Dive Brief:
- One in four CISOs has experienced an AI-generated attack on their company’s network in the past year, and AI risks now top their priority lists, according to a report released Thursday from cybersecurity firm Team8.
- The true number of companies targeted by AI-powered attacks “may be even higher,” Team8 said in its report, “as most AI-driven threats mimic human activity and are difficult to detect without advanced metrics like time to exploitation and velocity indicators.”
- AI outranked vulnerability management, data loss prevention and third-party risk on CISOs’ priority lists, according to the report, which is based on interviews with more than 110 security leaders from major enterprises.
Dive Insight:
AI is creating a range of new cybersecurity challenges for CISOs, from newly effective attacks to newly vulnerable technology platforms.
The issues dominating CISOs’ minds are securing AI agents (which 37% of respondents mentioned) and ensuring that employees’ use of AI tools conforms to security and privacy policies (36%). Beyond AI-powered phishing and malware development, the report shows, executives are also worried about the unintended security consequences of their own companies’ use of AI.
“Boards are pushing aggressively for enterprise-wide [AI] adoption, and security leaders are expected to enable, not block, this transition,” Team8 said in its report. “That puts CISOs in the hot seat: charged with mitigating risk in a technology domain that’s still poorly understood, moving fast, and lacking mature controls.”
Almost half of companies still require employees to get permission to use particular AI tools, an allow-listing approach that Team8 said could cause friction with non-security executives eager to expand their firms’ AI use. “The demand for effective ‘allow-by-default’ controls is acute,” Team8 observed, “as security teams grapple with shadow AI usage and the absence of enterprise-grade governance frameworks.”
On the flip side, CISOs are also eager to incorporate AI into their own operations. Nearly eight in 10 CISOs told Team8 that they expect security operations center roles to be the first positions replaced by AI. Nearly half of those CISOs said that reducing their employee count was a major factor in their experimentation with AI-powered SOCs. Executives also expect AI to replace humans in the areas of penetration testing (which 27% of CISOs cited), third-party risk assessments (27%), reviews of user access requests (24%) and threat modeling (22%).
In the areas of penetration testing and threat modeling — where there is a major workforce shortage because of the required skills and knowledge — Team8 said that AI agents could “unlock expert-level capabilities across a broader surface area.”
Already, nearly seven in 10 companies are using AI agents and another 23% are planning to deploy them next year, according to Team8’s report. Interestingly, given the proliferation of agentic AI vendors, more than two-thirds of the companies using or testing AI agents said they were developing them in-house.
