Within the second half of 2025, safety and threat leaders in APAC and EMEA continued to grapple with acquainted pressures, however they reprioritized how they handle them. Whereas AI, governance, threat and compliance (GRC) and third-party threat administration (TPRM) stayed stubbornly on prime of the charts, software safety and safety group construction resurfaced with new urgency, and matters similar to quantum safety and human threat administration took a back-seat, for now. These shift mirror a always altering actuality: intensifying regulatory expectations in Europe, the emergence of agentic AI with much less predictable conduct and an increasing software program provide chain pushed by accelerated AI and low-code adoption. Our newest Government Highlight: Prime Priorities For APAC And EMEA Safety And Threat Leaders, H2 2025, analyses a whole bunch of requests for steering from our safety and threat (S&R) Forrester Selections shoppers to disclose the place leaders doubled down, and the place they deprioritized (see Determine 1).
The Prime Three Cross‑regional Priorities
Whereas leaders confronted lots of the similar pressures now as they did within the first half of 2025, the character of their steering requests shifted towards stronger governance, sharper AI threat administration, and a renewed give attention to software and software program provide chain safety. Three areas outline the priorities for APAC and EMEA safety & threat leaders in H2 2025:
- GRC rises to the highest as regulatory stress accelerates. Many could also be stunned to listen to AI slipped from prime place, making method for GRC as the highest precedence for EMEA and APAC S&R leaders. GRC dominated the headlines as leaders face accelerating regulatory obligations and geopolitical instability. Many are pissed off by GRC tech that’s costly, tough to implement, and underinvested in automation and AI. Their questions give attention to which applied sciences meaningfully enhance governance, tips on how to quantify cybersecurity program worth, and tips on how to report threat and efficiency to boards.
To make progress regardless of tooling limitations, S&R leaders ought to use FAIR‑based mostly quantification to articulate program worth, undertake regulatory intelligence to streamline compliance workflows, and implement steady management monitoring to switch outdated periodic audits.
- AI threat evolves from adoption to securing agentic techniques. Whereas AI stays on prime of the precedence charts, it shifted from leaders eager to know tips on how to undertake generative AI safely in H1 to H2’s key problem: securing agentic AI. This shift displays deeper operational and menace‑floor issues. Leaders are asking tips on how to design guardrails that stop extreme autonomy, tips on how to crimson‑workforce AI techniques, and tips on how to put together for AI‑particular incident response.
Use Forrester’s AEGIS framework as a sensible method to map agent dangers, implement least company, implement coverage‑as‑code controls, and monitor agent‑initiated entry. Overview your vendor‑offered brokers to make sure distributors have carried out satisfactory safeguards.
- API and software program provide chain safety surge in urgency. API sprawl, SBOM mandates (such because the EU Cyber Resilience Act), and stalled DevSecOps development have pushed software safety onto the precedence listing in each areas. Leaders wish to distinguish significant API safety from vendor noise, combine API safety with WAF and DDoS capabilities, and handle part threat as software program strikes from growth to manufacturing.
Map required API capabilities to their architectures, use SBOMs for transparency and compliance, and undertake pragmatic DevSecOps practices that embed safety earlier and make clear workforce obligations.
Geographic Variations That Matter
My workforce and I work throughout 5 international locations and three continents, which provides us front-row seat to how geography continues to form safety and threat priorities. Whereas APAC and EMEA leaders shared 5 of the highest six priorities in H2 2025, regional regulatory stress, working fashions and workforce capability nonetheless influenced how these priorities had been weighted and sequence. Two variations stood out particularly:
- TPRM splits the areas. EMEA leaders are closely prioritizing third‑celebration threat administration resulting from DORA, NIS 2, GDPR, and rising litigation stress. In APAC, the place third‑celebration threat is often addressed by outsourcing or operational resilience tips moderately than prescriptive regulation, organizations really feel extra in a position to deprioritize it. Smaller S&R groups additionally make the procedural weight of TPRM tough to soak up.
- APAC priorities are extra fragmented. EMEA submitted 170 H2 requests clustered round a couple of dozen themes, making it simpler to determine clear precedence areas. Not so for APAC leaders who submitted 81 questions unfold throughout 42 themes starting from software to endpoint to quantum to IoT and cloud. This breadth signifies that APAC CISOs are sometimes required to deal with a wider set of dangers concurrently, growing the significance of deliberate prioritization.
Let’s Join
Use these insights to benchmark your roadmap towards these priorities, and refocus your efforts, and strengthen sequencing. Forrester’s APAC and EMEA S&R shoppers who’ve questions on risk-, security-, or privacy-related matters can join by way of inquiry or steering session to our consultants: Jinan Budge, Paul McKay, Tope Olufon, Madelein van der Hout, Enza Iannopollo, and Meng Liu.
