AI cyber-attacks a critical threat, but CISO priorities are not changing yet, according to the latest ClubCISO research
A new cybersecurity report by ClubCISO in collaboration with Telstra Purple finds that despite significant concerns around the impending impact of AI cyberattacks on respondent organisations, many have not seen their priorities or investment plans change.
The report, informed by a survey of cybersecurity leaders across public and private sector organisations worldwide, emphasises that among the myriad risks vying for the CISO’s attention, AI cyber-attacks are not yet forcing a change of focus.
The majority (63%) of CISOs surveyed rate the severity of the threat posed to their businesses by AI cyber-attacks as critical or high, with 63% also suggesting that AI cyber-attacks will be extremely damaging to businesses. This underscores the urgent need for preparedness, as 62% agree that the industry is not equipped to deal with the threat. However, the emergence of AI has not altered the priorities of a significant chunk (40%) of respondents, and for more than three-quarters of respondents (77%), AI hasn’t triggered an increase or decrease in cybersecurity spending.
Despite all the buzz around AI and a cybersecurity skills gap, only 6% of CISOs are hiring more staff with the skill set to recognise the signs of AI cyber-attacks and only 7% are hiring staff with the skill set to use it in a defensive role.
The findings suggest that whilst AI cyber-attacks represent a significant risk, combatting them may not require a shift in priorities or a dramatic uplift in dedicated AI skills. CISOs are maintaining course on their resilience plans with perhaps some optimising of processes and existing capabilities.
When asked to rank the severity of current threats to their organisations, ransomware came out on top, with 67% suggesting it represents a severe or very severe threat. Software supply chain/third-party risk (64%) and software vulnerabilities (59%) came in second and third as the biggest threats to respondent organisations today, ahead of AI cyber-attacks.
For those who are already taking some precautionary action against the threat of AI cyber-attacks:
- 41% say they are training staff to recognise and defend against AI cyber-attacks
- 31% suggest they are training staff to use AI in a defensive role
- Only 30% say they have started investing in defensive AI technology
Commenting on the findings, Rob Robinson, Head of Telstra Purple EMEA, stewards of the ClubCISO community, said, “Our member survey highlights that, in contrast to some of the reporting we’ve seen around AI, CISOs are taking a measured, wait and see approach before making any significant investment decisions. While AI has the potential to augment a range of attack tactics, such as creating more compelling social engineering attacks, CISOs are more concerned with threats as they stand today.”
He continued, “We’ve seen CISOs evolve to become strategic conductors, rather than technology and domain experts, in the past few years. The emergence of AI and the threat it poses are clearly being balanced with a range of technology, skills, risk, and macro-economic factors.”