News

CISOs Believe AI Has 'Already Surpassed' Their IT Security Teams: Survey

• By David Ramel
• 07/15/2024

AI has its naysayers, but many chief information security officers (CISOs) are not among them.

That's according to a recent survey of over 200 security leaders by cybersecurity firm Bugcrowd, which found CISOs are in general agreement about the benefits of using AI to protect their organizations. Many respondents even believe AI has surpassed their IT teams in effectiveness.

"Interestingly, 91 percent of CISOs believe AI will be better than members of their own security teams," said the writers of the report, titled Inside the Mind of a CISO. "Almost half of the CISOs believe Gen AI has already surpassed the abilities of their team."

Bugcrowd found that 78 percent of CISOs are already using AI to help their security teams while 20 percent are waiting for more powerful models and better AI security tools before they adopt. Either now or later, AI seems to be taking over the security world.

The report found that some organizations use AI for offensive security, but the most common use case is automating repetitive or tedious security tasks, such as using AI tools to help write data queries to more quickly get the security information they need. "This, in turn, lets them run analyses, communicate, and take action in less time," the report said.

Of course, AI is also being used by threat actors, as Bugcrowd noted in a June 27 blog post. "The jury is still out on how exactly security teams need to approach AI as a tool, a target, and a threat," the company said. "Teams are leveraging AI, which is already starting to affect headcounts, but many leaders are hesitant to become early adopters of AI. The one consensus is that AI is here, and it is the responsibility of security leaders to quickly build their AI strategy."

Competitive Advantage
The company said another key highlight of the report is the observation that security helps in the business world, boosting the bottom line.

"Security is more than just a best practice -- it is a competitive advantage. As threats become more serious and more ubiquitous, consumers are becoming more aware of the importance of security, and they use this as a factor in their buying decisions. As the C-suite and boards continue to recognize this fact, the pressure will be on security leaders to deliver a superior security experience."

Backing up that competitive advantage angle, the report noted that almost a third of respondents are prioritizing building a security brand to differentiate their organizations from their competition. "That's right -- they think it's even more important than avoiding breaches and creating an internal security culture," Bugcrowd said.

Top CISO Concerns
Top concerns of CISOs were summarized like this:

• Regulatory obligations: With regulatory obligations and government oversight of cybersecurity on the rise, CISOs need vendors who can provide solutions to these challenges.
• Cyber insurance premiums: CISOs want to demonstrate a proactive approach to security risk management to reduce insurance premiums.
• Legal exposure: Gartner predicts that by 2027, two-thirds of Global 100 organizations will extend D&O insurance to CISOs due to personal legal exposure.
• Burnout: 50 percent of current CISOs will have changed jobs in the next year as a result of burnout.
• Professional development: 69 percent of top-third CISOs prioritize recurring professional development time.
• Closing the skills gap with AI: Gartner predicts that by 2028, the adoption of Gen AI will close the hiring gap for entry-level skills.
• Risk vs. compliance: CISOs are taking a risk-driven approach to security in addition to ticking compliance boxes.
• Outcomes: Instead of approaching solutions through the lens of security silos and products, CISOs are focusing on outcomes.

Backing data points are presented in a graphic:

CISO Myths Debunked
Along with the data points, Bugcrowd listed five myths about CISOs that were debunked by the survey:

1. CISOs are opposed to ethical hacking: 73 percent of security leaders view ethical hacking in a favorable light, and 75 percent of them have actually engaged in it themselves.
2. CISOs are mainly management professionals: 76 percent of CISOs have worked in 3 to 10 cybersecurity roles, and 82 percent of CISOs have either a bachelor's or master's degree in cybersecurity.
3. Only large companies need CISOs: 20 percent of CISOs lead teams with fewer than 10 members, showing that even smaller teams benefit from the high-level strategizing of a CISO.
4. CISOs are unprepared for AI: 95 percent of CISOs are already implementing AI-based defensive measures, namely crowdsourced testing, pen testing, and color teaming.
5. CISOs all believe in the value of AI: 58 percent of CISOs believe that the risks of AI outweigh its potential benefits, while 42 percent believe in the potential of AI, indicating that there is no consensus on this issue.

The report is based on a survey of 209 security leaders with titles including CISO, CIO, CTO, head of security or VP of security. The survey was commissioned by Bugcrowd and conducted by Quest Mindshare, with respondents from North America, South America, Europe, Asia, Australia, and Africa who were all fully employed at organizations of varying sizes.