91% of CISOs Say AI Will Outperform Security Pros

• By David Ramel
• 07/12/24

A new survey of CISOs by Bugcrowd indicates AI is already beating security pros in some areas and is expected to take on a larger role in the future.

"Interestingly, 91% of CISOs believe AI will be better than members of their own security teams," said the Bugcrowd report based on a survey of chief information security officers. "Almost half of the CISOs believe Gen AI has already surpassed the abilities of their team."

Bugcrowd, which provides crowdsourced security testing, surveyed 209 security leaders from around the world for its new "Inside the Mind of a CISO" report. The survey found that 78% of CISOs are already using AI to help their security teams while 20% are waiting to see more powerful models and better AI security tools before they adopt. Either now or later, AI seems to be taking over the security world.

The report found that some organizations use AI for offensive security, but the most common use case is automating repetitive or tedious security tasks, such as using AI tools to help write data queries to more quickly get the security information they need. "This, in turn, lets them run analyses, communicate, and take action in less time," the report said.

Of course, AI is also being used by threat actors, as Bugcrowd noted in a June 27 blog post. "The jury is still out on how exactly security teams need to approach AI as a tool, a target, and a threat," the company said. "Teams are leveraging AI, which is already starting to affect headcounts, but many leaders are hesitant to become early adopters of AI. The one consensus is that AI is here, and it is the responsibility of security leaders to quickly build their AI strategy."

Competitive Advantage

The company said another key highlight of the report is the observation that security helps in the business world, boosting the bottom line.

"Security is more than just a best practice — it is a competitive advantage. As threats become more serious and more ubiquitous, consumers are becoming more aware of the importance of security, and they use this as a factor in their buying decisions. As the C-suite and boards continue to recognize this fact, the pressure will be on security leaders to deliver a superior security experience."

Backing up that competitive advantage angle, the report noted that almost a third of respondents are prioritizing building a security brand to differentiate their organizations from their competition. "That's right — they think it's even more important than avoiding breaches and creating an internal security culture," Bugcrowd said.

Top CISO Concerns

Top concerns of CISOs were summarized like this:

• Regulatory obligations: With regulatory obligations and government oversight of cybersecurity on the rise, CISOs need vendors who can provide solutions to these challenges.
• Cyber insurance premiums: CISOs want to demonstrate a proactive approach to security risk management to reduce insurance premiums.
• Legal exposure: Gartner predicts that by 2027, two-thirds of Global 100 organizations will extend D&O insurance to CISOs due to personal legal exposure.
• Burnout: 50% of current CISOs will have changed jobs in the next year as a result of burnout.
• Professional development: 69% of top-third CISOs prioritize recurring professional development time.
• Closing the skills gap with AI: Gartner predicts that by 2028, the adoption of Gen AI will close the hiring gap for entry-level skills.
• Risk vs. compliance: CISOs are taking a risk-driven approach to security in addition to ticking compliance boxes.
• Outcomes: Instead of approaching solutions through the lens of security silos and products, CISOs are focusing on outcomes.

Backing data points are presented in a graphic:

CISO Myths Debunked

Along with the data points, Bugcrowd listed five myths about CISOs that were debunked by the survey:

1. CISOs are opposed to ethical hacking: 73% of security leaders view ethical hacking in a favorable light, and 75% of them have actually engaged in it themselves.
2. CISOs are mainly management professionals: 76% of CISOs have worked in three to 10 cybersecurity roles, and 82% of CISOs have either a bachelor's or master's degree in cybersecurity.
3. Only large companies need CISOs: 20% of CISOs lead teams with fewer than 10 members, showing that even smaller teams benefit from the high-level strategizing of a CISO.
4. CISOs are unprepared for AI: 95% of CISOs are already implementing AI-based defensive measures, namely crowdsourced testing, pen testing, and color teaming.
5. CISOs all believe in the value of AI: 58% of CISOs believe that the risks of AI outweigh its potential benefits, while 42% believe in the potential of AI, indicating that there is no consensus on this issue.

The report is based on a survey of 209 security leaders with titles including CISO, CIO, CTO, head of security or VP of security. The survey was commissioned by Bugcrowd and conducted by Quest Mindshare, with respondents from North America, South America, Europe, Asia, Australia, and Africa who were all fully employed at organizations of varying sizes.

The full report can be accessed here on the Bugcrowd site (registration required).