IT security in 2025: Rippling's CISO and IT pro talk data, trends, and tips

Published Oct 1, 2024

If you're an IT leader or admin, you know firsthand how hard it is to stay on top of security. With cyber threats growing more sophisticated by the day, and the stakes for protecting data getting higher than ever, IT security has quickly become the top priority (and biggest headache) for organizations of all sizes.

But here's the good news: You're not alone in this fight. 

We recently sat down with two of our in-house experts—Duncan Godfrey, Rippling’s Chief Information Security Officer (formerly with Okta and Auth0), and Todd Horner, our IT Solutions Manager—to get their insights on the current state of IT security. 

They covered the biggest challenges facing organizations today and the strategies and tools leaders can use to stay one step ahead of malicious actors. Keep reading to see if your priorities and struggles align with those of your peers.

The state of IT security: Challenges, priorities, and concerns

To kick things off, let's take a look at some of the key findings from Rippling's 2024 State of the IT Leader Report, which surveyed over 400 IT managers and executives:

  • 55% of respondents cited ensuring data security and privacy as their top priority for the year ahead, followed by automating IT processes (48%), and managing compliance (37%)
  • However, 72% reported facing challenges with their current identity and mobile device management (MDM) solutions
  • The most pressing security challenges included implementing robust controls and processes (51%), rolling out new IT software (40%), and achieving compliance certifications (32%)

These stats paint a clear picture of the uphill battle many IT leaders face as they work to keep their organizations secure. And when we asked attendees of our recent webinar to share their biggest security concerns, the results were equally telling:

  • 34% cited human error as their top worry
  • 24% pointed to staying on top of the evolving cyber landscape
  • 21% expressed concerns around data privacy and compliance

As Duncan explained, these findings underscore the fact that even as the world of IT security grows more complex, many organizations are still grappling with fundamental challenges around people, processes, and technology.

"Traditional tactics are still king," he noted. “That’s because they offer the path of least resistance for attackers. Everyone still needs to worry about falling victim to social engineering, particularly phishing, breached password data, and credential stuffing. It's a constant menace.”

The high stakes of IT security: Why every leader needs to pay attention

So why exactly should IT security be a top priority for every organization? Put simply, the consequences of a breach or attack can be devastating, and not just in the short term.

Consider the potential fallout of a major incident:

  • Data loss: Whether it's sensitive customer information exposed in a breach, or critical business files locked up in a ransomware attack, losing data can be catastrophic for a company's reputation, operations, and bottom line. 
  • Financial damages: The costs of a successful cyber attack can quickly add up, from paying ransoms and compensating affected customers to investing in remediation efforts and dealing with legal and regulatory penalties. In fact, the global average cost of a data breach reached a staggering $4.88 million in 2024—up 10% from the prior year and the highest total ever.
  • Reputational harm: Perhaps most devastating of all is the long-term damage a security incident can do to a company's reputation and customer trust. "Reputational harm is the squishy one that is hard to quantify, but it's a key impact," Duncan explained. "It's your customers losing trust in your brand, losing trust in your business." And in today's digital age, trust is everything.

The scary part? No organization is immune to these risks—not even SMBs that may assume they're too small to be a target. As Duncan pointed out:

"Attackers are highly motivated and well-resourced. Small and medium-sized businesses often think they're too small to become the target of a cyber attack, but they're just as vulnerable as large enterprises who have robust security. And they often lack the financial resources and skill set to combat new threats."

Where to focus your IT security efforts

With so much at stake, and so many potential threats to guard against, it's no wonder IT security has become such a daunting challenge for so many organizations. But according to Duncan and Todd, there are a few key areas where leaders should focus their time and resources to maximize impact.

Priority #1: Data security and endpoint protection

In today's work-from-anywhere world, securing employee devices like laptops and smartphones is more critical than ever. "Endpoint security has never been more important—particularly with the reality of ongoing ransomware attacks,” Duncan emphasized. 

To keep endpoints secure, he recommends investing in powerful endpoint detection and response (EDR) tools that can continuously monitor device activity, flag suspicious behavior, and automatically block and isolate threats. 

The latest advancements in artificial intelligence (AI) and machine learning (ML) are taking endpoint protection to the next level. AI-driven solutions can now detect and respond to threats in real time, even anticipating future attacks. For example, SentinelOne's platform, when integrated with Rippling, allows organizations to deploy advanced endpoint security across their entire device fleet effortlessly, ensuring consistent protection without manual intervention.

Priority #2: Automating the fundamentals

Another major pain point for many IT teams is the sheer volume of manual, repetitive work involved in managing security on a day-to-day basis. From onboarding and offboarding users to keeping software and systems up to date, these basic hygiene tasks can quickly consume your team's time and energy, while opening the door to human error and massive risk. For Todd, this issue has been a constant throughout his career:

“I’ve been in IT roles for more than 15 years, and in my career there's been one clear problem I've seen countless times across multiple companies: keeping HR and IT on the same page when it comes to hiring, transitions, and terminations. Consistency and communication are not as easy as they should be.”

Todd explains that manual, error-prone processes, fueled by the adoption of numerous SaaS apps, lead to fragmented data and require significant effort to update employee information. This not only increases the workload for IT teams but also undermines data accuracy and operational efficiency. 

In such a segmented environment, employee data becomes outdated across systems, complicating efforts to maintain accurate and consistent records. Important information about employees, such as their department, title, and device security status, remains isolated across the business, preventing holistic decision-making and policy implementation.

“A lot of companies lack a truly centralized system to define and enforce security policies, and this hampers the ability to manage compliance requirements effectively. Organizations that struggle with incomplete employee data will have a more difficult time ensuring timely access management practices, accurate reporting, and the establishment of consistency across all systems, thus generally weakening overall security.”

The solution? Automation. By leveraging tools like identity and access management (IAM) and MDM software to streamline and standardize key workflows, IT teams can dramatically reduce the risk of oversights and inconsistencies while freeing up time and energy to focus on more strategic priorities.

Priority #3: Staying ahead of compliance

For a growing number of organizations, IT security isn't just a business imperative—it's a legal and regulatory one as well. As Duncan explains, managing compliance is a top priority for many organizations, with a significant portion finding it challenging to achieve.

The complexity stems from the evolving nature of IT infrastructure. "Systems are often actually not your own anymore. They're third-party applications," Duncan points out. “This shift has created a patchwork of disconnected tools, making comprehensive oversight more difficult.”

For companies looking to strengthen their compliance posture, Duncan recommends focusing on key frameworks like SOC 2, CSA STAR, and ISO 27001. Each serves a distinct purpose, from general IT controls to cloud-specific security measures. However, the real key lies in what Duncan calls "meaningful compliance." This approach integrates compliance efforts directly into security practices and company-wide risk management.

The case for integrated, unified IT solutions

As IT leaders look to the future, one thing is clear: the days of siloed, piecemeal approaches to security are over. In a world where data and applications are increasingly distributed and interconnected, organizations need solutions that can bridge the gaps and provide end-to-end visibility and control.

That's why, when we asked IT leaders about their priorities for the year ahead, the vast majority emphasized the need for more integrated, unified tools and platforms:

  • 73% said their ideal setup for HR and identity management tools was either fully integrated or unified
  • 90% said integration capabilities are a top priority when evaluating new software investments

The reality is, silos kill security. When you've got HR data in one system, IT data in another, and no way to connect the dots, you're always going to be playing catch-up. That's why we've built Rippling from the ground up to bring all that information together in one place, so you can automate key workflows, enforce consistent policies, and always know who has access to what.

At the heart of Rippling's platform is what we call the employee graph—a centralized data model that connects all your HR and IT systems, giving you a single source of truth to work from. What makes this powerful is the fact that all of our products share access to employee data through Rippling’s native cloud directory. With the graph, IT teams can easily map app permissions and device policies to specific user attributes, locations, and departments, so the right people always have access to the right resources.

This is further enhanced by Rippling's Supergroups feature, which allows for dynamic grouping of employees based on any attribute. For example, you could automatically provision specific apps to all staff software engineers in San Francisco, ensuring that new hires get the right access from day one (like AWS and GitHub) without manual intervention. You can also require the completion of security training before an employee gains access to sensitive tools—all handled automatically. 

It's really about giving IT leaders the power to manage security at scale, without sacrificing granularity or flexibility. Whether you're onboarding a new hire, responding to a threat, or rolling out a new compliance initiative, having that unified foundation makes everything so much easier and more effective.

Looking ahead: The future of IT security

As we look ahead to 2025 and beyond, one thing is certain: the world of IT security will only continue to grow more complex and challenging. With new threats emerging every day, and the stakes for businesses higher than ever, it's easy to feel overwhelmed by the scale and pace of change.

But as Duncan and Todd emphasized throughout our conversation, there is reason for hope (and even optimism) in the face of these challenges. By focusing on the right priorities, leveraging the power of integrated solutions, and empowering people at every level to be part of the solution, IT leaders can build the resilience and agility they need to stay ahead of the curve.

For more insights and guidance on IT security, download the full State of the IT Leader Report and watch the on-demand recording of our recent webinar with Duncan Godfrey and Todd Horner. And if you're ready to see how Rippling's unified platform can help you streamline IT management and strengthen your security posture, watch this product tour video.

last edited: October 1, 2024

Author

Marisa Krystian

Senior Content Marketing Manager, IT

Marisa is a content marketer with over ten years of experience, specializing in security and workplace technology—all with a love of black coffee and the Oxford comma.