The Chartered Institute of Information Security (CIISec) today revealed the findings of its annual State of the Security Profession report, showing that more than half (54%) of cybersecurity professionals believe cybercriminals will benefit more from AI than the security industry. The survey of cybersecurity professionals comes as AI continues to dominate the tech landscape, and shows:

  • AI influence: More than half (51%) of those surveyed believe that AI and machine learning will be the most influential technology in the cybersecurity industry over the coming year. Zero trust and cybersecurity hygiene basics were the next closest technologies/principles, both with just 7%.
  • Winners and losers of AI: 89% of cybersecurity professionals say AI will benefit attackers, compared to 84% who say it will benefit the cybersecurity industry itself. Unskilled workers (26%) and older people (39%) will benefit the least. Less than half (48%) think AI will benefit society as a whole.
  • Risk (un)awareness: Almost half of security professionals (44%) believe their organisation is unaware of the risks of AI and doesn’t have policies in place to ensure safe use. Despite this, 85% are at least considering the use of AI in their role.

“Whilst the AI revolution will undoubtedly benefit many business functions, it’s presenting more questions than answers for cybersecurity professionals. There’s a huge risk of both cybercriminals weaponising the technology, and employees with a lack of risk awareness inadvertently leaving their organisation vulnerable when using it,” says Amanda Finch, CEO of CIISec. “The security industry needs to build knowledge of the threats posed by AI – particularly GenAI – whilst it’s still in its relative infancy. Educating people just entering the industry and those looking to start a career in cyber will be particularly vital, as they’ll be defending against AI attacks for decades to come. This will help to inform security practices and help cybersecurity professionals to educate the wider business about risk and safety.”

Beyond the risk of AI, the research also looked into broader cybersecurity industry trends, including:

  • Wages are high, but so is stress: Cybersecurity professionals reported a sharp rise in wages compared to the first CIISec State of the Security Profession report in 2016/17. The average wage now sits at £87,205 – more than a £25,000 rise across the period, significantly outpacing inflation. However, this comes at a cost, with almost a quarter of cybersecurity professionals (22%) classed as overworked, and 55% of security professionals kept awake at night by the stress of the job.
  • Breaches are handled better than budgets: Whilst 56% of security professionals believe that the industry is doing better at defending against and dealing with breaches, this isn’t sustainable, as 80% of cybersecurity professionals believe security budgets are rising too slowly, flatlining, or declining. Just 11% think budgets are rising in line with threat levels and a record number (19%) believe the industry will stagnate over the next three years.
  • Poor practice lasts long in the memory: When asked about well and poorly handled breaches, just 57% could name a breach that was dealt with well, whereas 97% could remember a poorly managed security incident. The mismanaged breaches also lived long in the memory, tending to have occurred longer ago than well-handled incidents, showing the lasting impact of poor practice.
  • Lack of diversity widening the skills gap: Asked which of people, process and technology poses the greatest operational challenge, respondents ranked people (72%) top, ahead of process (17%) and technology (11%). Specifically, analytical thinking and problem-solving skills are most in demand. However, the security industry remains an exclusive sector, with only 19% of professionals entering the industry without a degree and women making up just 10% of the workforce. Retention is also an issue, with just 41% predicting they’ll be in the same role in two years’ time.

“Cybersecurity professionals face so many challenges, many of which – such as the economy and the advanced threat landscape – are out of their control. But bridging the skills gap with improved recruitment and retention is one area where the industry can exert influence and drive improvements,” says Finch. “If the cybersecurity industry wants to attract and keep its talent, it must diversify recruitment practices, hiring based on skills rather than experience or qualifications. Issues such as stress and career progression will also need to be addressed to help retain staff. With an ever-widening skills gap and more advanced threats driven by AI, failing to attract talent to the industry will hinder efforts to make the world a safer place, both today and in the future.”

To download a copy of the report, please visit the CIISec website. The report will also be available as a hard copy at CIISec’s annual Live conference.

About CIISec

The Chartered Institute of Information Security (CIISec) is the natural home for the cyber professional community. As the first institute in the space to be granted Royal Charter status, CIISec provides a universally accepted focal point for cyber and information security professionals at every career stage. CIISec is committed to raising levels of competency and developing teams effectively, ensuring today’s professionals are equipped with the skills and knowledge to navigate the cyber threats of tomorrow. As well as supporting the cyber professional community, CIISec also encompasses the Institute of Cyber Digital Investigation Professionals (ICDIP). This is achieved through programmes that support development, recognition and success.

  • Development – CIISec is the place to go for cyber professional development and ethical practice.
  • Recognition – CIISec provides an authoritative voice for the cyber industry and recognition of excellence in practice.
  • Success – CIISec helps you and your business succeed securely in the digital world.