3 Years In: How Is AI Doing? SANS Weighs In

It’s no secret that AI is “here.” It’s been here for three years now, and yet security operators are still figuring out how to use it.

That’s the theme of the most recent SANS survey on AI. In the report, we find that despite its popularity, only half of all organizations using AI are using it for cybersecurity. And among those who do use it, 66% say that it still produces too many false positives.

There’s still much to do. But the details in this report provide a much-needed insight into what is working, what isn’t, and where practitioners need the AI security industry to go. 

AI Is Pushing Ahead: Security AI Is Lagging Behind

In the AI arms race, it seems consumers might be outstripping us all; both black hats and white hats.

Where AI is best, it is underutilized. Despite its ability to aggregate large amounts of data and sift through them for that “needle in the haystack,” only 33% are currently using AI for incident investigation. Those who do experience force-multiplied time-savings, especially with automated and AI-driven workflows like those found in Fortra DSPM.

And yet AI-driven attacks have organizations on the run; 81% are actively concerned about AI-powered threats. Perhaps it’s a lack of confidence, as nearly two-thirds highlighted the need for more AI in cybersecurity courses. With so much that can go wrong, teams need something to ensure the security of AI, from AI, and with AI—and human-centric training courses could help.

At this point, AI adoption is still outstripping AI compliance and security.  This is true both when it comes to external and internal AI governance policies, though 39% are pursuing greater AI security oversight to better manage risk (and 35% are doing it to keep up with legal requirements). It’s better than nothing but still leaves room to improve.

Teams Aren't Afraid of a Little AI Help

Far from fearing AI, professionals across industries actually welcome the change—even when it comes to cybersecurity.

Three quarters (75%) anticipate AI complementing tools they already have in their stack, such as SIEM, SOAR, and EDR, in the course of the next few years. This is seen as AI enhances automated workflows between tools, bringing disparate telemetries together to derive synthesized conclusions, then orchestrating all tools to get to incident response faster.

As noted in EU Cyber Direct, the work of SOCs is “highly demanding and fast-paced, which is why AI and in particular machine learning techniques can provide invaluable support to practitioners.” They go so far as to state that the job of a SOC is to “improve incident detection, analysis and response speeds through state-of-the-art AI and machine learning capabilities”; a hearty vote of confidence for AI’s abilities to move security forward. 

But don’t worry. When it comes to worrying about being replaced, analysts should know that the majority of respondents (67%) predict that the demand for skilled cybersecurity professionals will only increase in the next 36 months. At least for those with AI and cybersecurity expertise.

Unsure Where to Invest in AI? Security Is a Sure Bet

As David Hoelzer, SANS Faculty Fellow, states, “In my opinion...leadership teams are sure that they need AI but are not usually able to clearly articulate what that means.” This is a key breakdown.

As business leaders invest in AI, they typically do it through time-saving LLMs, or their employees use it on the sly to make everyday business tasks faster. While this leads to a lot of workslop, it shows the dominant trend; an appreciation for all that AI can offer, whether sanctioned or unsanctioned.

The trick is to apply that enthusiasm across the security landscape, and many organizations have already gotten a start.

• 53% are using AI for anomaly detection

• 49% are using AI for alert enrichment

• 50% already use AI in their security strategy and 30% plan to start in the next 12 months

While adoption rates are strong, teams have been experiencing troubles and snags along the way. Sixty percent cited AI security challenges, specifically integrating AI and AppSec tools, and the vast majority are concerned about things detection tools can’t catch: highly personalized social engineering attacks (83%) and deepfakes (73%).

Staying On the Forefront of AI Security

With AI, things move fast and change often. Teams need to adjust to these changes by investing in security tools designed with AI threats in mind, and AI models in-tow. 

The good news is that AI-powered solutions seem to be a welcome addition to most security stacks. The real sign of maturity will be whether the organizations that adopt it do so in a way that puts security first.