Video: The New Economics of AI in Cybersecurity | Duration: 3608s | Summary: The New Economics of AI in Cybersecurity | Chapters: AI Budget Tensions (27.57s), Board Communication Challenges (311.54s), AI Investment Challenges (515.51495s), AI in Security Programs (660.425s), AI in Cybersecurity (955.28503s), AI in Security Operations (1345.245s), AI-Driven Insider Threats (1550.665s), Conclusion: AI's Cybersecurity Impact (1908.41s)
Transcript for "The New Economics of AI in Cybersecurity": Accountability. Our latest research surveyed over 750 security leaders across 12 countries, and the data tells a really powerful story. 95% of organizations are increasing cybersecurity budgets. 74% of those organizations are seeing double digit growth, and AI and automation are the number one driver of that growth at 44%. But here's the twist. AI is also the first investment organizations say they would cut if budgets tighten. So we're seeing rapid adoption and rising accountability pressure at the same time, and today we're gonna unpack what that really means with our cybersecurity experts, starting with Steve Moore, Chief Security Strategist at Exabeam; Steve Wilson, Chief AI and Product Officer at Exabeam; Kevin Kirkwood, our CISO at Exabeam; and Gabrielle Hempel, our security operations strategist at Exabeam. So let's get it started. So AI is driving budget increase, but is it defensible? Steve Wilson, AI is simultaneously the top driver of budget growth and the first thing organizations would cut. What does that tension tell you about where we are in the market today? I think there's a couple things. The first thing that I see when I talk to people inside large companies today is AI is definitely the largest investment area. But that's not just within cybersecurity, that's within the business as a whole. Every one of these large organizations is investing in agentic security, betting on the promise that that is going to change the way that they do business. But to date, we're still actually in the very early rounds of experimentation with those projects. The other part, though, is I think when we talk to cybersecurity professionals about their cybersecurity budgets, there's a lot of snake oil being sold by cybersecurity vendors out there who have taken chatbots and nailed them to the side of traditional cybersecurity products and called it an AI strategy and sold it to customers. 
And so I think when it comes on with the hands on operational people running security teams, they've touched a lot of AI stuff that's been of questionable value. And they still see the promise, but I still think they're waiting for the payoff in many cases. Steve Moore, I know that you have an interesting take on this AI budget boom that we're seeing. Would you like to share? Yeah. I think that it's important to consider what's driving the investment and what's changing. So where are organizations leading in adoption and making investments? We certainly see that all over the world. I have also seen some security teams that certainly have massive investment and massive interest in adoption through all their security operations in, you know, adoption and looking to their vendors to help them with that. At the same time though, I am seeing, at scale around the world where there is some pressure still on justification of security budgets. So you have this pressure to respond with the business and secure their next move. You have you know, leading organizations. The responsibility is to evolve, like any other team. So, you know, I'm actually working on a presentation called what happens if you do nothing. And it's around this whole theme of, if you stay flat footed, what does it mean for you as a security leader? And what does it mean for your security team? Right? You want to be relevant. Relevance is important for obvious reasons. And so, I'm seeing also incredible pressure to justify value. And if you can't protect and justify, you'll lose a little bit of your credibility. And with loss of credibility typically means loss of some budget. And so you're seeing this massive change, this automation on steroids that's happening right now? This re justification and even additional measurement of what we call good, right? So what is the way, what is the, how does this adoption change the way we do incident response, as an example? 
How does it change the way we track metrics? How does it change the way we get credit for the finding and responding of bad things? Which is super important, I think, to any security team, the pride and the esprit de corps. So, while there's great investment at all levels, I think there's equal pressure on program provability, maybe greater than I've ever seen before, and great scrutiny. And so there's this language change that's happening. Budgets are shifting. Business units are changing drastically. Headcount is changing. And so the security team is left, not only to think about what the adversary is doing, but also the rest of the business. So, a great amount of pressure. It comes up almost in every conversation I have. Yeah. So it sounds like AI adoption isn't the challenge. Everybody's adopting AI in some respects, or their executives are mandating them to or asking them to. So justification is where the challenge lies, and I'm really interested to hear about that from a CISO. So, Kevin, you know, 87% of security leaders say that they're confident that their investments deliver business value, but 30% say that boards don't understand the connection between cybersecurity investment and business resilience. I don't imagine that this is gonna be solved through just AI. In fact, I think it's gonna be increased. That pressure is gonna increase with this AI adoption. So why do you feel like there's such a disconnect? And how can we start to solve that in this AI era? Fantastic. I was about to jump into the last comment that Steve was making, because I think the open question is, you know, where is that communication coming from? Is it from the internal team, from the ELT? Is it coming from the board? If it's a combination thereof, it's a balancing act, right? The board in these days and age don't look at this in terms of, what are the tactical measures that you take? How many tickets do you close? How many incidents do you respond to? 
How quickly do you contain an event that's occurring? All of those are good things at the tactical level. But the board doesn't look at it and say, wow, I'm going to buy two of those. They look at it and say, okay, so what risk did you reduce? What risk did you eliminate? And decrease did the overall spend so that at the bottom line, I'm going to see a positive impact? And most CISOs don't know how to answer those questions. And it comes back and says, they say, Well, I'm protecting the organization. I'm keeping them out of the news. I'm keeping them out of and that's a measure of risk as well, but there's a dollar figure associated with it. And so CISOs need to learn how to communicate the risk, communicate in financial terms, and draw new conclusions based on what they see from an evidence perspective and be able to translate that so that boards can fully understand, fully realize what they're doing for them. So it's a language lesson. The board speaks French, the CISO speaks Italian, and pretty soon nobody's talking in languages that anybody understands. And so that's a balancing act that CISOs definitely need to bridge the gap on. Showing that measurable reduction in risk is key and critical for that CISO at that board level. Taking it back to the earlier instance, we're talking about how do you justify the AI spend or how do you justify the AI protections? And you look at it and say, Okay, so AI is going to impact our bottom line in terms of being able to more quickly, more efficiently gather the information that we need and allow us to achieve business decision out of this. But is it truly doing the things in the right way? Are we protecting and measuring that in case the AI is wrong? And those are all fun elements of the risk that's identified and something that we should all be chasing. I just got off the phone with a couple 100 CISOs that are looking at AI and going, how do I block? How do I tackle? 
How do I prove that I'm doing all the right things to protect the organization and protect that bottom line? But I'm not sure I can. And am I just chasing the fire truck that AI has become? So, Steve Moore, you work closely with CSOs and boards. I think it'd be really interesting to kind of drill into that a little bit more on that language the board actually understands when it comes to AI and security. How do we bridge that gap practically? It's interesting. And, you know, Kevin mentions, I think it was Italian and French. Those are both from the same root. Those are love languages, Kevin. Those should go together more closely. I knew you were gonna go there, Steve. Awesome. Yeah. Look, I think if we step even outside of the report, many organizations still struggle, even at the top of this. See, you know, 87% of organizations, security leaders say they're confident in their investments and delivering business value. So that's a pretty high number. The equivalence of, am I valuable to the business? And does the money you give me relate to that? So that ought to translate pretty well, in many cases, to leadership meeting, whether it's SLT, ELT, or board. However, 30% are saying that, as we covered, don't understand the investment. And, you know, 32% are saying that AI is very difficult to justify. Well, no, it's not. We see everybody adopting it rapidly. Right? So is it really difficult? What is difficult about that? And I don't know that I have a great foundation for that, but the other element that we have in the presentation or in the report rather, is that one in three still struggle professing any kind of value to the board. Forget about AI. And so for those, I think at a fundamental for that bottom 30%, 32%, you know, it may be some disambiguations needed. Maybe some outside help is needed. It may be being able to chunk out what's the business doing with AI, which think of that as just enhanced automation if the board is not that technical. 
What are we doing with it as a security team? And what's the adversary doing? You know, people have heard me mention this before on other panels and podcasts and such. And all of those are interrelated. And so it may mean a little bit of education there, that I see, where this gets sort of all muddled up. When we even have debates internally about this, right? What's the disambiguation on investment? And what investment's being driven as a result of a business action first? And what is an investment from a CISO as a catch up to that? Or is the CISO leading? So I think that's other kind of element. One of the anecdotal messages I was given is that, you know, CISOs don't fear breaches as much as they do board meetings. And the issue is, is that they don't know what they're going to get asked. So from that, is that prepared are they? And now we have this AI wild card. And so, you know, I think that the other approach that I might advise that we take, and I'm interested to know what Kevin thinks of this, is maybe the other answer is just removing AI, the idea from the conversation, at least as it relates to the security program. So understand that you have a platform, understand that you have a program to embrace improvement, continuous improvement, automation, reduction of risk. You should be doing these things all the time. AI is the, and before that, machine learning, was the greatest tool you could implement to answer complex questions. It's incumbent to you as the CISO communicating to the board to gather whatever types of unfair advantage you can find in order to ask and answer questions of your environment that are of high complexity with the least amount of energy. They should know that that's part of how you operate. And so ten years ago, it was machine learning. And it still is, but now there's artificial intelligence. Now we're using it to give me a narrative and help me make decisions, help me run business units. 
And so that is part of a never ending journey. And this is just another agent for us. We're calling it Nova, but another agent in another tool set for you to utilize to get better and faster. Because the adversary is absolutely doing that. Right? The basic example, whether it's a fake North Korean employee or somebody that's spinning up, you know, business email compromise server in minutes rather than days and sometimes now seconds. So the adversary is getting faster. It's part of your plan and program. And so when the board asks, and they should be asking, what are you doing? What are you doing to maintain velocity? So you're reducing risk, but how fast can you reduce risk? How does AI affect the way that you onboard new employees? As an example. How does AI change the way that you evaluate your third parties? As an example. Right? You should have narratives around these things. And so it's not AI for the sake of AI. It's AI because this is the thing that's the most repeatable, most understandable, and increases clarity of communication, even from narrative creation. The ability to use AI for breach response. Everybody talks about ransomware and breach response and the cost. We do run books and playbooks and simulations. A simple thing like narrative creation is overlooked. When you're fatigued and tired and haven't slept in three days, you have these agents that allow you to perform with great clarity and great confidence. And so, when referencing these things to the board and talking, why do I need this? What does it give us? How does it inform our decisions moving forward? Like, those are the little pieces that often come up in these roundtables and these discussions and the advice that I give. Kevin, thoughts on the language? You led with language, but anything else that you put into that bag of the explainability of either what the CISO should mention to the board or maybe what the board should ask of the CISO? 
Short of relying on fear, uncertainty, and doubt, the threat actors, the bad actors are out there adopting AI at the same rate that we are, maybe even faster at some levels. And in order for me to respond at that level, I need to be able to chase that down using the same speed of intelligence that the AI offers. The threat actor using AI to come in and compromise my system, they're going to do it at AI speed, at compute speed. And I need to have an AI that reacts at the same level the same way to block that compromise, block that problem area. And so, that's the easy piece of conversation. But are we there yet? So we put stipulations around how we develop and we have checkpoints and guardrails and all of these fun things that we put in place for that AI to be able to be used inside of our systems. Threat actors generally don't care, right? They're going to go out and, as long as it's giving them a result, they're not really going to care that the AI is not paying attention to guidelines and guardrails and operating within a set norm. We will continue to do that. So how do we get over ourselves, build the right framework that these AIs can operate in and get to a universal framework that's more standardized and optimized for protecting the organization across the board. And I think we're already thinking through those things and getting those things in place. I know inside the company, we're doing that really well. Are we doing that really well across the US, across the world of business? Maybe not so much. And those are some of the key things that we need to be thinking about. What are the organizational elements that we can put in place that will prevent breaches or reduce that downtime that we can then sell back to the board as we avoided $60,000,000 worth of spend because we didn't have a breach that three of our competitors did or two of our competitors did, and it cost them X. 
And so those are the kind of conversations that the board's going to be very interested in. It's still fear, uncertainty and doubt, but it's did we put the right organization in place to reduce that risk, to prevent breaches, to be able to recover from an incident, sometimes can reduce the overall spend to the organization? So those are kind of the languages I would put in place. That's maybe French and English, but not French and Spanish, even though they're both Latin based. So I can't resist jumping in a little bit on this point. I'll avoid any fancy language and be direct. I think both my previous colleagues are correct that you need to worry about metrics. But when you're talking to your board of directors right now, you need to understand the one metric that they are always focused on and that they are currently focused on more now than they have been in the last twenty five years. That metric is your stock price. And what we have seen is for large successful companies across industries, their stock price is whiplashing crazily based on the current narratives around AI. And so while maybe they should be asking more questions about your cybersecurity metrics, that is way down their list of metrics that they want to talk about. What they want to make sure is that they have a great story to tell their stockholders about how they are using AI and staying relevant in an AI driven world. And what that means is cybersecurity teams, and I talk to a lot of them, they're getting direct pressure from their board, not to say, how are you making effective use of cybersecurity or of how are you doing more effective cybersecurity? They're getting pressure to demonstrate their AI strategy to get better. And so I don't think you can underestimate how much pressure and how much interest there is from the top in specifically what you're doing in AI for whatever function you're in. So I think there's no secret that AI is improving security operations. 
In our survey, 92% of leaders said that AI is already improving or will improve security operations by 2026. Hello, we're in 2026. Everybody knows that AI is improving in some way, and the top ways that we saw that was through threat detection and alert triage, workforce productivity and workforce automation, automated incident response, threat intelligence and integration. These things, tedious tasks that require a lot of manual work, are being alleviated in the SOC. So Gabrielle, I'm interested in how you're seeing this value play out in your job. You work in Exabeam and our security team, and you do this every single day. So what's your perspective? How is it affecting you? You know, I think it's really interesting, especially given, you know, we're seeing in the industry that people keep saying that AI is going to replace our security practitioners or replace certain functions in the industry. And it's fascinating because what I'm seeing on the ground is a little bit less about replacement and more about augmentation. The improvements that I think that have been made to SOC workflows so far have been very practical and more, like you said, conserving time and energy and able to allow analysts and practitioners to kind of refocus their efforts and not necessarily replacing them. So the biggest impact I think we've seen is detection quality and triage. AI is really helping to correlate signals. It's making a lot of the behavioral detections a lot more robust and the alert context enrichment. And it surfaces more of what actually matters to the team, so there's a lot less digging involved. It's been really good at you know, summarizing the things that we're seeing in the SIEM tool as well. Now we're also seeing some progress in automated response, but I think that's been pretty narrow. 
I think there's a lot of organizations that are still pretty wary about letting AI do things automatically, so there's certain containment actions for things that are really well understood that we're seeing, that people are using, letting AI do, and also, you know, host isolation, account disabling, things along those lines. But for the most part, the biggest change I think we've seen is that AI is augmenting the team, and a lot of the successful teams that are using AI in their SOC functions are using it to move analysts up that value chain. So instead of sitting there, you know, manually triaging alerts and things like that, they're actually able to do more hypothesis driven hunting, do more incident coordination, do more risk assessment, and some of that more heavy hitting. So it's not transforming overnight. It's not replacing analysts, but I think we're definitely seeing it remove a lot of that friction from workflows and making the people working in the SOC a lot more effective. Yeah. I would say above and beyond that, it is lightening the fatigue that a lot of SOC analysts feel. Right? So if I can detect in seconds and start to contain in minutes versus, you know, I'm going to spend three hours to do the analysis and make sure that I've got the elements in place before I can start actually doing anything real against the incident that's occurring, that's a stressful time for SOC analysts. And, the AI that we're seeing in place today, specifically within our tools, I don't look at too many other tools, but the fact that we can get to a summarization literally in seconds and a triage pattern that we can follow that I haven't seen once be wrong has been fantastic. But you bring up another interesting point, Gabby, because you're looking at this going, okay, so there's a certain amount of trust that's required to be able to do the full automation. And to me, that's very important, right? I hate to say it. I've never been a fan of Bruce Schneier. 
Steve Wilson is. But Bruce was the first guy I listened to at the RSA last year. And he was talking about, you to trust your AI. You want your AI to like you. You want to be able to trust your AI. And every day I hear some example where he's not wrong, right? So, it hurts me some to say that, but we get to a point where we're literally beginning to trust our AI to be able to take action and do more of that blocking and tackling that a SOC team sometimes used to take hours to do. And so to me, that's a huge win. If we can get it to move at machine speed for more of the patterns that are out there, more of the elements that are coming in as threats to the organization, the better off we're all going to be. So it's broadly interesting to watch the evolution of people's attitudes around AI. And it varies from not too many months ago. There was a lot of skepticism that maybe these chatbots are cute, but they're never going to add to productivity. And we saw the stock market wobbling as a result that maybe this was just a flash in the pan. All of a sudden, we've seen a flip over to these things are so good that maybe we're all going to wind up unemployed and the whole economy is going to crash. So where's the reality behind this? And as a security leader, what should you be thinking about? I think one of the results of this pivot to these things are super capable is the rise of this term that's been kicking around for months, but really there's a lot of buzz around it now, which is autonomous SOC. And the idea is that the AI is now capable enough that I can automate what the humans in my SOC are doing, and I can dismantle my SOC room, lay off my SOC employees, and have the agents run this for me. I think you have some very crafty marketers selling you some really questionable strategies, if that's what you're thinking is coming this year, next year, or the year after. And I think history bears this out. 
We've seen this with every transition where we've had a major technology shift that, you know, quite simply, I'm going to put everybody out of business with this technology. Anybody who works in this area is going to go out of business. Never happened. There are shifts and jobs will change. And I think the jobs that cybersecurity professionals do will change. I think everybody who works in a SOC today is going to need some different skills. Many of them are going to have to step up and effectively be team leaders where they have teams of intelligent agents who work for them. That's a much different attitude, but you're still going to need to understand the technical underpinnings of what's going on, understand the human psychologies of what insider risk means. In fact, that may be some of the most important things that you contribute to the equation when the AI agents can do more of the low level scout work. So I think we're in a position now when we look at things like the rapid adoption of AI by the hacker community, we're going to see 10 times as many attacks. When we look at the rapid adoption of AI agents inside the enterprise, we may have 10 times the number of employees that we do today. It's just 90% of them might be digital or virtual. So if I've got 10 times the number of employees and 10 times the number of attackers, I might have 100 times the amount of data and noise to deal with. There's no way I am laying off all my SOC employees for some automated SOC. What I need is to turbocharge the security team that I have today with advanced AI. And this idea of accelerated security operations, I believe, is a much more viable destination where we are going to make much more capable security teams. We are going to do that rapidly over the next two years. So there's going to be a dramatic evolution. 
But if you're working in a SOC today, you shouldn't be worried about losing your job unless you are not interested in learning some new skills and evolving the way that you do your job. But when you absolutely, positively don't care about your business, autonomous suck. So AI isn't just reshaping defense. It's actually reshaping the entire threat landscape. And more than half of our respondents have said that insider threats are increasing. And this is from our August research report building on that. And many of those report that AI enhanced phishing and impersonation is growing concerns. So we're seeing this shift from insiders being just human identities to now nonhuman entities. So what's changing in the landscape right now as it relates to AI and insider threats? We started talking a little bit about this earlier, right? So we were looking at what's happening on the AI front from a threat actor perspective. And we're beginning to see things like AI being used to impersonate your CEO on a conference bridge and be able to fully act like, smell like, talk like your CEO. And it's gone beyond the boundaries of, Okay, so we're going to do a phishing campaign or a vishing campaign where he tries to get you to buy $100 gift cards for some element, they're actually going after the bottom line dollars associated with investment. So, if you've got your CEO saying, Okay, so we need to pull out and invest $100,000 or $1,000,000 in X, and here's why. Mr. CFO, please go cut that check today and send that over via wire. It's an emergency, blah, blah, blah. It still has the same techniques and tactics that are occurring at the phishing and vishing and quishing level, but it's definitely at a newer level of ability. And, you know, you have to be able to defend against that. You have to be able to understand that that could occur and does occur and be able to protect against that. 
A lot of executives, until you actually show them an image of themselves talking and acting and being themselves in a conversation that they never had, won't understand it. And we're seeing that today. I actually had the chance to do that earlier this year with our CEO and with the entire company and one person on the entire call of, I don't know how many people were on there, 300 plus said, Oh, that's not our CEO. Everybody else did. Well, the other thing that was on there was I was interviewing the CEO, and not one person said, Oh, by the way, that's not Kevin. And that was missed completely, right? I was also an insider threat actor using deepfake technology to drive alignment. So I'll add on another twist to this. Kevin talked about the idea that these AIs are making some of our traditional insider threats worse, basically turbocharged phishing at levels we've never seen. The flip side of this is not that the AI will help make us more effective at attacking the humans, even though it clearly will. It's that the AI themselves become targets and become insider threats. We have seen examples of this in movies and science fiction books for fifty plus years. HAL getting misaligned and killing the crew of the Discovery in 2001. It's WOPR getting confused and trying to start a thermonuclear war. That all seemed like science fiction until 2025. And what we need to remember now is that this latest generation of AIs that we've built are digital predators designed to do one thing, which is achieve their goals. They are descendants of the chess bots that beat Garry Kasparov. They are descendants of the bots that beat the world champions at Go and very direct descendants of the bots that beat the world StarCraft champions at real time video games. These are dedicated goal achievers. And these are exactly the same technologies being used to develop our bots, which means if they get a little out of alignment, they will do things that you don't want. 
And now the research out of these top labs very clearly shows that they will do things where they will become misaligned, they will malfunction, and that they can be subverted. And that turns into classic insider threat technology. They may exfiltrate data, they may attempt to blackmail your company. Or they may just get confused and give away information that you don't want them to give away and become confused deputies inside your firewall. So this calls for a different set of defenses. This is not going to be traditional guardrails. This is going to be a wholesale rethink at how we do insider threat programs. And we're going to need to develop new science around how we do behavioral analytics on these agents so we can build on what we learn to do from the humans. But we need to evolve quickly to get this in a place where we can understand it and control what these agents are doing. As an aside, recently in Vancouver, there was a room full of executives I was meeting with. And we were starting off more of a traditional discussion on insider threat. And you typically ease into AI later. Now, it was like a cartoon of parliament right out of the gate where one of them mentioned, what about AI? Right out of the gate. And then they all just kind of immediately, you know, stomped their feet and threw papers in the air. It was that was the beginning of the discussion, which was kind of fun to see that they were immediately keying in on that. We're seeing that people, if they don't have an insider threat program, that AI is actually driving them to create what is effectively a program. So they're adding not only technologies, but also human capital and dedicating resources to the creation of new programs because of AI. Now, you could argue maybe they should have already had an insider program to begin with, but that's neither here nor there. But this is causing them to frame it out. 
And they're building the program around the concept of AI as an insider. Pretty interesting stuff. So it sounds to me like the organizations that thrive aren't just implementing AI effectively. They're defending against it effectively, and then they have to prove convincingly and quantitatively that it delivers measurable security outcomes and real business impact. There is no getting around the implications of AI and how it's changing the threat landscape. There's no getting around the need to implement AI in your business to defend against it and not only improve workforce productivity and utilize the greatness that comes from AI. For those who are interested, you can download our research report, From Adoption to Accountability: The New Economics of AI in Cybersecurity, to see all the information that we covered here today. And if you're interested in learning more about defending against these AI agents as insider threats, we'll drop some resources below as well. Thank you for joining us today, and until next time.