The use of artificial intelligence (AI) by threat actors is limited largely to crafting more effective social engineering and phishing lures, and AI-orchestrated ransomware attacks are still some way off, if they ever happen at all. Against that backdrop, 63% of UK chief information security officers (CISOs) say the potential threat from AI cyber attacks is high or critical, and 62% agree they are not equipped to deal with them, yet the biggest threats to their organisations remain ransomware, supply chain attacks and software vulnerabilities.
This is according to a survey conducted among members of security community ClubCISO, which found that 40% of security leaders are holding fire when it comes to changing their spending priorities, and 77% have not yet changed their cyber spending plans to account for AI.
“Our member survey highlights that, in contrast to some of the reporting we’ve seen around AI, CISOs are taking a measured, wait-and-see approach before making any significant investment decisions,” said Rob Robinson, head of Telstra Purple EMEA, which operates the ClubCISO community.
“While AI has the potential to augment a range of attack tactics, such as creating more compelling social engineering attacks, CISOs are clearly more concerned with threats as they stand today.”
Robinson said this may reflect the evolution of the CISO role over the past few years, with CISOs becoming more of a “strategic conductor” than technical experts, and more able to balance their reaction to new threats and account for factors such as macroeconomics, risk and skills.
Where ClubCISO members have taken some precautionary measures against AI-enabled cyber attacks, these moves have come in the form of enhanced cyber security training: teaching security teams to recognise the signs of cyber attacks enhanced by AI and defend against them, or to take advantage of AI’s defensive capabilities. Fewer are actually investing in technological solutions.
The survey’s findings also suggest that combatting future AI-enabled cyber attacks may not in fact require much of a shift in priorities, or a dramatic skills uplift, which contrasts with the views of other observers.
ClubCISO suggested its members were clearly “maintaining course” on their resilience plans, and the growth of AI as a threat vector may yet be manageable through optimising existing capabilities and processes.
Indeed, despite talk of an AI and cyber skills gap, only 6% of security leaders are hiring more staff with the skills to recognise and handle AI cyber attacks, and only marginally more (7%) are hiring staff with the skills to deploy AI defensively.