Studies show that UK businesses faced approximately 7.78 million cybercrimes in the past 12 months alone. While 75% of the respondents surveyed for the 2024 SoPR have integrated AI tools into their penetration testing processes, a critical skills gap persists. Most organisations struggle to match the pace of AI adoption with the necessary expertise to secure these implementations effectively.
With this in mind, Conor O’Neill, Co-Founder and CEO of penetration testing provider, OnSecurity, has shared how CISOs can address this skills gap, balancing rapid AI innovation with strong cybersecurity...
- Recognise the challenge and act decisively
The first step in bridging the AI-cybersecurity skills gap is acknowledging its scope. Organisations cannot simply hope their existing security frameworks will automatically scale to meet AI-driven threats. CSOs must champion a fundamental shift in how their teams approach both offensive and defensive security in an AI-augmented world.
- Prioritise upskilling as a strategic investment
CSOs must commit to providing training programmes for their teams, focused on AI literacy, secure deployment practices, and understanding adversarial risks. This involves not just technical training, but also developing the strategic thinking needed to anticipate how AI will reshape the threat landscape.
- Use AI to amplify human expertise
The most successful organisations view AI as an amplifier of human expertise rather than a substitute. By automating routine tasks like monitoring, anomaly detection, and repetitive analysis, AI enables skilled professionals to focus on complex, high-value challenges that require human logic.
This approach not only enhances overall resilience but also makes cybersecurity careers more attractive by emphasising strategic problem-solving over mundane tasks.
- Promote a culture of security and responsibility
Embedding a security-first mindset across the organisation is essential for sustaining progress. Leaders should champion the ethical and responsible use of AI, supported by regular awareness campaigns. Crucially, security teams must communicate that robust security enables innovation rather than stifling it; a message that helps ensure buy-in from teams across the business.
The future of offensive security
- Adopt agile security models
Static, point-in-time security assessments are increasingly inadequate. Organisations must embed continuous penetration testing into their development lifecycle, allowing them to catch vulnerabilities early and continuously improve their security posture. This shift requires new tooling, processes, and mindsets, but the payoff in terms of reduced risk and faster remediation is substantial.
- Prioritise risk-based testing
Not all assets carry equal risk, and security resources are never unlimited. CSOs must direct their efforts toward high-value targets such as customer data repositories, financial systems, and critical infrastructure. A risk-based approach ensures testing efforts are both strategic and impactful, maximising security ROI while addressing the most critical vulnerabilities first.
- Centralise and coordinate penetration testing efforts
As testing becomes more automated, coordination becomes paramount. CSOs should establish centralised oversight that spans development, security, and operations teams. This ensures findings are actioned quickly and efficiently, closing vulnerabilities before they can be exploited while maintaining visibility across the entire attack surface.
Photo by Immo Wegmann on Unsplash
