What 125 Security Leaders Told Us About AI in Cybersecurity

How Would You Answer These Questions?

• When it comes to using AI, who’s winning right now, attackers or defenders?
• How concerned are you about AI-powered phishing, deepfakes, and multi-platform social engineering attacks?
• Does your team have a clear AI strategy for your cybersecurity, or are you still trying to figure it all out?

We just put these questions (and a whole lot more) to 125 security leaders from some of the largest organizations in the U.S., all companies with 500+ employees or security teams with 50+ members. The answers were eye-opening. Some were validating. Others? Honestly, kind of surprising.

As we get ready for our upcoming webinar about this report to break it all down, I wanted to give you a little insider access...a peek into the prep conversations I’ve been having with our panelists. These behind-the-scenes discussions have been some of the best parts of this whole project, and I think you’ll get a lot from hearing what’s on their minds. You can download the report and register for the webinar here: Osterman Research: Using AI to Enhance Defensive Cybersecurity.

So, here’s a preview. Let’s dig in.

1. Security Leaders Know There’s a Gap, But They Don’t Know How Big

When I first read through the survey results, one stat jumped out like a red flag: only 17.6% of security leaders said they saw a “significant advantage” in AI tools like behavioral analysis and semi-supervised machine learning.

That reaction was validated when Michael Sampson (Principal Analyst, Osterman Research) explained what the data was really telling us:

“The survey reflects accurately... security leaders across a randomized set of organizations don’t have a full grasp of what this could do for their organization.”

Watch Michael explain the reality behind this knowledge gap:

This isn’t just a slow adoption problem, it’s a visibility problem. Security teams know AI is important, but many don’t yet understand how powerful it can be.

2. You Need an AI Plan, Like Yesterday

Here’s another one that hit hard: 80% of security leaders say AI is essential for defending against cyberattacks, but most of them don’t actually have a plan.

That stat didn’t surprise me. It’s something I see all the time when talking with security teams. I said it during our prep call, and I’ll say it again here:

“Strategic AI integration is non-negotiable. It’s not just about buying tools. It’s about asking, ‘Where can we enhance what we already have? Where can we automate? Where can we make defenders faster?’ If you’re waiting for the perfect solution, you’re already falling behind.”

Matthew Martin (Founder of Two Candlesticks and Former Deputy CISO at LPL Financial) jumped in to back this up, pointing out something I’ve seen firsthand working with large organizations:

“Everyone wants AI...security, marketing, IT, but who actually owns it? Without leadership driving a company-wide strategy, you get shadow AI projects popping up everywhere, and no one is aligned.”

Hear us talk through this challenge in our prep call.

Look, I get it. Building an AI strategy sounds like a huge lift. But waiting until you have it all figured out is the wrong move. Start small. Identify a few places AI can support what your team is already doing. Build from there. Because attackers? They’re not waiting.

3. Security Leaders Want AI, But They Don’t Fully Trust It (Yet)

Even among the security leaders who see the value in AI, there’s still a big hesitation around trust and data security. I hear it all the time: What data is going into this system? Who can access it? What happens if it gets compromised?

When we talked about this during our prep, Matthew Martin made the point that for many CISOs, AI looks like just another attack vector they need to defend, and that slows things down:

“There’s a big concern over data. Where does it go? Who interacts with it? How do we secure it? CISOs look at AI and think, ‘Oh, great. Another attack vector.’”

But (and this is key) the business isn’t going to wait. AI is already being adopted across marketing, communications, product teams, you name it. If security doesn’t get comfortable with it, they’ll get left behind.

Listen to Matthew explain the security and trust issues teams are working through:

This is the reality now. AI isn’t just a nice-to-have—it’s the only way we can match the speed and scale of modern attacks. Period.

Why You Need to Be at This Webinar

AI is transforming cybersecurity (obvious, I know), but it's happening right now. And the uncomfortable truth? It looks like defenders are still trying to figure out how to keep up.

We’ve got the data. We’ve got the experts. And we’ve had the kind of real, unfiltered conversations that don’t always make it into polished reports. I want you to be part of this discussion.

Here’s what we’ll cover:

• What 125 security leaders told us about their AI challenges (and wins)
• Where AI is making a real difference today (and where it’s all hype)
• Practical steps you can take to start building an AI-powered defense strategy (without blowing up your current stack)

Reserve Your Spot Now!