Humans are the one cybersecurity problem AI won’t solve

Despite advances in AI for cybersecurity, experts believe human creativity remains irreplaceable in both posing and countering threats.

Humans are the problem—and the solution in cybersecurity. AI will result in innovations on both sides of the security war but will not replace human creativity, said an expert panel of CISOs who met in Melbourne this week.

The panel convened by crowdsourced cybersecurity provider Bugcrowd met to debate solutions to the increasing threat to businesses posed by bad actors who leverage AI.

The event took place at the AISA conference which brought together 5500 security professionals.

The company’s CEO Dave Gerry reminded CISOs that the average cost of a breach is predicted to reach $4.35m, according to Ponemon Institute. IDC expects to see global spending on cybersecurity reach $219b in 2023, up 12% on the year earlier.

The problem is particularly acute in the APAC region where penetration of hybrid working is 60%, putting a majority of the workforce outside the enterprise security perimeter and presenting a bigger-than-ever attack surface.           

Another problem is the growth of IoT and interconnected devices.

“Everything is interconnected, with healthcare monitoring devices talking to one another and exchanging data. That creates incredible benefits for a healthcare outcome, but it creates some very interesting risk and can make a healthcare organisation a really serious target,” said Ryan La Roche, CISO at St, John of God, not-for-profit healthcare provider.

Dan Maslin, group CISO at Australia’s largest university, Monash University, pointed to the growing sophistication of hackers. “We’re seeing zero days being discovered and exploited within 24 hours. I think that's going to get worse.”

Maslin also warned that security perimeters were becoming more porous as organisations became networks of digital partners.

“It doesn't matter how hard you make the shell of the organisation, you've got hundreds or even thousands of third parties connected in. They could become the Achilles heel for many organisations for the rest of the decade,” he said.

Panellists acknowledged the growing impact of AI both as an offensive weapon and a defensive tool.

Luke Barker, group owner for security at telecoms carrier Telstra said: “From a detection and response perspective, I think we'll see some significant advancement in leveraging the power of Gen AI to reduce the human effort in becoming more proactive to respond to threats. I see a shift from pure volume of analyst numbers, to be more pivoting towards engineering capabilities to harness the power of Gen AI to keep ahead of the threat,”

White hat hacker Sajeeb Lohani, head of security at Bugcrowd, believes AI will be a useful tool for hackers but not a threat to the survival of the species. According to Inside the Mind of a Hacker research published by Bugcrowd, 94% of hackers either already use AI or plan to start using it soon for ethical hacking. Most (72%) do not believe AI will ever replicate human creativity.

Bugcrowd’s Gerry agreed: “AI is going to help make this entire industry more efficient, we're going to become more productive, [but] it's going to introduce a lot of new risks.”

“No matter how many tools are deployed, no matter how many new solutions and services and vendors are brought on board, this ultimately still comes down to the human being, and how do we make sure that we're securing our teams or securing our infrastructure, but we're doing this from a human first approach.”

Gerry cited a Gartner prediction that by 2027 50% of enterprise CISOs would have adopted human-centric security design practices, which take account of the impact of human behaviour and error on security.

Bugcrowd’s bug bounty programme rewards hackers for detecting vulnerabilities and potential exploits, but Lohani believes that altruism is a stronger motivator. “Bugcrowd’s survey of 1,000 hackers found 87% believe that reporting a critical incident is more important than making money,” he said.