As AI continues to reshape the security landscape, Boston Consulting Group’s latest cybersecurity research reveals a widening gap between threat capability and corporate defence. The firm’s 2024 Annual Cybersecurity Survey, titled ‘What Cybersecurity Leaders Get Right’, found that 72% of firms faced AI-powered phishing attacks last year.
The research comes as organisations worldwide spend US$200 billion annually on cyber products and services, with 76% of Chief Information Security Officers planning increased investments this year. Yet this spending shows no correlation with improved security posture.
In this interview, Vanessa Lyon, BCG’s Global Leader of Cyber and Digital Risk, outlines how the “nondeterministic characteristics” of generative AI (Gen AI) are challenging traditional rule-based security tools, creating new vulnerabilities in enterprise defence systems.
You lead the topic of cybersecurity and digital risk globally at BCG. Can you describe your role and how you’re advising clients?
Strategy is central to BCG’s DNA. We help boards and C-Suites anchor cyber into their business strategy, making sure the topic is addressed at the highest level, and can be used to unlock sustainable competitive advantage.
Cybersecurity actions and measures are too often relegated solely to technologists. Yet, given today’s changing threat landscape, pervasiveness of digital, and increased regulatory pressures and scrutiny – business and tech need to sit at the same table.
What are the biggest concerns you hear from CISOs and cyber leaders?
Overall, many cyber leaders are crushed between increased risk, budget pressure, and talent shortages. The findings of our latest CISO survey also show that there is no correlation between spending and maturity. With regard to the actual types of attacks, we see that the bar is lowering for many to be able to easily trigger large-scale attacks. For example, credible deepfake tech is accessible to high schoolers. And the nondeterministic characteristics of Gen AI are challenging the current rule-based cyber tools.
How is Gen AI impacting the cybersecurity threat landscape for global enterprises?
The nondeterministic characteristics – or ways in which a model can produce different output even with the same input – challenge the efficacy of current rule-based cyber tools for several reasons including the unpredictability of the AI’s outputs, evasion of signature-based detection, increased complexity in behavioral analysis, difficulty predicting AI-driven social engineering tactics and adaption to new, unrecognisable patterns.
Organisations worldwide spend US$200bn a year on cybersecurity products and services. What are your expectations for cyber spend in the coming year? Where are companies investing?
Today’s threat landscape is dynamic, and we expect cybersecurity budgets will continue rising. According to our survey findings, 76% of CISOs are planning increased investments this year. Spending priorities are shifting, though, toward high-impact areas like zero-trust network access, identity management and cloud security while companies aim to streamline vendor relationships for better integration and cost efficiency.
That said, as I mentioned, increased spend doesn’t necessarily correlate with cyber maturity. Leading companies are ‘spending smart’ by aligning investments with a long-term, strategic view.
Key facts
76% of CISOs expect increased cybersecurity spending in 2024, with budgets rising 11% year-on-year
Only 72% of cybersecurity roles are currently filled across the industry
59% of companies have faced AI-powered malware attacks in the past 12 months
What are the biggest reasons for the talent shortage in the cybersecurity space? How are companies addressing this issue?
The cyber talent shortage stems primarily from a mismatch between required skills and available candidates, with only 72% of roles currently filled. The rapid pace of technological change, paired with new AI-enabled threats, has intensified the need for highly specialised skills, creating fierce competition across industries.
In response, companies are focusing on continuous training, skill mapping, and targeted recruitment to bridge gaps. Efforts to attract underrepresented groups, especially women, and partnerships with educational institutions are also critical. These strategies help expand the talent pool and build a resilient, future-ready workforce.
Source: https://cybermagazine.com/articles/bcg-global-cyber-leader-how-gen-ai-breaks-security-defences