffic to and from, you know, endpoints. But then startups are really good at navigating around those for very specific use cases and like typically better applications because they're not weighed down by all the other products and all the other kind of institutional inertia that comes with large companies. So I think we'll see a bit of a distribution curve there, but I think it'll, I think we'll see both the early and the big companies like start enabling this.
Lucas Nelson
Awesome. All right, so I'm going to do my first one.
Mike Privette
Yeah, what do you got?
Lucas Nelson
Well, so as a venture capitalist, I have to say the IPO window is opening. But in this, I'm speaking to kind of the right guy. You have all the data. So I'm going to say we've got a bunch of those zombie corns, right? Those unicorns that were flat that kind of needed to be cleaned up. A lot of that cleanup has happened, right? So we've already seen a good bit of the companies kind of get removed if they're not going to make it. And so we've got high quality companies left with large amounts of revenue.
Mike Privette
Yes.
Mm-hmm.
Lucas Nelson
And so I think this is the year they go out, but I'm going to turn it to you because you've walked this market much more closely than almost anybody.
Mike Privette
Well, I would say, yeah, I would agree with you largely here. Like the IPO market has been, been waiting. You know, we saw last year, we saw the first cyber adjacent company in Rubrik go, go live. And I think to be honest, like that was a very much a nod to like, if I were to pick like a word of the year for 2024, I would say like resilience. Like disaster recovery, resiliency, recovery, all those things, um, Rubrik fit that very well, uh, in that space.
And so you see a lot of disaster recovery and, you know, uh, BCP kind of companies coming out of the woodworks and, and, and doing it very well now. Um, cause it's not a matter of if, but when and how well you recover. Um, but to do that in, like, I think that was a good step in the, you know, the dip in the pool, so to speak, like dipping your toe in, um, there's been a bunch of companies who've been rumored probably like every year since I can remember, like, you know, titanium.
like all these big ones have had all the right signals, like from the outside and from the right kind of rumor mill of like, yes, they have market share. Yes, they have the right level of ARR. Although I will say that the ARR numbers have gone up every year now since the bust or since like the expense management era, I call it since like 2022 has occurred. But I do think, yeah, I think we'll see several.
Lucas Nelson
Okay.
Mike Privette
coming to the pipeline, but I also think, um, many, you know, nobody likes to be first in these unless they lesser, kind of a really sure shot. Um, so I think, I think we'll see not a flood, but I think we'll see between 2025 and 2026. I think we'll see like a pretty much healthy rate.
And I was actually doing some analysis on, you know, just how many companies per year used to IPO and cyber back in all the way back from like 20, yeah, 1999 up to like to current date.
And it's been about two to three companies, cyber companies a year. That's just the, like the pure play cyber companies. It wasn't every year, you know, 2018, 2019, 2020 had much, had more than, than two or three a year. Uh, and then it was very silent, you know, for 2022, 2023, uh, well then 2024, you know, Rubrik came up. Um, but that, and that's kind of a parallel to the broader tech industry as well. Uh, so I think once that flood gate, the tech flood gate opens a bit more. I think we'll.
We'll see cyber follow kind of soon.
Lucas Nelson
Cool. Just for our identification, what's the growth rate and what's kind of the level of revenue you need to go public? And I know it's a scale, right? The faster growing, the less revenue you need, so on and so forth. What does that kind of look like today?
Mike Privette
Yeah, well, I'll say like what it, what it used to look like was like, basically once, once a company hits a hundred million ARR, that was the magic signal for the markets. Like start shopping your banker to go IPO effectively. Like if that was in the play and the goal was to go from there, like that's when you effectively got your house in order, so to speak. That is now like nowhere near enough. And honestly, many of these private companies are well past that. Some of the ones we talked about and.
So I think people are really looking closer to that 300 to 500 mil ARR, which is kind of mind boggling when you, when you think about it. Um, and whoever, yeah, yeah. And honestly, whoever comes out first, like it's going to set a, different benchmark for some of the other ones. Um, especially like if it's a pure, uh, play cyber and not one that's like, you know, one part IT, one part security kind of company like Rubrik is. Um, but that's yeah, that's typically the growth.
Lucas Nelson
Installation is a real thing.
Mike Privette
And I'm hearing even higher numbers than that from other conversations too. Like they really would rather you have five to six. if, you, if you can get us obviously within the expectation to grow into a multi billion dollar ARR company. but I think that's gonna be hard. I think, expectations on the street and like for investors have changed a lot. So I think that's gonna be really hard to, to come true.
Lucas Nelson
Yeah, well, it has been a lot easier for companies to get those larger rounds done in the private markets. So I guess it is less important for the company to go public to get $100 million, $200 million of funding. So that probably is part of it, right? That you can now do that in the private markets. Cool.
Mike Privette
Mm-hmm.
Yeah.
When you look at Databricks too, like there is a 10 billion Series J, which I didn't even know what went that far. I've never seen a Series J. So I've heard somebody jokingly say like Series J is the new IPO. But yeah, 10 billion value to 62 billion. Like that's, it's hard to like unsee those numbers.
Lucas Nelson
Well, there's that, and we now have ways for founders and even regular employees to get liquidity in the secondary market. And so it really takes a lot of pressure off of companies to go public, right? Like, no, I can make sure my employees can cash out. I can do it in a manner that I get to decide who the new investors are. Kind of famously, Facebook was forced to do an IPO because their cap table got too large. But had it not been for that, they might have stayed private longer.
Mike Privette
Yes.
Hmm.
Lucas Nelson
At least that's what they said at the time.
Mike Privette
I bet the interesting, I bet Zuck wishes he was still private now without all the regulatory oversight and having to buddy up to whoever's in office.
Lucas Nelson
Yeah, you know, having to go to Congress every few years, probably not ideal.
Mike Privette
How do you make money? You know, ads, Senator. I'm sure he'd love to not have that.
Lucas Nelson
Yeah, yeah, that's definitely true. All right. So, for my next prediction, I'm going to say that this is the year that personal cyber insurance becomes a thing. Turns out you can buy personal cyber insurance. I didn't know that until I did some research here. No, but well, exactly. And you can, the, the, the obvious one is LifeLock, right? So LifeLock, you know, if you get hacked, like, so that's personal cyber insurance.
Mike Privette
Interesting, I didn't know that either. What does that cover?
haha
yeah, okay.
Lucas Nelson
Though I'm starting to see some startups try to drive more down the, we're going to help you with your router. You buy hardware from us and if you get broken in through that, we'll take over. But with the oncoming of massive deep fakes, the fact that a CFO of a real company can get fooled, that doesn't bode well for us or our parents or your family members or whomever. I do think that that
Mike Privette
Hmm.
pay you out. Interesting.
Mm-hmm.
Lucas Nelson
That is an area where personal cyber insurance may become a real thing this year.
Mike Privette
Hmm. That's interesting too. And I think, you know, for me that that's kind of like another tool and like this broader, like personal digital sovereignty kind of like at an area where it's like, you know, people have to have, you know, they, don't want, their data to be sold or traffics, through legal matters, let alone like the black market stuff. so you got people watching or having, it's making companies that have companies help you delete personal information through like.
like regular legal various means. And then also watch for, you know, your data to be dumped in the dark web. And, and then at the same time, like making sure you have like all your personal devices personally checked and updated. I kind of see all that kind of converging around that space and I can easily see this being another kind of thing that either a company offers or just something that like, this, this is just, it's a good, just in case, you know, something goes terribly wrong.
Lucas Nelson
I mean, this would be, you know, Apple has clearly not done great thus far with their AI offerings, right? So Apple Intelligence, not so much. Like I've got people turning it off because it just gets in the way, but you could see, you know, your, your conversations aren't recorded on your iPhone. In fact, other apps can't get into them. Uh, but Apple could very easily turn on the LLM and say, you know, hey, you know, this text message looks like fraud. You should not click on that link.
Mike Privette
Yeah.
Mm-hmm.
Lucas Nelson
And that would give them a really, you know, tie in nicely in their privacy story. So you can see a world in which Apple becomes, you know, kind of a player in that space.
Mike Privette
Yeah.
That makes sense. I've already got like the narrative like of they've shaped it so that they're the one seen as the privacy focused one over Google. Even though it's just like a variation of the same thing that Google does. Apple has always had better marketing. I think there's could easily, yeah, they could win a lot. I mean, I honestly, I think they could still win the AI game because they're already on the hardware through much of the world. Like it could really be like the start of like a big tipping point.
Lucas Nelson
Yeah, I mean, the fact is that they could get paid by ChatGPT or, you know, whomever, right? You want Google or whatever to be the, you know, I want to be in front of the, I don't know, 20% of the most wealthy people in the world. I want my thing to be shipped on Apple hardware. You know, it's what they've done with, with search to quite great effect, right? It just.
Mike Privette
Mm-hmm.
Yeah.
Lucas Nelson
It's money that drops right to their bottom line. It's a billion dollars a year that Google pays them to be the search engine. So why not have OpenAI or Gemini pay you a billion dollars a year to be the driver for their AI? So you can see Apple winning in that way or actually catching up and training their own models because they've got a massive data set that no one else has.
Mike Privette
That's true. They do have been very unique and I guess like, you know, with more models going open source and, you know, Meta kind of really forcing that at hand. it's, you know, the, obviously the measures of how good a model is or isn't is changing pretty much every day in the industry, but it's becoming cheaper and simpler and easier to use. that honestly, that kind of like brings me into my second prediction. It's actually an anti prediction.
And who knows, may get skewed for this later in the year, but I don't think, agentic AI for cyber is going to be a thing in 2025.
Lucas Nelson
Why? This is a good one.
Mike Privette
So I mostly think the same reason that a lot of the LLM stuff hasn't truly taken off in cyber outside of a very few use cases like around the AI enabled SOC analyst or the AI agent for application security. And agentic will be the same thing, but perhaps worse because it requires so much infrastructure to be true. like companies are already historically bad at understanding their data.
Lucas Nelson
So.
So.
Mike Privette
having it clean, having it format, having it usable in a way that's like consistent and having all of the access to the data they need at all of the time. And if you don't give the agents the right context, you're going to just be fighting with it the entire time. So I think not that it won't be offered, but I think it won't be well received because it's a complex thing that companies were already not good at prior
to AI. Now the AI just shows how bad they are at it and what context is missing.
So I think it will come, but it will not be well received yet. I think it's like a 26, 27 thing.
Lucas Nelson
Interesting. So I've got this question about, so originally the LLMs, the hallucination problem is massive, right? And, you know, it's basically a statistical next word, like, Hey, I predict the next word is going to be blah.
and the reasoning engines on top where it says, hey, here's the steps I would go down, that's proving to be pretty powerful. So I wonder if we go from a situation where the AIs really are not good at this because you're looking for needle in the haystack and statistically you don't find the needle, right? Most of the time there's nothing there so it can say there's nothing there. But the reasoning engine might get us there. My statement is there's a lot of money in cybersecurity.
Mike Privette
Mm. Yeah.
Lucas Nelson
people want this, so you're gonna see solutions. I still fall on the side of, I don't think statistical probability mapping is the right answer, and I haven't seen anything yet that leads me to believe you want that in a mission critical spot. With that said, people are letting AI write a whole bunch of code right now, and most of the code they train on is...
Mike Privette
yeah.
Yeah.
Right.
Yeah.
Lucas Nelson
Not great, right? Like most of the stuff in GitHub you have access to is not super hardened code. It's, yeah, that was my project for CS 252 or whatever.
Mike Privette
Yeah, it's a good point too. And I think as, as more software is written by AI agents and then read by AI agents, like, think we might see a bit of a scale improvement on, some of that stuff, but that it still assumes a whole bunch of context. And given that like, you know, a lot of the models are still like stochastic and they, they still, they could rewrite the entire code base every time theoretically. cause it's hard to make small changes and get the exact same thing.
you got last time and like prompt engineering has gotten better at that. The models have gotten better, but it's hard to make small edits on some of those things today. and so I think that'll be, that will be the trick. like, think AI agents can be true. I think once we kind of get like tiers of these AI systems, like one that is very good at the data wrangling side or like the normalization side and like fixing kind of like system of record side of things.
which requires like business changes and maybe business process changes and different, you know, ways we work. and then adding reasoning, then adding like context of like, not only what I have, but like what is known bad or false positive look like. but then like, it still won't quite be enough. like every security practitioner I talk to kind of wants, they want, they want the future idea of. I asked the AI agent tells me everything I need to know eventually.
And then me as a human, I know already if I have to take action or not, but it has to require like the entire business context. Like not just is this thing exploitable and not just as this thing on the internet, but who owns the applications and the systems themselves, who's on call right now that can respond to it or make a change. What kind of data does reside on it? Like how much money does this part of the infrastructure?
make us as a company to warrant whether or not I make a breaking change or like take something on or offline. Like there's just so much context I think that will be impossible to get at this point. Like we'll get there. So I just think it's just early. think we'll see like the first sprouts of agentic AI sprouts. I hope somebody quotes me on that through the year.
Lucas Nelson
I like it. All right, so I've got my final prediction. And that's that Gartner is finally going to recognize, or not finally recognize, is going to recognize the tie-in of cybersecurity and crypto, right? So they're going to create one of their, their famous charts, either the wave or a cybersecurity crypto. And my thesis is really simple. You know, with the kind of new administration coming in being wildly crypto friendly, cryptography is going to take off again on a tear and, you know, cybersecurity is not immune to the, there's a shiny thing. And so that's my, my prediction is Gartner, you know, comes up with that.
Mike Privette
Hmm.
Breath.
Lucas Nelson
But my honest thought is, there are a bunch of places where some of those tools are really going to be valuable. Though the blockchain is often just a really slow kind of crappy database that comes with free public and private keys. And so like, you're like, I'm using the chain. And you're like, are you really like, well, I'm using public key cryptography. You're like, well, yeah, but you don't need the slow database for that. But I do think that's an area that's Gartner's going to
Mike Privette
Great.
Lucas Nelson
You know, to get some thought leadership around.
Mike Privette
Yeah, it makes sense. Honestly, I'm surprised they haven't done anything about it yet, just because like the sheer amount of money that has like exchanged hands and has been like scammed like through crypto exchanges. And I, I agree with this, this, this prediction broadly, just because as long as people lose money, cyber will always have to be there like fraud and like crypto it's, it's, you know, wildly speculative betting in its best case and wholesale fraud in its worst case. And.
Like it's, there's, so many, examples of just fraud, money laundering, traditional like crime syndicate type thing activities that happen by way of these, immutable ledgers. But there's been a bunch of companies who've been tracking. They can just see like the illicit trade of drugs or illicit trade of, you know, washed funds. They're really surprised that Gartner hasn't come out with this yet, but I think part of it is, is kind of the mystique behind the crypto.
Or is there any utility other than making like fake coins like behind this?
Lucas Nelson
Well, as it turns out, one of the big utilities is paying ransoms, right? Ransomware has gone through the roof since digital payments became an easy thing to do, right? So, you know, to cyber criminals for figuring that one out. With that said, I do think internet native digital money
Mike Privette
Hmm. Yeah. Successfully.
Yeah.
Yeah.
Lucas Nelson
is like, when you put it that way, it sounds sort of like a good idea. Like, oh yeah, I want internet digital money. But you know, like, like every technology, sin, you know, adopts it first.
Mike Privette
Yeah.
Yeah, that's a good point too. And it's, it's also interesting too, from like an outside of the U.S. perspective is that it's still widely used in like much of the world. Like it's, for regular transactions, like I went to Switzerland over the holiday break and you could, it's a, it's a very Bitcoin first country. Like you can pay for Bitcoin. Yeah. You pay for a restaurant meal with Bitcoin in some places. Um, and they, you know, they have a lot of pushes for that. And that's just, that's just one example, but like there's many more in like
Lucas Nelson
Really?
Mike Privette
Southeast Asia, I think that's pretty much where all crypto security companies have originated from at this point is in that Southeast Asia region. And for good reason, because people still use it there. It's like a different, you know, transacting with so many different cultures and currencies. People find it, you know, useful. So as long as it's still going to be used for like legitimate things, and as long as people still get scammed or defrauded, like, you know, cyber is going to have to be there.
Lucas Nelson
You think Meta resurrects their what was their coin called? They had a coin they were going to make and then they backed away from it. But now that Zuck is in the masculine energy, you think they re-release that?
Mike Privette
haha
Yeah, maybe who knows? That's, that's interesting. I guess it depends on like how favorable, like how far does the anti-regulation or deregulation go and crypto in the U.S. Cause it's, you know, pretty much all coin or ICOs or initial coin offerings have just ended up being like rug pulls for many people outside of like the basics. Yeah, there you go. So that's, that's one of the few that has had.
Lucas Nelson
I still have an ape. We're doing great. We're doing great.
Mike Privette
somehow has had enduring utility.
Lucas Nelson
Yeah, that would have been my first guess, right? Like four years ago, the apes, those are gonna be the worst ones.
Mike Privette
Yeah, I'm going to take a screenshot so I can have a copy.
Lucas Nelson
Stay with me. I'm going to let you wrap it up with a final prediction if you got one.
Mike Privette
I don't have one. I was just trying to think because we talked about some really good stuff. What else?
Lucas Nelson
All right, so then I'm gonna switch gears on you. New Year's resolutions, things you're planning on doing, like what's 2025, what has you excited in 2020?
Mike Privette
I don't, I don't really do new year's resolutions. I used to like many years ago, but then I just realized like I could start something anytime. So I just like kind of a, like, don't, don't need to wait to an arbitrary date. I'll just, I'll just do that. So, but so it's just, it's kind of fun when I read, remember that like, yeah, I can just do this. I'm an adult. But plans this year, honestly, it's just, I hope travel quite a bit more for fun and for return on security. I already got a couple of conferences lined up. Really excited about that.
I hope to add a few more along the way. And then really like, you know, I wanna make sure I'm pulling out as much as I can from what I'm already doing at Return on Security and turning into like new content, like formats or avenues or things that people can find valuable. Cause I think that that's a lot of fun for me to do personally.
Lucas Nelson
Have you thought of a NFT with an ICO?
Mike Privette
I have, I have, and actually I have a few, for a while I had a few NFTs. There were like jokes that I'd made and like, and I'd always put them in like one Ethereum and hoped somebody would just buy it. But of course that never happened. And then I think that the exchange I had it on went belly up. OpenSea. Yeah, it could be. Yeah. There you go. How about you, Ani?
Lucas Nelson
And that's a big collector's item. So go out there, find the early return on security NFTs and grab them.
Awesome.
So I do like to do new things at the beginning of every year, only just, I think it's a, it's a nice time to reset, right? Like you can start your clock and you know exactly when you started. So this quarter I'm doing a kind of a deeper dive into AI technology, right? So I'm going to try to actually understand, maybe not the state of the art, but kind of the state of today on LLMs and you know, the trading. So I've been watching,
Mike Privette
Any plans?
Right.
Lucas Nelson
some of the videos on that and trying to read some of the books on it. So that's my January, like, get to the point where if someone starts kind of going down there, here's the architecture of LLM, I'm not just nodding sagely and internally going, I do not understand a word they're saying. So that's kind of my big one. Then, yeah, no, but I like New Year's. I get a kick out of closing off the last year and saying, that year stunk, but this year is gonna be the year that everything comes up, comes up my way. So not the last year stunk. Yeah.
Mike Privette
Yeah.
Yeah, I do like the new energy a year brings like that. That is fun. Even if no matter how you get into it, it's kind of exciting.
Lucas Nelson
Definitely. All right, boss. Well, thank you so much for joining us again. And where can we find you on the Internet?
Mike Privette
Yeah, thanks for having me and returnonsecurity.com is the best place. And also Mike Privette on LinkedIn. So yeah, you can reach out there.
Lucas Nelson
Thanks Mike and Happy New Year to our listeners.
Mike Privette
Thanks.
Lucas Nelson
And we're out.