CISOs plan to start downsizing security teams because of AI – but experts warn it’s a “shortsighted and dangerous” path to take

CISOs are confident the adoption of AI security tools over the next few years will result in firms cutting back on security staff, new research reveals.

Crowdsourced security platform Bugcrowd’s Inside the Mind of a CISO report analyzed 209 responses from security leaders around the world, defining ‘security leaders’ as anyone with the CISO, CIO, CTO, head of Security, or VP of Security title.

The report found 78% of CISOs are already using AI to support their security teams, while a further 20% stated they are waiting for more powerful models and improved AI tools before making the decision to adopt the technology.

Most notably, 70% of senior cyber executives admitted they have plans to reduce security team headcounts within the next five years as a direct result of their AI adoption strategy.

Almost half (44%) of respondents stated they believe AI security tools can already outperform the average security professional, and another 47% said they think it will do so in the future.

This left just 9% of senior security leaders who think AI security tools cannot outperform their human counterparts and never will.

Bugcrowd found CISO attitudes around AI vary by region, with those located in Asia-Pacific and Australia being more bullish on the technology than their counterparts in the rest of the world.

For example, AI adoption in Asia-Pacific and Australia currently stands at 96%, according to Bugcrowd, and CISOs in the region have a more positive view of the technology’s capabilities.

Two-thirds of CISOs in the region believe AI already outperforms their team members, and 96% are more likely to say the security of AI tools is adequate.

In comparison, adoption rates in North America and EMEA were listed at 78% and 61% respectively, with the report speculating this may be the result of more significant skills gaps in Asia-Pacific and Australian markets combined with a more permissive regulatory environment on generative AI.

Speaking to ITPro, Camden Woolven, group head of AI at GRC International Group, gave her assessment of the causes behind the disparity in adoption rates between regions.

“Countries like China and Japan are making massive investments in AI. China, in particular, has declared its intention to become the global AI leader by 2030,” she said. 

“Plus, I think Asian businesses tend to be more open to new technologies in general (they're often early adopters). And in the cyber security space specifically, many Asian countries are dealing with serious talent shortages so they're turning to AI to help fill those gaps.”

CISOs might be jumping the gun, but experts agree AI will transform security 

Jon France, CISO at ISC2, told ITPro he agrees AI tools will fundamentally change the cyber security sector, but that ISC2’s research does not indicate this will necessarily result in minimizing security teams in the short term.

“Our research suggests that while AI will indeed transform cybersecurity roles, it will not stem the demand for skilled cybersecurity professionals nor necessarily result in shrinking teams,” he said. “Instead, AI is likely to enhance efficiency and allow professionals to focus on more complex, higher-value tasks.”

France said ISC2’s analysis suggested that, although AI is expected to have an outsized impact on cyber security, the technology is more likely to “reshape” these roles than to replace human staff.

“While 88% of cyber security practitioners expect AI to significantly impact their jobs over the next few years, a notable 82% are optimistic that AI will improve job efficiency by performing certain tasks more reliably, at greater speed, and on a larger scale. Rather than eliminating positions, AI is expected to reshape roles and responsibilities within security teams.”


France stressed AI will enhance human productivity, rather than replace it.

“While AI will undoubtedly bring changes, it is more likely to complement human skills and enhance team capabilities, improving job satisfaction, rather than simply reducing headcount,” he explained. 

“Given increasing pressures on security teams, there is a rise in the adoption of AI technology to fully automate security operations. However, this does pose risks for cyber security teams that do still require visibility over technology systems, data usage, and traffic levels to effectively defend against attacks. Implementing these technologies is not a replacement for hiring skilled cyber talent.”

Rik Ferguson, VP of Security Intelligence at Forescout Technologies, echoed this feeling, warning that trying to reduce headcounts too quickly is a risky path for security leaders.

“Shrinking security teams as a result of capabilities enhanced by AI is a shortsighted and dangerous path for CISOs to take,” he explained.

“Consider the current situation, a recent Forrester Research study put the average amount of daily alerts being raised in a SOC environment at 11,000. If we imagine that initial triage work on an alert takes 30 minutes, then 11,000 alerts is equivalent to 5,500 hours of work to do every 24 hours. That would necessitate a SOC team of 687 people - just to do the triage.”

Ferguson argued this is where AI will have the greatest impact on the cyber security community, helping deal with workloads they never had the capacity for in the first place.

“This is exactly the area where AI can and already does help. But look at the numbers, AI is not only potentially freeing up time for the SOC team, it is largely taking care of a volume of information that SOC have never been staffed to deal with. The application of AI in the SOC should be elevating the role of the SOC analyst, not replacing it.”

Solomon Klappholz
Staff Writer
