A survey of 422 CISOs finds that while well over half (61%) believe their organizations are highly competent when it comes to cybersecurity and cyber resilience, fewer than half (45%) said their organization’s risk appetite is effectively aligned with cybersecurity risk management, even though 57% claimed their communications channels with line-of-business units are effective.
Conducted by LevelBlue, a provider of managed security services, the survey also finds only 53% of respondents feel their organization is prepared to defend against adversaries that are enabled by artificial intelligence (AI) and even fewer (37%) said cybersecurity budgets are embedded into projects from the start.
LevelBlue CISO Kory Daniels said the results suggest there is still a significant gap in organizations’ ability to secure emerging technologies such as AI before they are embedded within business workflows. The issue with AI is that the pace of adoption is already faster than that of any previous class of emerging technologies, he added.
However, that gap may be narrowing, with 69% of CISOs identifying machine learning for pattern matching as the top investment priority, followed closely by data encryption (67%), application security (66%), cyber resilience (66%), generative AI for social engineering attacks (65%), advanced threat detection technologies (64%), enhanced software supply chain security (62%) and attack-specific defenses (59%). Lower down on that list of priorities are neural networks for predictions (39%) and zero-trust architectures (34%), the survey finds.
Overall, the survey finds the biggest challenges CISOs face are now data security and privacy (55%), data storage for increased volumes (48%), data loss prevention (44%), data fragmentation and siloed access (42%), cost management and optimization (42%), lack of interoperability between systems (37%) and data latency or inconsistencies (33%).
Additionally, the survey suggests many CISOs have a potential blind spot. Just 25% say that the need to assign or create a confidence level of suppliers is an important factor in improving software supply chain visibility. Only 31% say that the biggest security risk they face today could come from within the software supply chain, and between half and two-thirds said some aspects of the software supply chain pose no particular risk to the business.
Many CISOs are now also seeing the scope of the responsibilities assigned to them expand into new areas at a time when their appreciation for the level of risk might not yet be as high as it might need to be, noted Daniels.
Regardless of the scope of those responsibilities, cyberattacks being launched are increasing in both volume and sophistication thanks to the rise of AI. The amount of time cybersecurity teams have to detect and thwart those attacks before there are catastrophic consequences has at the same time been sharply reduced. In effect, CISOs now find themselves locked in an arms race with adversaries that tend to have much larger financial resources at their disposal.
The challenge, as always, is determining how much to spend to mount an appropriate defense based on actual levels of risk without the organization ultimately spending more on security than it can afford in a global economic environment that remains uncertain at best.