ISC2 Cybersecurity Workforce Study: Shortage of AI skilled workers

Sue Poremba, Security Intelligence

January 15, 2025, 11:00

AI has made an impact everywhere else across the tech world, so it should surprise no one that the 2024 ISC2 Cybersecurity Workforce Study saw artificial intelligence (AI) jump into the top five list of security skills.

It’s not just the need for workers with security-related AI skills. The Workforce Study also takes a deep dive into how the 16,000 respondents think AI will impact cybersecurity and job roles overall, from changing skills approaches to creating generative AI (gen AI) strategies.

Budgets and the skills gap

According to the study, two-thirds of respondents think that their expertise in cybersecurity will augment AI technology; on the flip side, a third are concerned their jobs could be eliminated in an AI-focused world.

That, of course, is not going to happen immediately. Not even half the respondents have implemented gen AI into their tools. The more immediate concern for cybersecurity professionals is budgets.

“In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023,” the report stated.

These budget cuts have impacted the skills gap, as two-thirds of the respondents said not only have the budget cuts led to current staffing shortages but they are expected to make closing the skills gap even more difficult in the next few years.

Many of the respondents pointed out that the skills gap has had a more negative effect on organizational security than the decrease in on-site staff. In part because the funding isn’t available for training and because those with skills in high demand are moving on to better-paying positions, many security teams struggle to address the threats and risks in today’s cybersecurity landscape.

The role of AI in the skills gap

Two years ago, AI wasn’t even considered a required skill set for cybersecurity jobs, but now it is a top five skill, said Jon France, CISO with ISC2.

“And we suspect that probably next year, it will be the number one in-demand skill set around security,” France said in a conversation at ISC2’s Security Congress in Las Vegas.

(If you’re wondering, the other skills in the top five are cloud, zero trust architecture, forensics, incident response and application security — all areas that have been at the top of the skills need list for a long time.)

AI’s role in cybersecurity is changing because of the exponential increase in data and the need to gather good intelligence on the data being generated.

“AI is one of the tools that can obviously consider large data sets very quickly,” said France. Still, human eyes are necessary to validate the results generated from AI models. This is where AI security skills will be most needed to advance the changes in how analysts and incident responders analyze data.

France also believes that AI will change the scope of entry-level security positions. “I think if you’re coming into the profession, and if you’ve got to pick up one thing to learn, you’ll get the most favorable opportunities if you have experience of using generative AI coding.”

Right now, however, there is a bit of a disconnect between the technical skills that hiring managers think are needed and what non-hiring managers want. Both types of managers list cloud computing security skills at the top of the list, but when asked about AI/ML skills, only 24% of hiring managers said it was a skill they want right now, ranking last on the skills-need list. When non-hiring managers are asked about the skills most in demand to advance careers, 37% said AI/ML, higher than every other listed skill but cloud security.

AI is reinventing cybersecurity skills

In its study AI in Cyber 2024, ISC2 found that 82% of respondents are optimistic that AI will improve work efficiency, and 88% thought it would impact their job role in some way. Relying more on AI in the cyber world has a lot of positive points, but there are also issues around the technology causing stress. Four in ten respondents said they aren’t prepared for the explosion of AI, according to the AI study, and 65% said their organization needs more regulations around the safe use of gen AI, according to the Workforce study.

But there are also a lot of question marks surrounding what skills will be needed. “While study participants speculated on what skills may be automated or streamlined, they cannot yet predict what activities, if any, AI will replace,” the study reported. Perhaps this is why hiring managers are showing some reluctance to hire cybersecurity professionals who have AI technical expertise.

With AI, many anticipate an uptick in the need for non-technical skills. Cybersecurity has been more open to finding potential professionals outside of the traditional technical areas and training them for their new roles, so it isn’t too surprising that, because hiring managers aren’t certain of the type of skills that will be required for using gen AI as a security tool (or for securing gen AI, for that matter), there is a greater willingness to default to non-tech skills that are seen as more transferable as the technology evolves. Overall, strong communication skills were listed as the most in-demand skill set across all of cybersecurity, followed closely by strong problem-solving skills and teamwork/collaboration skills.

The cyber workforce in the world of AI

Looking at the overall picture of how AI skills will fit into the cybersecurity workforce going forward, it is likely that the issues that hamper hiring today will have a similar impact on AI expertise. Budget cuts will decrease the workforce, as already mentioned. France pointed to the human resources gap as well, where entry-level positions are posted with requirements such as certifications that require five years of work experience.

“We also need to blow this myth: New entrance into the cybersecurity workforce doesn’t mean young. It can be a career change. In fact, career changes bring a lot of different viewpoints and experiences,” said France.

Hire for the skills the employee is bringing to the table, even if they aren’t what you need right now. “The rest,” said France, “can be taught.”

CISO vs. CEO: Making a case for cybersecurity investments

Sue Poremba, Security Intelligence

December 30, 2024, 14:00

Ask CISOs why they think there is a cyber skills shortage in their organization, what keeps them up at night or what the most important issue facing the industry is — at some point, even if not the first response, they will bring up budgets.

For example, during a roundtable discussion at RSA Conference 2024 about issues facing the cybersecurity industry, one CISO stated bluntly that budgets — or lack thereof — are the biggest problem. At a time when everything is getting more expensive, the CISO said, security budgets are being slashed.

As for the cybersecurity talent shortage, the 2024 ISC2 Cybersecurity Workforce Study noted that “39% said a lack of budget was the top reason for cyber shortages, replacing a shortage of talent as the previous top reason for staff shortages.” According to Forrester’s 2024 Cybersecurity Benchmarks Global Report, the cybersecurity budget is just 5.7% of the entire IT budget, making it very difficult for CISOs to bring in the right personnel or upgrade tools and solutions.

However, it might not be the dollar amount that is the problem as much as where the budget is coming from. CEOs think about cybersecurity differently when it is tied to IT and when the CISO reports directly to the CIO versus when the CISO can present cybersecurity as a vital cog in overall business operations and tie it directly to business risk, the Forrester report found.

“CISOs who can articulate the business value of cybersecurity, demonstrating how it can drive revenue and support strategic goals, are more likely to secure the necessary funding. This shift also reflects a growing recognition of cybersecurity’s strategic importance beyond mere IT operations,” Louis Columbus wrote.

Key issues in cybersecurity funding

Once cybersecurity is approached as a key factor in business operations rather than as a function of IT, CEOs and CISOs are more likely to be on the same page when it comes to budget.

“Security funding and oversight is a top priority for both the management team and the Board of Directors,” said Dave Gerry, CEO of Bugcrowd.

“Cybersecurity investment uplift is prioritized against the cyber threats we face as a business; the IT risks that we have identified and need to remediate or the customer and compliance obligations that we need to ensure,” Gerry added. “Thematically, however, it all points back to ensuring that the confidentiality, integrity and availability of our data we reside over is protected — whether it’s that of customers, employees or critical business partners, whilst enabling our business in-turn.”

Risk prioritization and business continuity are two key areas that George Jones, CISO at Critical Start, focuses on. Along with emerging threats and vulnerability management, Jones says these four items are the pillars of security for the enterprise as they are aligned with overall business goals and objectives.

One of the drivers behind realigning cybersecurity investments is the Securities and Exchange Commission’s (SEC) new rules around the disclosure of cybersecurity incidents. Organizations are now also required to share details about their cybersecurity risk management programs, particularly around any financial information.

“After recent SEC guidelines were announced, Boards are more focused than ever on cyber risk reduction and ensuring adequate funding is critical, especially as organizations’ attack surfaces continue to rapidly expand,” said Gerry.

Collaboration between CISOs and CEOs

While CISOs and CEOs (and, in many cases, in conjunction with the CFO) have to build an ongoing dialogue about cybersecurity investments, they are coming to the table with two different interests.

“The CEO lens will be focused on obtaining satisfaction that the security initiatives deliver value with tolerable impacts on productivity, but more importantly looking for the potential of competitive advantage,” said Gareth Lindahl-Wise, CISO at Ontinue. The CISO’s approach, on the other hand, focuses on risk prevention, mitigation and solutions to meet all of the organization’s legal, regulatory and contractual obligations.

The overall goal should be to create a security posture advantageous in gaining or retaining customers or attracting investment. Ultimately, said Lindahl-Wise, these decisions lie with the CEO and board.

“When it comes to funding and risk acceptance, CISO is, largely, an expert advisor — if an informed and conscious decision has been made by a CEO, then one should argue the CISO has discharged their responsibilities,” Lindahl-Wise added.

CEO Gerry, however, said the final decision on funding allocation is made by the Board of Directors, and it is up to both the CEO and the CISO to get their buy-in on where and what security investments should be made.

“This is a key reason that the CISO should report to the CEO and have direct access to the Board of Directors,” said Gerry. “While oftentimes security can be viewed as a cost center, the new reality is that a robust security program should be a competitive differentiator and a revenue enabler, in addition to simply being the cost of doing business in an ever-expanding threat environment.”

The Future is AI

CISOs have long understood the role AI plays in cybersecurity, particularly in handling some of the most mundane tasks, which frees up time for overworked security teams to handle issues that require hands-on management. As generative AI becomes ubiquitous in the workplace, CEOs have become increasingly aware of AI’s impact on business and security risks. Some companies are adding Chief AI Officers to their IT and security teams, but even when they aren’t, CEOs still recognize the need to include AI in future security budgets.

“As threats become more sophisticated, leveraging AI tools enables us to enhance our threat detection, automate responses and improve incident management,” said Darren Guccione, CEO at Keeper Security. “Skilled professionals are needed to navigate the rapidly evolving threat landscape and ensure that our AI-driven strategies remain effective and secure and must be a budget consideration.”

How it is defined within the cybersecurity budget will depend on how it is used. Will it be a fringe use of AI in commercial tools for productivity gains or an embedded use of AI in the organization’s core offerings?

“If it is the latter, the CEO must satisfy themselves that the organization has the right experience to manage the opportunities and risks,” Lindahl-Wise said. As for the security side of things, “My hunch is we will see AI responsibilities feature heavily in CIO/CTO roles before standalone CAIOs become the norm.”

AI might be the most current technology and security disrupter, but it won’t be the last. Where it is similar is that it creates risk, both to the business and to cybersecurity, and risk is where CEOs and CISOs will focus on investments as a team.

Making smart cybersecurity spending decisions in 2025

Jennifer Gregory, Security Intelligence

December 13, 2024, 11:00

December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.

Gartner expects cybersecurity spending to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way as the segment expecting the most spending growth, with security software coming in second and network security as the third area of growth.

“The continued heightened threat environment, cloud movement and talent crunch are pushing security to the top of the priorities list and pressing chief information security officers (CISOs) to increase their organization’s security spend,” said Shailendra Upadhyay, Senior Research Principal at Gartner in a recent press release. “Furthermore, organizations are currently assessing their endpoint protection platform (EPP) and endpoint detection and response (EDR) needs and making adjustments to boost their operational resilience and incident response following the CrowdStrike outage.”

Factors contributing to the increase in spending

While spending decisions and increases are likely due to many different reasons, Gartner points to two main reasons for the predicted increase.

  • Generative AI: Gartner said that organizations using generative AI will need to take additional steps to secure their environment. The IBM Framework for Securing Generative AI lays out five steps: securing the data, securing the model, securing the usage, securing AI model infrastructure and establishing sound AI governance. Many organizations will need to purchase additional software, such as application security, data security and privacy and infrastructure protection, due to the increased use of generative AI.
  • The global skills shortage: Many organizations are facing a skills shortage where they do not have the in-house talent to manage their cybersecurity needs. As a solution, many are hiring help to reduce their risks, such as security consulting services, security professional services and managed security services. Gartner points to the costs of these services as a driving factor in high predicted spending, making services a high-growth area of cybersecurity.

Creating your cybersecurity budget

Instead of simply making a single line item on your organization’s budget that encompasses cybersecurity, accurate budgeting starts with breaking out all of the components of an effective cybersecurity program.

Consider the following in your budget:

  • Labor costs: Besides salaries for all full-time employees, consider any additional services you need to purchase. For example, outsourcing penetration testing falls into this line item. Additionally, consider if you need to hire managed services for any portion of your cybersecurity.
  • Technology: Think about all types of software needed, which includes antivirus, encryption tools and firewalls. Consider if you will be using generative AI for cybersecurity as well as additional tools needed to protect the organization from attacks on generative AI tools used for daily business tasks. Be sure to also include hardware costs, such as any infrastructure upgrades needed to run any new technological tools, especially generative AI.
  • Training: Many organizations only consider the budget for training and certifications for their cybersecurity staff. However, be sure to allocate funds for cybersecurity training for the entire organization. By thinking outside the box and setting aside sufficient funds, you can make a big impact in reducing cyberattacks caused by employee errors.
  • Incident Response: After a breach or attack happens, organizations need funds to contain the breach and manage the response. Costs that often occur include legal fees, PR firms, overtime, data breach notification, identity theft protection and loss of revenue.

Budget can affect employee stress

While many organizations consider business disruption and potential risk when creating their cybersecurity budget, many overlook how the budget impacts the cybersecurity team.

The ISACA State of Cybersecurity 2024 and Beyond found that 66% of cybersecurity professionals stated their role is more stressful. Not surprisingly, the top reason (81%) stated was that the threat landscape is increasingly complex. However, the budget being too low (45%) tied for second with worsened hiring retention challenges and staff not being skilled/trained.

The report found that more than half (51%) felt that their budgets were underfunded, an increase from 47% sharing that sentiment in 2023. Additionally, only 37% expect that their budgets will increase in 2025. Adding to the stress, only 40% had high confidence that their team was prepared to handle a cyberattack. At the same time, 47% expect a cyberattack on their organizations.

Reducing employee stress while budgeting for 2025

As business leaders are working on budgets, here are some ways to reduce employee stress related to the 2025 budget.

  • Include your hands-on cybersecurity team members in the budget discussions. When employees feel that their perspectives and ideas are heard, they are less likely to be resentful. Additionally, they can see first-hand the tradeoffs involved in budgeting as well as the impact of each decision on other line items. 
  • Ask employees to share their current challenges. By starting with understanding their problems, you can then use these issues to drive the budget decisions. If team members jump to the technology solutions, steer them back to first discussing the problems.
  • Have your cybersecurity team research and get estimates. Once you move to the solution portion of budgeting, ask cybersecurity team members to research tools and get estimates. Since they will be the ones using the tools on a daily basis, getting their buy-in on specific solutions can help increase satisfaction as well as improve the accuracy of the budget.
  • Show team members the draft budget. Budgeting often means making hard decisions. By showing the team the draft budget and asking for their input, they feel heard and also can see the tradeoffs that are necessary as part of the budgeting process.

While the increase in cybersecurity spending is a positive trend overall, the most important thing is how companies use their higher investments. By making the right choices for your specific organization, you can reduce risk while also improving employee satisfaction.
