Companies want to spend more on AI to defeat hackers, but there's a catch

Cybersecurity mishaps are expensive. The average total cost of a data breach in 2023 is $4.45 million, a 15.3% jump from 2020, according to IBM, and just over half of organizations plan to increase cybersecurity spending as a result.

But some experts say that more isn't always better. The latest AI also presents internal risks of costly data misuse related to sensitive information employees may plug into large language models of generative artificial intelligence systems. And there is risk that as AI speeds the development of software, new iterations will roll out so quickly that flaws may be missed.

In any event, the approach to cybersecurity budgets is changing, and AI's impact on data breaches and employee use, and misuse, plays a major role.

"We're already seeing machine learning, which is a subset of AI, offering some real value in fraud detection, incident analysis and vulnerability analysis," said Mike Scott, CISO of Immuta, which handles data security for companies like Mercedes-Benz and ADP. Scott, former CISO of Wendy's, added, "The bad actors have that same access. They're able to expedite their attacks the same way that we're trying to expedite solving them."

As organizations make cybersecurity budget decisions amid fiscal year 2024 planning, AI looms larger, and as companies continue their migration to the cloud, CISOs, CIOs and other cybersecurity advocates within an organization must know how to prove the value of their increasingly crucial initiatives to stay enough paces ahead.

Experts view cloud migrations and AI as the two biggest threats to an organization's cybersecurity right now.

Andrew Casey, CFO of cloud security company Lacework, said that cloud migrations are cost- and workflow-effective, but that changes in the cloud happen in microseconds. "Every company is going to have to be concerned about how well they're protecting their assets and information as they move to the cloud," Casey said. "It introduces a whole new set of security risks." 

Casey also recognizes that developers are creating software faster with AI. "If we're developing software faster, we're introducing vulnerabilities faster. If we're introducing vulnerabilities faster, you better be able to catch those as they're happening," he said. 

Meanwhile, Scott said the risks of data misuse differ from data breaches because in a breach both the vulnerabilities and the culprits start from the inside. With a data breach, companies can use their insurance, but "if they misused data, they violate multiple contracts, potentially laws," he warned. Policy around things like the use of generative AI can mitigate this, but cyber blockades are also key.

Scott says that a company's AI may be the first emerging technology to be cloud-first, given the historically slow pace of cloud migration for larger organizations. This fuses together two risks, showing cyber leaders must take a nuanced approach moving forward.

When it comes to budget discussions, it's important to know that CFOs are focused not just on protection, but also growth. "If I continue to grow my business, then I've got to have a software partner that's going to allow me to have a decrease in cost relative to the revenue that I bring in," Casey said.

Budget conversations for 2024 will likely differ in one key way, experts say: less panic, more preparedness. From the CFO's perspective, Casey expects less short-term focus and more concentration on the long term. 

That could be good news for CISOs who want to push cybersecurity projects that look years ahead. 

"I think CISOs can leverage the AI buzz to go in and really expedite some projects they've been wanting to do," Scott said. "If we want to do AI in 2025, like experts are predicting, and we want to start really dipping our toes in, this is a critical year for us to build all the right controls and have our base infrastructure ready to go."

While CFOs understand that money must go towards cybersecurity efforts, it's the technology experts that help them allocate. 

"We want a really good justification why we need to spend the money and where," said Diesha Cooper, founder of executive matchmaking platform Execuly, and a CFO.

From Casey's perspective, cybersecurity executives must prove that the investment they want to make is aligned with the company's strategic objectives. This could be cutting licensing costs, increasing productivity or boosting team effectiveness.

If cyber leaders can make vendor consolidation happen, Casey says, all the better. He recently spoke with a large commercial bank that had over 500 different security technologies but didn't feel more secure. "More CFOs like me are asking, are we really getting the return we expected and is there an opportunity for us to consolidate those tools into a single vendor?" Casey said. 

Scott learned a long time ago that sales were part of his job as a CISO. Instead of just focusing on the risk of not implementing the proposed investment, Scott advises CISOs to tie their initiative to what the company is trying to accomplish. Moreover, Scott always comes with at least two options, even if those two options are simply doing it or not. Having a middle ground, he says, is even better.

"If you move the needle just a little bit, you still made an improvement," Scott said. "Then maybe you continue to build a use case for that bigger project as you go," he added.

Cooper is influenced by facts like employee training being the second-most effective cost mitigator for data breaches, trimming an average of $232,867 off the cost, according to IBM, second only to DevSecOps. That's why she says one of the ways companies can effectively budget is in training for their teams. This is especially true for government contractors who are required to meet an increasingly strict level of cybersecurity training in order to keep their contracts.

Perhaps most importantly, Scott says he tries to flush out bias before entering budgeting conversations. "By really focusing on the overall ROI, I walk into a meeting unbiased," he said. "Other executives pick up on that, and they appreciate the transparency." That, Scott says, is what builds trust between the financial advocates and technological advocates within the organization.