A slender 54% majority of UK cyber security professionals believe threat actors stand to benefit more from artificial intelligence (AI) than they do, according to a report on sector attitudes compiled by the Chartered Institute of Information Security (CIISec).
All told, 89% of those who took part in the organization's latest State of the security profession report said they thought AI would benefit attackers, compared with 84% who thought it would benefit the cyber security industry directly.
The study also exposed a lack of planning for AI among UK businesses, with 44% of cyber professionals saying their organization was broadly unaware of the risks posed by AI and did not have sufficient policies in place to ensure it was being used safely – although this, 85% were at least considering the use of AI themselves.
The CIISec report showed that AI and machine learning will be the most influential technology in the security sector in 2025 by a country mile, with 51% agreeing, compared with zero trust, cited by just 7%, and security hygiene basics, also cited by 7% of respondents.
“Whilst the AI revolution will undoubtedly benefit many business functions, it's presenting more questions than answers for cyber security professionals. There's a huge risk of both cyber criminals weaponising the technology and employees with a lack of risk awareness inadvertently leaving their organization vulnerable when using it,” said Amanda Finch, CEO of CIISec.
“The security industry needs to build knowledge of the threats posed by AI – particularly generative AI – whilst it's still in its relative infancy. Educating people just entering the industry and those looking to start a career in cyber will be particularly vital, as they'll be defending against AI attacks for decades to come. This will help to inform security practices and help cyber security professionals to educate the wider business about risk and safety.”
Beyond the cutting edge
As always, CIISec's annual report also explored broader security industry trends, where it found some areas of general improvement, but also much to be concerned about.
Amanda Finch, CIISec
For example, average sector wages now stand at over £87,000, up £25,000 from its first such report covering the 2016-17 period – an indication that, for security professionals at least, earnings growth has not only kept up with, but outpaced inflation. .
Security professionals also tended to believe that, as an industry, they were doing better at defending against and dealing with cyber incidents, but many said this is unsustainable – 80% think their budgets are either rising too slowly, flatlining, or outright declining, compared with 11% who think budgets are rising in line with threat levels. Many believed a period of stagnation in security may lie ahead.
Coupled with this, almost a quarter of cyber security professionals said they felt overworkedand over half said they had had trouble sleeping due to the pressures of the job. And well they might, because when asked about well-handled and poorly handled incidents, just 57% could name one that had been handled appropriately while 97% could remember a mismanaged breach.
Talent gap widened by diversity failings
Finally, this year's report also explored how a lack of attention to diversity within the security sector is widening the skills gap. Between people, processes and technology, it is people, said CIISec, that pose the greatest operational challenge, with analytical thinking and problem-solving skills in particular shortage.
The sector also remains an exclusive one, with only 19% of entry-level cyber professionals not holding a degree, and only 10% women. Retention is also a growing issue, with only 41% of cyber professionals predicting they would be in the same role two years from now.
“Cyber security professionals face so many challenges, many of which – such as the economy and the advanced threat landscape – are out of their control. But bridging the skills gap with improved recruitment and retention is one area where the industry can exert influence and drive improvements,” said Finch.
“If the cyber security industry wants to attract and keep its talent, it must diversify recruitment practices, hiring based on skills rather than experience or qualifications. Issues such as stress and career progression will also need to be addressed to help retain staff. With an ever-widening skills gap and more advanced threats driven by AI, failing to attract talent to the industry will hinder efforts to make the world a safer place, both today and in the future.”