April 19, 2024

AI will impact security more than the cloud

Notes from conversations and a survey of over 40 leading CISOs

We recently convened security leaders from a range of companies, including MongoDB, Ramp, Chime, and Oscar Health, to discuss, among other topics, the impact of AI on security. It’s still early, we know. It’s difficult to imagine the state of security in the future when companies aren’t even sure how they might use AI or what the underlying infrastructure might look like. 

Yet when we asked these top minds gathered over a dinner in New York, the consensus was that AI will have a greater impact on security than even the cloud. While most enterprises are only in the piloting phase (if they’re even that far), these CISOs at the forefront of AI planning were certain it would reshape their workflow.

“Initially, AI will lower the cost for hackers to launch attacks, but security teams will soon use AI to increase the cost of attacks, rendering most common attacks obsolete,” said one participant. Another added, “AI will automate a lot of the manual processes in security.” The main point these top security leaders voiced was acceptance of the AI revolution, even as they grappled with many open questions about the best way to prepare.

It’s clear only in retrospect that the transition from on-premise computing to the cloud would dramatically upend the lineup of players dominating the security sector. The move from on-prem to the cloud began in the late 2000s, but it wasn’t until 2014 or 2015 that large enterprises fully embraced the idea. For all AI’s expected impact on the enterprise, until we better understand its infrastructure. We make sense of its impact on our software delivery and operational practices by drawing parallels to traditional devops and software engineering. Surprisingly, many of the surveyed CIOs shared that they have no immediate intention to adjust their approach to security due to AI innovation, even though they primarily agreed that AI will fundamentally reshape security tooling much like the cloud. Most security approaches we see today are reactive—understand user behavior first and then fix the after-effects—but AI will likely need a more proactive protective stance.

Evolution of security companies by focus from on-premise to cloud to AI

We surveyed 41 CISOs prior to our New York dinner. All agreed that their organizations, to the extent they were implementing AI, needed to implement it securely. Yet some saw no need to purchase additional products. They believe that augmenting their existing security software tools will be adequate. Others understand that AI will invariably spark new security purchases, including the need for new firewalls to contain LLMs and enable secure data retrieval through RAG. 

The CISOs surveyed, representing Fortune 100s and unicorn startups alike, indicated that spending on software security will continue to grow despite belt-tightening in other areas. After increasing by an average of 9 percent in 2023, their spending on software security is expected to grow by another 10 percent in 2024. This is modestly outpacing the average growth of overall software spending.

Will AI have more of an impact on your security strategy than the cloud transition? Most say Yes.

Keeping up with rapid AI innovations is quickly becoming a top priority for security teams. Take email phishing, one of the primary methods attackers use to infiltrate organizations. Now, attackers can leverage open-source LLMs that spit out a -infinite number of natural-sounding phishing emails. Enterprises may be adopting a cautious attitude toward adopting AI, but that’s unlikely true for those seeking to harness it for ill gain.

“Most of the impact will be negative,” the CISO at one company with a security budget north of $20 million told us. For years, organizations have taught employees to look for obvious grammatical errors to determine if an email is suspicious. That is no longer enough.

AI threats as opportunities

Charts about how security budgets will grow and top new software category for 2024

Yet, of course, the concerns expressed by the CISOs we spoke with can also represent an opportunity for enterprising founders. Below are some of the key takeaways from our survey:

(1) Email security ranked as a top five priority in 2024.

CISOs are unhappy with the incumbents they’ve been relying upon for email security, which provides an opportunity for disruption. Phishing attacks will undoubtedly become more advanced using AI, pushing security teams to evolve in the ever-ongoing cat-and-mouse game. Companies currently leading in this area, such as Proofpoint and Mimecast, came up numerous times in our surveys as offering products that left users feeling disappointed. That’s provided an opportunity for companies like Sublime and Abnormal, which are applying AI to help secure inboxes and provide customizable solutions for CISOs.

(2) Identity management, for both human and non-human accounts, is a top concern.

In addition to needing to consistently and accurately verify human identity, the adoption of AI portends a far greater reliance on machine-to-machine interactions without human intervention. Investing in new non-human identity solutions to better secure APIs, keys, tokens, and eventually AI Agents is the next evolution of Zero Trust security and an area that requires investment. CISOs surveyed most commonly cited non-human identity (which can consist of API and machine identity) as the top security pain point that needs a satisfactory solution. Non-human identities were often overlooked historically, but are now front and center. This on all facets of identity are why companies pursuing parts of the identity stack like ConductorOne, Oso (both Felicis investments), Aembit, and Clutch are seeing a lot of interest from security teams.

(3) Security operations will incorporate AI and require better data.

The use of autonomous SecOps copilots means more automated and autonomous operations. But AI is only as good as the quality of the data—the SIEM—beneath these autonomous agents. SIEM came up as a top priority and a place where CISOs are hungry for a better solution, and incumbents scored very low NPS numbers. New concepts such as Security Data Fabric and additional data layers to lower SIEM bills are also top of mind. In the SecOps layer, companies still crave solutions like Tines (a Felicis investment) to automate human processes across multiple systems and view this area as ripe for AI Security Copilots and Agents.

(4) AI can potentially upend the sizable pen testing & services market.

Some CISOs we spoke with indicated that pen testing and other red team activities would account for as much as 25 percent of their total security budget in 2024. While other CISOs found that allocation surprisingly high, it suggests a meaningful opportunity for a new generation of AI-powered pen testing products. For instance, while many existing pen testing solutions automate numerous processes, they still often require the heavy presence of a human in the loop. Newer solutions have the opportunity to take automation to a much higher level and help reduce the human cost of pen testing.

Another paradigm shift in the offing?

There are reasons to suspect that AI’s impact will be bigger and more disruptive than the move to the cloud. AI adds both complexity and quantity to any attack and allows attackers to move lightning-fast. In the past, automation has been nice to have. Automation now seems mandatory for many fronts of an enterprise’s defenses.

That’s good news for the team behind Tines, the only early-stage company that CISOs mentioned multiple times when asked to name their top vendors. One respondent described Tines, a platform that helps security teams automate more of their processes, as “the kind of tool that makes other tools in the stack and our team better.” 

Chart about the biggest security concern in five years? Most say AI and Data.

Access to sensitive internal data had long been a top concern but now CISOs must throw AI into the mix. Some models are internal-facing, but many are external-facing products, which raises serious governance and privacy concerns. An organization can’t just throw AI on top of something and let the model figure out what it crawls. This is why we were excited to invest in Dig, a cloud data security platform recently acquired by Palo Alto Networks (PANW). Given PANW’s history of smart acquisitions, this shows an increasing awareness by major players of how crucial data security is to the next generation of computing.

Founders wondering where to start building should consider where CISOs are most dissatisfied. Our survey reveals that incumbent vendors with the lowest net promoter score (NPS) are: Broadcom/Symantec, followed by Cisco, IBM, McAfee, and, in a tie, Okta and KnowBe4. 

List of the lowest and highest NPS security vendors

Of course, new, unforeseen categories will arise as we all start relying more on AI. Invariably, the adoption of any new technology introduces new vulnerabilities that an organization must address—as happened with the transition to the cloud, to the benefit of a long list of founders and their investors. 

If you are building something at the intersection of security and AI or data, we’d love to connect.