Gen AI and Cybersecurity: Risk and Reward

Show Notes

Ivanti’s latest research report surveyed over 14,500 executives, security and IT professionals and office workers to understand how organizations are managing the double-edged sword of gen AI in cybersecurity — and the processes, technology and talent needed to fortify defenses.  

Cybersecurity teams are optimistic about gen AI’s ability to improve workflows and enhance threat detection and response, but AI is also a powerful weapon in the hands of threat actors. As Gen AI makes social engineering threats like phishing more dangerous and sophisticated, cybersecurity AI education and training needs to continuously evolve.  

How can organizations leverage AI in cybersecurity efforts and combat evolving AI-powered threats? 

“Listen to hear the full report: Gen AI and Cybersecurity: Risk and Reward.” 

To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/ai-security  

For more Ivanti research on IT, security and the future of work, visit ivanti.com/research. 

About Ivanti 

Ivanti elevates and secures Everywhere Work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver an excellent digital employee experience and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti. 

Chapters

• 0:00: Introduction
• 0:45: Part 1: AI silos
• 2:45: Part 2: AI attacks
• 4:55: Part 3: Security talent
• 6:49: Part 4: Action steps
• 11:26: Outro

Transcript

Introduction 

Research from Ivanti shows how organizations are managing the double-edged sword of gen AI in cybersecurity — and the processes, technology and talent needed to fortify defenses. 

You’re listening to the audio version of Gen AI and Cybersecurity: Risk and Reward, part of Ivanti’s state of cybersecurity research series. To see more Ivanti research and to access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti, I-V-A-N-T-I.com/research.  

[Sting]  

Part one: AI silos 

[Sting]  

Problem today 

Despite strong optimism about gen AI, data silos prevent organizations from fully leveraging their AI investments.   

Optimism about gen AI is high among security professionals — this according to research from Ivanti. Professionals are 8 times more likely to say gen AI is a net positive (vs. a net negative) for security. 

Despite the positive outlook for gen AI, 72% say their IT data and security data are siloed.   

How can organizations be so optimistic about gen AI given what appear to be persistent data accessibility problems?   

[Sting]  

Why it matters 

To deliver on its immense promise, gen AI requires real-time, highly accessible data.   

Organizations must break down data silos to achieve a true single source of truth — always-on access to data that is clean, validated, standardized and highly accessible across applications, systems, users, etc.   

As gen AI becomes more powerful and widely available, the applications for its use in cybersecurity are expected to be far-reaching. 

They include enhanced threat detection, to identify patterns, anomalies, and potential security breaches; improved predictive capabilities, using historical and real-time data to quickly assess risk and deliver proactive threat predictions; and real-time response, to facilitate rapid, automated responses to emerging threats, significantly reducing response times and potential damage.  

Regardless of whether an organization has ample budget to invest in tech or great optimism about AI’s power, as long as data silos persist, organizations will not be able to maximize AI’s potential.   

[Sting]  

Part two: AI attacks 

[Sting]  

Problem today 

Gen AI is a powerful tool for security teams protecting organizations, but it can also be used by bad actors … and phishing-related attacks are a growing, concerning threat vector.   

When survey respondents are asked which threats are becoming more dangerous, “phishing” is the number one answer, chosen by 45%.  

Attackers are now using generative AI to craft highly believable content to lure victims — all at high scale and low cost. This threat vector will become even more powerful as attackers further personalize their phishing messages based on data found in the public domain. 

[Sting]  

Why it matters 

AI-powered social engineering is attackers’ most powerful weapon. Training is a critical part of a multi-layered cyber defense, yet many organizations have not evolved their training strategies to reflect AI-powered threats.  

Gen AI gives tremendous power to threat actors, who are iterating new methods to exploit the human element in organizations. Educated employees are still extremely important (even if imperfect) for organizations to defend against AI-driven cyber threats.   

57% say they use anti-phishing training to protect their organization from sophisticated social-engineering attacks. It’s the most frequently used method compared to all others.   

Yet just 32% say they believe training is “very effective” to protect against AI-powered social-engineering attacks. (Failure to continuously update training to reflect new realities may be one reason for this.)  

Gen AI currently stacks the deck in favor of threat actors, who can exploit AI capabilities to continuously improve their phishing attempts. 

That said, gen AI will be a crucial tool for defenders as well, helping organizations identify weaknesses in their systems and proactively address vulnerabilities before they are exploited by attackers.   

[Sting]  

Part three: Security talent 

[Sting]  

Problem today 

There is a global shortage of experienced security professionals.   

 A 2024 study from ISC2 finds a gap of 4.8 million cyber professionals worldwide needed to secure companies. And research from Ivanti shows that 1 in 3 security professionals cite “lack of skill/talent” as one of the biggest barriers to effective IT operations at their companies. Why has the cybersecurity talent gap grown so wide? 

[Sting]  

Why it matters 

Gen AI can help close the talent gap by making teams more productive, yet research shows many security professionals have mixed feelings about its potential.   

Ivanti’s research shows an interesting contrast between professionals’ optimism about AI in general and individuals’ pessimism about how AI will benefit them personally.   

90% of security professionals believe gen AI benefits security teams as much as, if not more than, it benefits threat actors.   

And 85% say AI tools will highly or moderately improve their productivity at work.   

But curiously, security professionals don’t necessarily see that AI-driven benefits will accrue to them personally. They are much more likely — 6 times more likely, in fact — to say AI tools will primarily benefit employers, not employees.   

 To bring employees along, companies must invest in upskilling their cybersecurity teams, using strategies such as interactive learning opportunities and attack simulations. And given the rapid evolution of AI tools, training must be ongoing and continuously evolving. To ensure employees feel engaged and activated, encourage self-directed learning about AI security trends in addition to company-offered training. 

[Sting]  

Part four: Action steps 

Experts weigh in on how organizations can leverage gen AI to prepare for the future of cyber defense.    

[Sting]  

Prepare for escalating AI-powered threats, says Bob Grazioli, Ivanti’s CIO. 

Separate layers can no longer prevent AI-powered attacks from breaching your enterprise. In the hands of attackers, gen AI breaks down defenses by simultaneously breaching networking servers and layers. Threat actors can immediately scale and attack at high velocity … and with a much higher level of intelligence.  

Organizations must evolve their defenses to combat something that has more data, more velocity and machine intelligence. It will require wholly new tactics to prevent malicious AI from being an unstoppable force. The way forward is not to eliminate the human element, but to empower humans with AI assistants. These assistants, in collaboration with other AI assistants, can gain a more holistic, cross-disciplined view of the organization.   

[Sting]  

Modernize your suite of security tools, says Mike Reimer, Ivanti’s SVP of Network Security and Field CTO. 

While attackers have been using AI for years, 2025 will be the year that defenders truly take advantage of its capabilities. Security professionals will effectively leverage the functionality of gen AI to analyze vast amounts of data from various systems. This will provide insights into potential vulnerabilities and help identify weaknesses in systems. Security professionals must – with great urgency – evaluate software solutions and tools for self-protection and self-diagnosis capabilities — then propose upgrades to more modern platforms that offer these features.   

[Sting]  

Mike goes on to say that organizations must take a holistic view of exposure management and risk quantification. 

As security becomes more critical to business strategy and sustainability, organizations will adopt a contextual, holistic view of cybersecurity risk. For example, the concept of “attack surface” will broaden to encompass a wide range of both tangible and intangible assets. Exposure management will be viewed as a key business objective and performance indicator. And cyber risk quantification will evolve from subjective assessments to data-driven, objective measurements powered by machine learning.  

In a mature organization, cybersecurity strategy will directly influence operational investments and priorities, with the broader C-Suite managing comprehensive decision-making. We expect C-Suite executives will develop competencies to make well-informed, consistent and transparent cybersecurity risk management decisions. 

[Sting]   

Update internal training to respond to evolving threats, says Sirjad Parakkat, Vice President of Engineering at Ivanti. 

Continuous learning programs are not nice to have; they are essential to teach security teams about emerging threats and defense techniques. Security professionals need hands-on, simulation-based training to help them practice their response strategy in a safe, secure environment. Make sure training content is dynamic and personalized – matched to individual team members' skill level and learning pace.     

Currently there is more emphasis in the industry on AI and machine learning expertise, along with developing sound skills in specific programming languages. The threat landscape is evolving, and skills must evolve in parallel. Security professionals need to understand a wide range of AI-enabled attack vectors.   

 [Sting] 

Sirjad goes on to say that, as you deploy advanced AIs, you shouldn’t overrule humans. 

AI and automation can help security teams by using predictive analytics to provide insights and flag potential threats. But when it comes to decision making, it should be done by humans, who have critical decision-making‌ skills. AI can add a lot of value in handling a large volume of alerts and repetitive tasks, but there will still be complex incidents that require human intervention: investigations, root-cause analysis and taking preventive action. Companies must strike a balance between automation and human analysis.   

 [Sting]   

Outro 

If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released.   

  You can read the report, download charts and graphs and presentation-ready slides, and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.   

And if you’d like to hear even more audio content from Ivanti, check out Executive Summary with Jeff Abbott, a podcast exploring the latest research in IT, security, and the future of work, and what they mean for your business strategy. In every episode, Jeff is joined by a new business leader for a free-ranging discussion, unpacking the research findings and connecting them to real-world leadership experience.   

 You can follow Ivanti on social media at Go Ivanti, and you can visit us at ivanti.com to learn more about our products and solutions.   

   Thanks for listening!