Cyberspace is becoming more complex – but why? Here’s what top cybersecurity officers are saying

The growing complexity of cyberspace is exacerbated by escalating geopolitical tensions, overlapping supply chains, the rapid adoption of emerging technologies and the proliferation of regulatory requirements, according to a new report.

This week, the World Economic Forum released its latest edition of the Global Cybersecurity Outlook, the culmination of an annual survey and one-on-one interviews with C-suite executives and leaders from across industries and organizations. The report concluded that the increasing complexity is widening the cyber skills gap and fuelling increased cyber inequity.

The report also found that increasing complexity of supply chains, coupled with the lack of visibility and oversight into the security levels of suppliers, has emerged as the leading cybersecurity risk for organizations. In fact, of large organizations (annual revenue of more than $5.5 billion), over half (54%) identified supply chain challenges as the biggest barrier to achieving cyber resilience.

“As cyberspace becomes increasingly complex, it has the potential to exacerbate cyber inequity for organizations that are unable to meet growing challenges,” the report states.

Despite the obstacles, the report notes that organizations that embrace proactive risk management, prioritise collaborative approaches across ecosystems and invest in scalable, equitable solutions can reduce disparities.

Given the various elements complicating the cyberspace, the World Economic Forum asked five chief cybersecurity leaders from around the world to identify the aspect of complexity that presents the greatest challenges or concerns for their respective organizations.

Here’s what they had to say:

Complexity creates chaos, and chaos distracts from the tangible priorities of safeguarding any organization.

One of the largest drivers of complexity, and greatest barriers to achieving resilience, is when chief information security officers (CISOs) develop a "hostage mindset" around tech that is old and antiquated. CISOs often continue to use vendors because it is easy – i.e., it's already a part of their infrastructure – but easy is rarely synonymous with secure. The moment a CISO considers moving off of a vendor impossible or too difficult, is when the balance of power begins to shift back in favor of threat actors.

If organizations do not start their security transformation journeys to remove the tools and vendors that are causing complexity vs. furthering innovation, it will be the major crutch that leads to breaches. With novel vulnerabilities discovered daily and new emerging threat actor groups, tactics and malware, CISOs must be bullish in asking themselves the question: are the tools we're using and renewing necessary to combat today’s threat actors?

The rapid adoption of emerging technologies such as automation, cloud and AI has led to hyperconnectivity in critical infrastructure segments. This has expanded the attack surface and increased dependencies among stakeholders, including technology providers, asset owners, and suppliers.

With this pretext, new and complex challenges have resulted. Firstly, while Schneider Electric systematically follows "Secure by Design" principles through its Secure Development Lifecycle (SDL), there is a growing need to build on this foundation and focus on "Secure by Operations." Clearly defined roles and responsibilities for stakeholders are essential to drive the implementation of security controls, such as patching, in multi-technology operational environments post-deployment.

To add to this effort, authorities are demanding increased transparency and reporting in response to critical infrastructure being targeted by malicious cyber actors. The regulatory landscape is expanding, with key regulations like NIS2 and CRA having a global impact. Schneider Electric continues to embrace digitalization and its benefits but must also collaborate with value chain stakeholders to secure operations and meet regulatory obligations—a significant undertaking.

We are increasingly reliant on our supply chain for technology and digital services.

This is particularly true as we adopt disruptive technologies, notably cloud, big data, artificial intelligence and quantum computing.

Some aspects of the old paradigms for managing supply chain risk may need to be re-imagined to address this aspect of the complexity.

The growing sophistication of cybercrime operations compounds the existing challenges that security teams worldwide already face. As malicious actors harness new technologies like AI to increase the volume and velocity of the threats they deploy, they continue building a resilient and profitable ecosystem, posing new risks to businesses and critical infrastructure.

Looking ahead, adversaries will embrace bigger and bolder activities, setting their sights on fresh targets and launching meticulously planned attacks crafted to fool savvy end-users. While organizations often think in terms of additional tools required to counter an increase in cyberattacks, building alliances is one of the most effective—and often overlooked—actions to take to combat cybercrime.

Creating relationships and exchanging information fosters trust and integrity, and when public and private institutions have more trust in one another, intelligence can be shared not just to keep pace with but to help everyone stay ahead of and collectively disrupt cyber threats.

Right now, three main things are driving complexity in our cybersecurity landscape:

Since we don't have much IT legacy, our main challenge is to keep improving the security, architecture, and operations of our cloud-based platform. This is crucial to maintain observability, avoid technological debt and keep our systems stable and secure as we add new solutions, integrations, or functionalities. This is especially important given the fast pace of development of new business-driven AI-based solutions.

Personally, I think a critical success factor for cybersecurity experts and CISOs in 2025 is not just managing and communicating cybersecurity and digital risk, but also proactively reducing complexity in every task. Automate wherever possible and prioritise simplicity. Connect with sector peers, vendors, authorities, and other relevant organizations to collaborate and share knowledge regularly.