Gaps and paradoxes in expectations and concerns were elicited from 400 security decision makers’ answers
Some findings have been published from a November 2024 survey of 400 IT security decision makers* by a cybersecurity firm on the topic of AI in cybersecurity (particularly generative AI).
First, 65% had adopted generative AI (GenAI), but 89% of all respondents were concerned that flaws in GenAI cybersecurity tools could put their organization at risk. This was despite 99% of respondents having said they had evaluated “the caliber of the cybersecurity processes and controls used in the development of GenAI capabilities”.
Second, respondents from organizations of different sizes had indicated different priorities for utilizing GenAI. While those in organizations with more than 1,000 employees were prioritizing improved protection, those in firms with 50–99 employees had rated reducing burnout as their top desired benefit from GenAI tools. Yet, 84% of respondents also noted they were concerned about pressure to reduce cybersecurity professional headcount due to unrealistic expectations about AI’s abilities to replace human operators.
Other findings
The third finding released from the survey results was that the respondents had indicated that costs of GenAI were “hard to quantify” in agreement with prompts to that effect.
Fourth, 80% of the respondents cited their belief that GenAI will significantly increase the cost of cybersecurity tools, and 87% from the same survey cited their belief that the savings of GenAI will offset the costs.
Fifth, with 98% of respondents’ firms reported to have “some form of AI embedded in the cybersecurity infrastructure”, there were concerns about potential over-reliance on AI. Some 87% of respondents cited being concerned about a resulting lack of cybersecurity accountability.
According to Chester Wisniewski, Director, Global Field CTO, Sophos, the firm that commissioned the survey: “We have not actually taught the machines to think; we have simply provided them the context to speed up the processing of large quantities of data. The potential of these tools to accelerate security workloads is amazing, but it still requires the context and comprehension of their human overseers for this benefit to be realized.”
*In organizations with between 50 and 3,000 employees. All respondents worked in the private or charity/not-for-profit sector and were using endpoint security solutions from 19 separate vendors and 14 MDR providers. No geographical demographic information was provided.