Gen AI and Cybersecurity: Risk and Reward

Ivanti’s Cybersecurity Research Report Series

Research from Ivanti shows how organizations are managing the double-edged sword of gen AI in cybersecurity — and the processes, technology and talent needed to fortify defenses.


01

AI silos

Problem today

Despite strong optimism about gen AI, data silos prevent organizations from fully leveraging their AI investments.

Optimism about gen AI is high among security professionals, according to research from Ivanti. Professionals are 8x more likely to say gen AI is a net positive (vs. a net negative) for security.

Despite the positive outlook for gen AI, 72% say their IT data and security data are siloed.

How can organizations be so optimistic about gen AI given what appear to be persistent data accessibility problems?



Why it matters

To deliver on its immense promise, gen AI requires real-time, highly accessible data.

Organizations must break down data silos to achieve a true single source of truth — always-on access to data that is clean, validated, standardized and highly accessible across applications, systems, users, etc.

As gen AI becomes more powerful and widely available, the applications for its use in cybersecurity are expected to be far-reaching; they include:

  • Enhanced threat detection to identify patterns, anomalies, and potential security breaches.
  • Improved predictive capabilities using historical and real-time data to quickly assess risk and deliver proactive threat predictions.
  • Real-time response to facilitate rapid, automated responses to emerging threats, significantly reducing response times and potential damage.

Regardless of whether an organization has ample budget to invest in tech or great optimism about AI’s power, as long as data silos persist, organizations will not be able to maximize AI’s potential.

02

AI attacks

Problem today

Gen AI is a powerful tool for security teams protecting organizations, but it can also be used by bad actors … and phishing-related attacks are a growing, concerning threat vector.

When survey respondents are asked which threats are becoming more dangerous, “phishing” is the number one answer, chosen by 45%.

Attackers are now using generative AI to craft highly believable content to lure victims — all at high scale and low cost. This threat vector will become even more powerful as attackers further personalize their phishing messages based on data found in the public domain.



Why it matters

AI-powered social engineering is attackers’ most powerful weapon. Training is a critical part of a multi-layered cyber defense, yet many organizations have not evolved their training strategies to reflect AI-powered threats.

Gen AI gives tremendous power to threat actors, who are iterating new methods to exploit the human element in organizations. Educated employees are still extremely important (even if imperfect) for organizations to defend against AI-driven cyber threats.

57% say they use anti-phishing training to protect their organization from sophisticated social-engineering attacks. It’s the most frequently used method compared to all others.

Yet just 32% say they believe training is “very effective” to protect against AI-powered social-engineering attacks. (Failure to continuously update training to reflect new realities may be one reason for this.)

Gen AI currently stacks the deck in favor of threat actors, who can exploit AI capabilities to continuously improve their phishing attempts.

Attackers have greater resources, more time, and dogged persistence. Given the nature of the threat — and how dynamic and complex it is — we as a security community have to work together and share knowledge to defend ourselves against this very complex, organized enemy.

Brooke Johnson
Senior Vice President, Chief Legal Counsel, Ivanti

That said, gen AI will be a crucial tool for defenders as well, helping organizations identify weaknesses in their systems and proactively address vulnerabilities before they are exploited by attackers.



03

AI security talent

Problem today

There is a global shortage of experienced security professionals.

A 2024 study from ISC2 estimates a gap of 4.8 million cyber professionals worldwide needed to secure companies. And research from Ivanti shows that 1 in 3 security professionals cite “lack of skill/talent” as one of the biggest barriers to effective IT operations at their companies. Why has the cybersecurity talent gap grown so wide?

In the past, companies mainly relied on contracted services for cybersecurity. Effective cybersecurity now demands professionals who possess intimate familiarity with the network and operating environment, making full-time positions more feasible and advantageous compared to contracted services. This shift has contributed to the surge in job opportunities — and is a deep challenge for organizations searching for qualified, full-time professionals to fill these positions.

Mike Riemer
Senior Vice President, Network Security Group (NSG) and Field CTO, Ivanti


Why it matters

Gen AI can help close the talent gap by making teams more productive, yet research shows many security professionals have mixed feelings about its potential.

Ivanti’s research shows an interesting contrast between professionals’ optimism about AI in general and individuals’ pessimism about how AI will benefit them personally.

90% of security pros believe gen AI benefits security teams as much as or more than threat actors.

85% say AI tools will highly or moderately improve their productivity at work.

But curiously, security professionals don’t necessarily see that AI-driven benefits will accrue to them personally. They are much more likely — 6x more likely, in fact — to say AI tools will primarily benefit employers, not employees.

To bring employees along, companies must invest in upskilling their cybersecurity teams, using strategies such as interactive learning opportunities and attack simulations. And given the rapid evolution of AI tools, training must be ongoing and continuously evolving. To ensure employees feel engaged and activated, encourage self-directed learning about AI security trends in addition to company-offered training.



04

Action steps

Experts weigh in on how organizations can leverage gen AI to prepare for the future of cyber defense.

Prepare for escalating AI-powered threats

Separate layers can no longer prevent AI-powered attacks from breaching your enterprise. In the hands of attackers, gen AI breaks down defenses by simultaneously breaching networking servers and layers. Threat actors can immediately scale and attack at high velocity … and with a much higher level of intelligence.

Organizations must evolve their defenses to combat something that has more data, more velocity and machine intelligence. It will require wholly new tactics to prevent malicious AI from being an unstoppable force. The way forward is not to eliminate the human element, but to empower humans with AI assistants. These assistants, in collaboration with other AI assistants, can gain a more holistic, cross-disciplined view of the organization.

Modernize your suite of security tools

While attackers have been using AI for years, 2025 will be the year that defenders truly take advantage of its capabilities. Security professionals will effectively leverage the functionality of gen AI to analyze vast amounts of data from various systems. This will provide insights into potential vulnerabilities and help identify weaknesses in systems. Security professionals must — with great urgency — evaluate software solutions and tools for self-protection and self-diagnosis capabilities — then propose upgrades to more modern platforms that offer these features.

Take a holistic view of exposure management and risk quantification

As security becomes more critical to business strategy and sustainability, organizations will adopt a contextual, holistic view of cybersecurity risk. For example, the concept of “attack surface” will broaden to encompass a wide range of both tangible and intangible assets. Exposure management will be viewed as a key business objective and performance indicator. And cyber risk quantification will evolve from subjective assessments to data-driven, objective measurements powered by machine learning.

In a mature organization, cybersecurity strategy will directly influence operational investments and priorities, with the broader C-Suite managing comprehensive decision-making. We expect C-Suite executives will develop competencies to make well-informed, consistent and transparent cybersecurity risk management decisions.

Update internal training to respond to evolving AI security threats

Continuous learning programs are not nice to have; they are essential to teach security teams about emerging threats and defense techniques. Security professionals need hands-on, simulation-based training to help them practice their response strategy in a safe, secure environment. Make sure training content is dynamic and personalized — matched to individual team members' skill level and learning pace.

Currently there is more emphasis in the industry on AI and machine learning expertise, along with developing sound skills in specific programming languages. The threat landscape is evolving, and skills must evolve in parallel. Security professionals need to understand a wide range of AI-enabled attack vectors.

As you deploy advanced AIs, don’t overrule humans

AI and automation can help security teams by using predictive analytics to provide insights and flag potential threats. But decision making should be done by humans, who have critical decision-making skills. AI can add a lot of value in handling a large volume of alerts and repetitive tasks, but there will still be complex incidents that require human intervention: investigations, root-cause analysis and taking preventive action. Companies must strike a balance between automation and human analysis.

Methodology

This report is based on two surveys conducted by Ivanti: the 2024 State of Cybersecurity: Inflection Point and 2024 Digital Employee Experience Report: A CIO Call to Action. In total, these two studies surveyed over 14,500 unique executive leaders, IT professionals, security professionals and office workers.
