How CISOs Are (and Aren’t) Using Generative AI

These days, CISOs are wrestling with the question “Will generative AI be a friend or foe?” The short answer: It’s both. According to our recently released CISO Report, CISOs see this disruptive technology as both a tool and a threat. And while the debate rages on over how it will be applied to both the security and threat landscapes, one thing is clear: Generative AI isn’t going away any time soon. Here are the top ways CISOs are using — or plan to use — generative AI in their security systems, based on survey responses from hundreds of CISOs and security leaders.

AI empowers cyber adversaries

First, we need to acknowledge that what can be used for good, can be, and often is, used for evil. AI is no exception — nefarious tooling for cyber criminals has already been created with worrying implications. CISOs are aware of the threats and can see a terrifying future.

Whether founded or not, CISOs’ fear and uncertainty around AI is very real. The overwhelming majority of CISOs (70%) believe that generative AI will create an asymmetrical battlefield that will inevitably be tipped in favor of cyber adversaries. The top three malicious use cases that CISOs predicted were: faster and more efficient attacks (36%), voice and image impersonations for social engineering (36%) and extending the attack surface of the supply chain (31%).

Many of these concerns are still theoretical, driven by media reports or as part of researchers’ proof-of-concepts. Thus far, we haven’t seen generative AI used extensively in real-world attacks. Specifically, the jury is still out on whether leveraging generative AI achieves a higher click-through rate than human-written phishing attempts do.

How AI plays out on the greater threat landscape largely remains to be seen. Meanwhile, CISOs aren’t sitting still. While they’re eyeing evolving AI threats with caution, they’re also simultaneously preparing to build out better, stronger and more resilient cyber defenses.

That’s where generative AI will come in.

AI fills cyber defense gaps

When it comes to how AI can be used for cyber defense, CISOs are already seeing its potential. Thirty-five percent of CISOs report using AI, either extensively or somewhat, for positive cybersecurity functions. Another 61% express that they either have plans to use it in the next 12 months, or are interested in doing so.

AI can address challenges ranging from strategic to deeply technical, and at least for now, CISOs are queuing up mundane technical tasks. The most significant percentage of CISOs (35%) express that they want to use AI for security hygiene. Already we have talked to security organizations that are using generative AI to generate inline documentation for security detections or python code via CI/CD pipelines. Others are using it for asset and inventory collection. Another 27% want to use it for data enrichment of alerts and incidents and 26% are looking to use it for internal communications.

But AI’s potential also stretches far beyond documentation creation and into the realm previously thought only accomplished by the human brain: quality assurance and prioritizing data sources (26%), malware analysis (25%), threat hunting (22%) and incident response and forensic investigations (19%). While the security problems are not new, with AI, the solutions could be.

AI also provides opportunities to elevate staff’s skill sets and education. Forty-six percent plan on getting security teams up to speed on effective prompt engineering. Policy efforts range from implementing security controls to mitigating AI risks (41%), training employees to better understand the threats posed by generative AI (39%) and establishing protocols to determine the types of tasks appropriate for AI bots (37%) as opposed to those that should be done exclusively by humans. Eighty-four percent of CISOs even say they plan to develop their own large language model (LLM) or other AI-based solutions for cybersecurity.

That said, many of these plans are either conceptual or in nascent stages, and teams still lack concrete implementation or deployment strategies. That will almost certainly change over the next year, however, as CISOs start reaping the benefits of AI and seeing new opportunities for development and expansion.

Building out, building better

“Will AI replace jobs?” is another million dollar question. The answer is “not entirely.” In fact, according to our CISO Report, 86% percent of CISOs believe that generative AI will alleviate existing skills gaps and talent shortages that they have on the security team. That means instead of replacing jobs, generative AI will more likely be used to fill in labor-intensive and time-consuming security functions that security professionals drag their feet doing anyway, freeing them up to be more strategic. In light of skills gaps and talent shortages, the reality is that there aren’t enough cybersecurity professionals to meet demands. AI gives organizations the ability to supplement staff with everything from documentation to basic ticket triage.

Instead of fearing AI might steal their jobs, many CISOs see it in the same way as they do automation — augmenting, rather than replacing, talent. When it comes to automation, 93% of CISOs say they have already either extensively or moderately implemented automation into their processes, giving them a lot of room for innovative use cases in the future.

While there are still many unknowns on the AI front, it’s safe to say that it will transform the roles of security professionals and cybercriminals alike. AI will assuredly give adversaries a new set of tools in their arsenal — and security teams will need to prepare accordingly. But CISOs also remain hopeful that it will give them a big leg up as well, allowing them to build out bigger and better cyber defenses, automate and accelerate processes, detect threats faster and eliminate them sooner.

And ultimately, help to beat the cybercriminals at their own game.

For more insight on how fellow cybersecurity leaders today are thinking about AI, ransomware, boardroom communication and more, read the full CISO Report.