Two ways AI hype is worsening the cybersecurity skills crisis – Source: www.csoonline.com

AI was supposed to make security teams more efficient, but instead, it’s making their jobs harder. Security professionals are being pulled in two directions: they’re being expected to govern their organisation’s AI use while also figuring out how to integrate the technology into their own workflows, often without proper training. The result? Overstretched teams, mounting pressure, and an ever-widening skills gap.

Despite these growing pressures faced by cybersecurity teams, Richard Addiscott, vice president analyst at Gartner, points out how businesses are embracing AI at an unprecedented pace. “Our research shows 98% of organizations have already adopted or are planning to adopt generative AI or another form of AI. Only 1% plan not to adopt AI, and the other 1% is not sure,” he tells CSO. “But if you’re the head of the security organization, blocking AI probably won’t do you or your team any favors.”

This adoption, however, adds a new layer of responsibility for cybersecurity professionals, who must oversee AI governance while using AI themselves. “As a security function, where things like cost efficiency, operation productivity, operational continuity, and talent shortages already have an impact, it’s also entirely appropriate that those teams look at, ‘How can I use AI from a security function benefit, whether it’s improving operation efficiency, cost efficiency, or giving my team the opportunity to do more with the same level of resources,” Addiscott says.

The security burden that comes with AI

One key challenge is that many cybersecurity professionals are expected to deploy and oversee AI tools, often without formal training. An O’Reilly report, Technology Trends for 2025, highlights just how quickly the interest in AI-related skills are growing. From 2023 to 2024, interest in artificial intelligence grew by 190%, while generative AI skyrocketed by 289%. But the most telling increase was in AI principles, up 386%, and prompt engineering, which jumped 456%.

“It’s all well and good to want to embrace the organization’s AI ambitions, but if no one in the team understands large language model operations or prompt engineering … then it’s going to be really difficult,” Addiscott explains. “Your capacity and capability mix needs to shift, which has a fundamental impact on your strategic workforce plan … and a whole heap of other downstream impacts that we need to think about from a strategic operational perspective in security.”

Anil Appayanna, CISO at India International Insurance and founder of NexisCyber, agrees, noting that organizations often rush to implement AI without ensuring their teams are prepared. “There’s a fear of missing out because everybody in the world today is talking about AI,” he says. “Frankly, if I’m speaking at a seminar and telling people I do this and I do that, there is a lot of pressure on others to go back to their companies and say, ‘Hey they are using it, why can’t we use it?’ 

“But preparedness is very important,” Appayanna says. “It’s not about just putting things in place, but do you understand where you’re heading? What is it that you’re looking for? And then, do you have the right kind of skills and people in place to implement it?”

Beyond technical skills, AI also requires a mindset shift. Instead of blindly trusting AI recommendations, Appayanna insists that human oversight is maintained to verify any AI-generated results.

“I will never fully automate or over-rely on AI,” he says.

“There will always have to be one human interface somewhere there. It could be as simple as that ‘see it, forget it, no problem’, but I don’t want it to become ‘just because AI told me that this is a thing, I should have to take its word’. You have to do include some kind of human intervention, to look at what exactly is happening.”

But with all the hype, some level of disillusionment is inevitable, the O’Reilly report warns that many organizations adopting AI may not fully understand its capabilities or limitations, particularly in emerging fields like prompt engineering. While searches for prompt engineering grew sharply in 2023, the report indicated early signs of decline in early 2024. It also questions whether this is just noise or the first indication of AI fatigue, suggesting that if excitement around prompt engineering fades, broader enthusiasm for machine learning and AI could follow.

Appayanna likens the rush to adopt AI to the digital transformation wave of the past decade when companies felt pressured to move to the cloud, automate workflows, and embrace digital technologies, but many failed to consider whether those changes actually aligned with business needs.

“The question is: yes, you can introduce AI, but to what context? You have to define the context and make sure that you meet your business requirements. Only then can AI provide value.”

Appayanna’s personal approach to AI has been methodical, where he explains how he introduced AI to his team to handle repetitive, low-level tasks initially before gradually expanding its use in more complex areas like automated red teaming. “If I am introducing an AI technology, the first thing I look at is, ‘Do I have the right skill sets and do the people on my team have the skills to even look at it?’ Because I always make sure that training is first and foremost.” 

Attackers are using AI, but are defenders ready?

AI isn’t just increasing workloads; it’s also raising expectations. Many security teams are already stretched thin, and the push to integrate AI is adding further strain. “If you’ve got a very lean team that barely has enough time to look above the parapet as it is and you’re already behind the eight ball when it comes to business as usual, and with AI that’s a challenge,” Addiscott highlights.

Another critical factor in the AI-skills shortage discussion is that attackers are also leveraging AI, putting defenders at an even greater disadvantage. Cybercriminals are using AI to generate more convincing phishing emails, automate reconnaissance, and develop malware that can evade detection. Meanwhile, security teams are struggling just to keep up.

“AI exacerbates what’s already going on at an accelerated pace,” says Rona Spiegel, cyber risk advisor at GroScale and former cloud governance leader at Wells Fargo and Cisco. “In cybersecurity, the defenders have to be right all the time, while attackers only have to be right once. AI is increasing the probability of attackers getting it right more often.”

Without proper AI training, security professionals may not even realize they are dealing with AI-generated threats. “We have a threat environment that is wanting to leverage [AI] to the nth degree … typically, [the attackers] have a lot more time and money on their hands to be able to play around with this stuff,” Addiscott says.

Can AI fix the skills shortage?

However, not everyone sees AI as a purely negative force in the cybersecurity talent landscape. Spiegel acknowledges the complexity of AI adoption but argues that the issue is more about how leadership goes about acquiring. She suggests that cybersecurity teams require a diverse, well-rounded set of skills and experiences.

“I don’t think we have a cybersecurity skills shortage – I think we have a leadership understanding shortage,” Spiegel argues. “Leaders are being pressured to adopt AI at lightning speed, and they’re focused on the efficiencies that can be gained through AI automation, but they’re looking at how they staff with a very narrow view of what cybersecurity is.”

She believes AI could ultimately help alleviate some of the skills shortage.

“CISOs will have to be more tactical in their approach,” she explains. “There’s so much pressure for them to automate, automate, automate. I think it would be best if they could partner cross-functionality and focus on things like policy and urge the unification and simplification of how polices are adapted… and make sure how we’re educating the entire environment, the entire workforce, not just the cybersecurity.”

Appayanna echoes this sentiment, arguing that when used correctly, AI can ease talent shortages rather than exacerbate them. He believes AI frees up security professionals to develop higher-level skills rather than being stuck in mundane, repetitive tasks.

“If my L1 security analysts spend two or three hours glancing through logs, which my AI can do in five minutes, I want to use AI there — not as a replacement, but an augmenter,” he explains.

Despite AI’s potential, the short-term reality remains challenging. Addiscott believes that AI will sit atop existing security responsibilities rather than replace them in the foreseeable future. “We still need security monitoring, application security, infrastructure security, cloud security, policy security, security awareness — all of those things are still required,” he says.

“What’s going to happen in the short to medium term, AI will sit on top of all those things. And until we start to see the embedding – which is probably going to take a generational shift – it’s going to be a long time before we can happily look back and reflect and say, ‘I think we’ve landed on best practice’.”

Appayanna cautions against the misconception that AI alone can solve security challenges. He believes that organizations that invest in structured AI training and thoughtful implementation will be better positioned to succeed.

“AI tools can only automate. They can help you; they can support you, but they will never replace a human expertise and organizations must manage their expectations with their boards or their teams that we recognize AI as an augmented tool, but not as a replacement.”