More than half (54pc) of cybersecurity people surveyed believe cybercriminals will benefit more from AI than the security industry, according to the Chartered Institute of Information Security (CIISec). Its survey of members and others in cyber found that about a half (51pc) of those surveyed believe that AI and machine learning will be the most influential technology in the cybersecurity industry over the coming year. Zero trust and cybersecurity hygiene basics were the next closest technologies and principles, with just 7pc each.
Most, 89pc of cybersecurity people surveyed say AI will benefit attackers, compared to 84pc who say it will benefit the cybersecurity industry itself. Unskilled workers (26pc) and older people (39pc) will benefit the least. Less than half (48pc) think AI will benefit society as a whole. Short of half of those in the survey (44pc) believe their organisation is unaware of the risks of AI and doesn’t have policies in place to ensure safe use. Despite this, 85pc are at least considering the use of AI in their role.
Amanda Finch, CEO of CIISec says: “Whilst the AI revolution will undoubtedly benefit many business functions, it’s presenting more questions than answers for cybersecurity professionals. There’s a huge risk of both cybercriminals weaponising the technology, and employees with a lack of risk awareness inadvertently leaving their organisation vulnerable when using it.
“The security industry needs to build knowledge of the threats posed by AI – particularly GenAI – whilst it’s still in its relative infancy. Educating people just entering the industry and those looking to start a career in cyber will be particularly vital, as they’ll be defending against AI attacks for decades to come. This will help to inform security practices and help cybersecurity professionals to educate the wider business about risk and safety.”
The institute’s CIISec LIVE 2024 event runs on November 26 in Bristol; on a theme of ‘Cyber Mastery: Basics to Brilliance’.
The study also looked into broader cyber industry trends. As for working conditions, stress looms large; cyber people reported a sharp rise in wages compared to the first CIISec State of the Security Profession report in 2016/17. The average wage now sits at £87,205 – more than a £25,000 rise across the period, outpacing inflation. However, this comes at a cost, with perhaps a fifth or a quarter of those surveyed (22pc) classed as overworked, and a good half, 55pc saying that they are kept awake at night by the stress of the job.
While 56pc of those surveyed believe that the industry is doing better at defending against and dealing with breaches, this isn’t sustainable, as 80pc of the survey believe security budgets are rising too slowly, flatlining, or declining. Just 11pc think budgets are rising in line with threat levels and a record number (19pc) believe the industry will stagnate over the next three years.
When asked about well and poorly-handled breaches, a majority, 57pc could name a breach that was dealt with well, whereas nearly all, 97pc could remember a poorly managed security incident. The mismanaged breaches also lived long in the memory, tending to have occurred longer ago than well-handled incidents, showing the lasting impact of poor practice. When comparing which poses the greatest operational challenge between people, process and technology, people (72pc) was top, compared to process (17pc) and technology (11pc). Specifically, analytical thinking and problem-solving skills are most in demand. However, the security industry remains an exclusive sector, with only 19pc of those entering the industry without a degree and women making up just 10pc of the workforce. Retention is also an issue, with just 41pc predicting they’ll be in the same role in two years’ time.
Finch adds: “Cybersecurity professionals face so many challenges, many of which – such as the economy and the advanced threat landscape – are out of their control. But bridging the skills gap with improved recruitment and retention is one area where the industry can exert influence and drive improvements.
“If the cybersecurity industry wants to attract and keep its talent, it must diversify recruitment practices, hiring based on skills rather than experience or qualifications. Issues such as stress and career progression will also need to be addressed to help retain staff. With an ever-widening skills gap and more advanced threats driven by AI, failing to attract talent to the industry will hinder efforts to make the world a safer place, both today and in the future.”
At CIISec’s State of the Security Profession webinar on Friday, November 15 at 11.30am to 12.30pm, Amanda Finch, and Piers Wilson, CIISec Director, will examine the key findings of the report.
