Inside The Mind Of A CISO

Uploaded on 2024-07-05 in TECHNOLOGY-Key Areas-Artificial Intelligence, TECHNOLOGY--Developments, NEWS-Cybersecurity News, FREE TO VIEW

AI is a disruptive technology in more ways than one. A survey of 209 CISOs and security leaders globally shows security professionals struggling to reach consensus about what AI means for their organisation and their own roles. 

Despite a range of divergent and sometimes contradictory views, the report Inside the Mind of a CISO leaves little doubt that AI is a powerful force for change. What’s less clear is whether change overall will be good or bad. And perhaps it’s too early to expect CISOs - or anyone - to be able to settle that question.

As for disruption, the survey points to a worryingly high-level of burnout among security professionals, with as many as two-thirds of CISOs who believe that security practitioners experience a higher rate of burnout then other roles.   Aggravating factors for this include the hiring landscape: over half of CISOs say their teams are understaffed and 87% are currently hiring. 

However, there is growing confidence that AI will make a positive difference at least in automating some of the less skilled roles. Nearly a quarter of respondents (23%) say that AI tools have already enabled them to reduce or repurpose headcount, while 71% expect to have made cuts over the next three to five years. 

Gartner endorses this trend. They have gone on record to say that by 2028 AI will have closed the skills gap. However, and this is the critical point, the Gartner prediction refers to “entry-level skills”. That begs some big questions about the security workforce as a whole. What skills will be needed to address the next wave of AI-enabled threats? Will AI tools mitigate those too? Or will we just see the bar raised in future?

Not to leave those questions hanging, I believe the answers are “We don’t know yet”, “Not entirely” and “Yes”.

While it would be reassuring to think that AI will close the skills gap, I think it’s more accurate to predict that it will change it. The bottom line for organisations of all kinds is that finding the right people to mount an effective defence will be challenging for the foreseeable future.

CISOs are realistic about the threats facing their organisations. Asked about their top priorities, only 18% had the goal of “avoiding breaches at all times”. Most of the responses were more pragmatic than optimistic, with 17% voting for “balancing risk against business objectives” and 20% for “building resilience”. In other words, few CISOs believe they’re in a war that will be over anytime soon. The majority are settling in for a long campaign. 

The top priority for 31% of CISOs is “building a security brand”, reflecting their belief that effective cybersecurity is now a major factor in competitive advantage.

This is a significant finding reflecting a shift in attitudes from a “do enough” compliance culture to a business environment in which being seen to “do more” has become a critical measure of business viability and being a business enablement powerhouse.

Few CISOs in the survey believe organisations are doing enough today, however. Most believe that the majority of organisations do not fully understand the risks of being breached and, as a result, are not as well defended as they could be.

While they also understand that many of the decisions organisations make will be a trade-off between business benefit and security risk, CISOs have serious concerns that some may start taking risks that will compromise their customers’ long-term privacy or security for the sake of short-term savings. 

As for AI, while CISOs are currently split about its use, this is more a matter of timing than any deeply held conviction. 

Nearly eight in ten (78%) are already using AI in their security teams and of the rest only 3% say they will never use it. Does it outperform some of their security professionals in certain cyber processes? Yes, according to 44%, while most of the rest (47%) believe that it will eventually replace team members when the technology improves. This is not a view shared by ethical hackers, who believe that while AI adoption will increase, it will never replace human ingenuity. 

The picture may be more nuanced. As we saw earlier, there’s no doubt that AI will replace low-level security roles with certain operational type characteristics. What happens further up the skills hierarchy is less clear. 

Even with the benefits of AI from a hiring perspective, the jury is still out on AI’s long term potential. 58% of CISOs argue that the risks of AI outweigh the benefits. CISOs are scrambling to put defensive measures in place to prepare, with 95% of CISOs having already implemented AI-based defensive measures, including crowdsourcing and pen testing. 

In a sense this part of the debate is academic. The AI train is rolling and like it or not most CISOs are already onboard.  

Nick McKenzie is Chief Information officer and Chief Security Officer at Bugcrowd

Image: Jacob Wackerhausen 

You Might Also Read:

Helping CISOs Embrace Artificial Intelligence

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« UK vs. US: The Artificial Intelligence Landscapes Compared
Chinese Hackers Exploit Cisco Vulnerability To Deliver Malware »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

CSO GmbH

CSO GmbH

CSO GmbH provide specialist consultancy services in the area of IT security.

Miratech

Miratech

Miratech is a global IT services and consulting organization offering a full range of IT infrastructure solutions and services including cyber security.

Protergo Cyber Security

Protergo Cyber Security

Protergo Cyber Security is the first integrated provider of cybersecurity solutions in Indonesia. We proactively protect our clients from cyber threats.

Digiserve

Digiserve

Digiserve by Telkom Indonesia is an end-to-end managed solutions provider committed to empowering enterprises in Indonesia.

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

Altaro Software

Altaro Software

Altaro provide backup solutions that are intuitive, easy to use, well-priced and backed by outstanding 24/7 support as part of the package.

Horiba Mira

Horiba Mira

Horiba Mira is a global provider of automotive engineering, research and test services including services and solutions for automotive cybersecurity.

Consensys

Consensys

ConsenSys is a global blockchain company. We develop enterprise applications, invest in startups, build developer tools, and offer blockchain education.

Haechi Audit

Haechi Audit

Haechi Audit is a leading smart contract security audit firm. We provide the most secure smart contract security audit and smart contract development services to our global clients.

Brimondo

Brimondo

At Brimondo we help you to maximize and protect your brand value by being a proactive and strategic partner within brand protection with experts within intellectual property and digital assets.

Qmulos

Qmulos

Qmulos’ real-time continuous monitoring risk management suite, Q-Compliance, provides a massively flexible and scalable solution to optimizing operational security.

Tonex

Tonex

Tonex providing industry-leading technology training, courses, seminars, workshops, and consulting services to companies and government organizations around the world.

CyberXposure

CyberXposure

CyberXposure has been built by a team comprising of Cyber Security Professionals and SAAS experts in data backup, disaster recovery and cyber-security.

Aliro Security

Aliro Security

AliroNet is the world’s first entanglement Advanced Secure Network solution.

Karthik Consulting (KC)

Karthik Consulting (KC)

Karthik Consulting is a technology service provider specializing in IT services for the U.S. federal government.