This year, CISOs are focused on protecting their organizations from an ever-expanding threat landscape, while they help to securely implement new technologies, like AI and generative AI. In fact, generative and traditional AI moved into the top five priorities for CISOs for the first time in 2024.
Last year, we asked CISOs across our communities whether or not they were using AI and GenAI at a time when ChatGPT was the talk of the business world. Now, CISOs are moving beyond the investigation phase, while trying to balance the opportunities with the security risks.
Here is a snapshot of what more than 400 CISOs shared about AI application and adoption at their organizations today.
What is the status of AI Implementation?
More than half of CISOs (52%) say they have developed some AI use cases or are piloting projects. This is a higher percentage than their peers across the C-suite, 45% of whom report that they are at a stage where they have developed AI use cases.
After that, security leaders report they either have completed AI pilot projects (18%) or they have more work to do before implementing AI (18%). One CISO noted that their approach was “cautious, looking for the right fit,” while another said they are seeing “definite benefits in niche applications currently.”
In our 2023 survey, CISOs described their AI usage as exploratory, saying the use cases were “ad hoc in an investigative manner,” or that they were “currently only testing its functionality.”
How does their organization approach technology adoption?
When it comes to adopting new technologies, 40% of CISOs describe their organization as Early Majority adopters, or squarely in the middle on a scale ranging from Innovators to Laggards. Twenty-five percent of security leaders believe their company is an Early Adopter, and 25% say they are in the Late Majority.
Are they taking the same approach to AI adoption?
Eighty-one percent of CISOs report that their organization is approaching AI implementation in the same way as they approach new technologies, in general. This places most CISOs’ organizations in the middle as Early Majority adopters of AI.
However, 19% of CISOs say their company is taking a different approach to AI. Two executives commented that they were adopting AI more quickly because it is “easily accessible and adoptable by many” and because of the “transformational opportunities in AI along with business support.”
A few CISOs commented that they were taking a more conservative approach to AI, with one explaining they have “no clear use case with actual payback and no global governance.”
What might be slowing their adoption?
A whopping 88% of CISOs report they are concerned about deploying AI securely and managing the risks. Seventy-nine percent cite concerns about data privacy and security, and 72% of CISOs are unsure if they can govern the use of AI internally.
CISOs listed these concerns under “Other”: “hallucination,” “ability to meet emerging regulatory requirements,” “changing legislative landscape,” and “if we can demonstrate a clear ROI.”
The percentage of CISOs expressing concerns about AI increased significantly compared to our survey in 2023. Last year, only 23% of CISOs were concerned about security risks, 23% about data privacy, and 21% about governing its use throughout the organization. This is possibly a reflection of the increase in AI usage – in 2023, many security leaders were focused on experimentation, rather than widespread adoption.
What’s their outlook on AI?
CISOs have a positive outlook on the future of AI despite their strong concerns, with 83% reporting their sentiments are “very positive” or “somewhat positive.” Very few security leaders describe their outlook as negative.
For security leaders, their thoughts on AI and its impact on business in the future remain quite similar to last year – when 76% felt “very positive” or “somewhat positive” about AI.
How are they implementing AI tools?
Forty-eight percent of CISOs say they are primarily buying tools to implement AI. Another 41% report that they are employing a combination of buying and building AI tools. Relatively few CISOs (6%) are exclusively building AI tools.
Current Sentiments About AI
We included an open-ended survey question to ask CISOs about their current sentiments on AI and the journey to AI adoption. Here is a sample of their comments:
Generative or predictive AI is still in its relative infancy. Enormous potential. Enormous risk.”
Cautiously optimistic that we will be able to leverage [it] responsibly and attain results of value.”
AI will generate some opportunities to improve our speed to market, but there will be other initiatives that are going to be questionable in value vs. the risk they can introduce.”
Ambivalent; I would like to see it actually save money and allow resources to work on alternate activities with time saved.”
Great potential, but concerned about security risks… We have to make sure our customer's data is safe first and foremost. Any reputational damage is unacceptable.”
I am bullish about it although I harbor some concerns seeing that it is a double-edged sword in the wrong hands.”
If you are a CISO navigating AI adoption at your organization, explore an opportunity to discuss it with your peers by joining an Evanta CISO community near you. If you are already a member, sign in to MyEvanta to find your CISO community’s next gathering.
Based on 400 responses to Evanta’s Community Pulse Survey, June 2024.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.