There is a growing disconnect between the increasing sophistication of cybersecurity threats and the preparedness of IT teams to combat them, according to the O'Reilly 2024 State of Security Survey report which surveyed more than 1,300 IT professionals.
According to an O'Reilly press release, among the notable findings is a critical AI security skills gap: 33.9% of tech professionals report a shortage of AI security skills, particularly around emerging vulnerabilities like prompt injection. This highlights the need for specialized training as AI adoption continues to accelerate across industries.
More from the release:
Cloud security expertise also emerges as a significant concern. Despite cloud computing's two-decade presence, 38.9% of respondents identified cloud security as the most significant skills shortage. This revelation underscores a lag in expertise as organizations continue their cloud migration journeys, potentially leaving them vulnerable to cloud-specific security threats.
Looking ahead, AI-enabled security tools rank as the top priority for the coming year (34.4%), with security automation following closely behind (28.2%), signaling a strong push toward automation in cybersecurity defenses.
Security vendor experts weighed in on the report and what it means.
Amit Zimerman, Co-Founder and Chief Product officer at Oasis Security, said:
"To address the shortage of AI security skills, organizations need to invest in upskilling their teams through dedicated AI security training programs. These programs should focus on both foundational AI security knowledge and emerging threats like prompt injection. Partnering with universities and industry certification bodies to develop standardized curricula can help bridge the gap. Moreover, encouraging cross-functional collaboration between AI specialists, security professionals, and software engineers can help teams stay ahead of evolving threats. Implementing AI security tools that provide real-time threat detection and learning capabilities can also alleviate the skills gap by automating the identification of vulnerabilities like prompt injection.
"Cloud security is a multifaceted challenge that requires both strategic planning and operational excellence. Organizations should focus on leveraging modern tools that offer comprehensive analytics, capable of processing large volumes of data to identify and prioritize vulnerabilities. The use of policy-based automation and security orchestration tools allows teams to respond to threats proactively and at scale. Additionally, building a culture of continuous learning is crucial—offering specialized cloud security training and certifications, such as AWS, Azure, or Google Cloud security credentials, can help fill this expertise gap. Investing in hands-on, scenario-based training can ensure teams are equipped to handle real-world security incidents efficiently.
"Regular employee training remains essential in combating phishing threats, but training must evolve beyond static lessons. Incorporating phishing simulators to mimic real-world attacks enables employees to apply their training in dynamic environments, testing their ability to recognize and respond to threats effectively. However, education alone isn't sufficient. IT security teams must implement strong identity and access management (IAM) frameworks with compensating controls like multi-factor authentication (MFA) to mitigate phishing attempts. While traditionally phishing has been the main entry point for attackers, as an industry we have done a lot to improve our defense and made it much harder for attackers. What we are seeing is that attackers are now increasingly looking at weaker parts of the perimeter, such as non-human identities (NHIs), which control machine-to-machine access and are increasingly critical in cloud environments. NHIs now outnumber human identities in most organizations, and securing these non-human accounts is vital, especially in AI-heavy architectures like Retrieval-Augmented Generation (RAG) systems.
"To successfully integrate AI-enabled security tools and automation, organizations should start by evaluating the effectiveness of these tools in their specific contexts. Rather than being swayed by marketing claims, teams should test tools against real-world data to ensure they provide actionable insights and surface previously unseen threats. Existing security frameworks may need to be updated, as older frameworks were designed for non-AI environments. A flexible approach that allows for the continuous evolution of security policies is critical."
Nicole Carignan, Vice President of Strategic Cyber AI at Darktrace, said:
"Historically, security was an afterthought in the development of AI models, leading to a skills gap between security practitioners and AI developers. As we continue to embark on the AI revolution, innovation research and information sharing across the industry is essential for both AI developers and security practitioners to expand their knowledge. Practitioners should leverage industry resources from NIST, CISA, MIT, and other reputable podcasts, news sources, online courses and more to upskill themselves and help bridge the growing skills gap in AI security. Promoting continued education through industry collaboration and knowledge sharing upfront will allow us to move even faster to realize the positive opportunities and benefits of AI. Cross-functional teams that work together with expertise across different domains (DevSecOps, Data engineering, Data Science, ML engineering, Security, Cloud, Risk, etc.) can facilitate faster, safer innovation as well as provide individuals the ability to cross-skill in other areas.
"Faced with limited resources, organizations need to ensure their technology is helping to augment the expertise and skills that they do have. Organizations should seek integrated solutions purpose built for cloud data rather than trying to retrofit on-prem tools. With the right implementation, AI can significantly enhance visibility and threat detection across multi-cloud, hybrid, and on-premise environments. AI-powered agentless cloud solutions can reduce the complexity and costs associated with installing and maintaining agents on cloud resources. They reduce the performance impact on cloud workloads, and can streamline security deployment across large, dynamic environments. With tools that provide constant visibility, autonomous investigation and real-time response, security teams can focus their limited time and resources where they are needed most.
"Implementing AI safely and securely in security operation centers (SOC) can help augment the current cyber workforce, expanding situational awareness, and accelerating mean time to action to allow them to be more efficient, reduce fatigue and prioritize cyber investigation workloads. AI can act as a force multiplier, augmenting human teams by performing autonomous investigations to lower triage time and accelerate detection of an incident.
"It is critical that organizations focus on implementing AI techniques that drive accuracies of detection and data analysis to help uplift teams, enabling security teams to prioritize higher-level strategic efforts, like improving cyber resilience. If models are not rooted in transparency, explainability, privacy and control; hallucinations or inaccurate outputs may cause erroneous information to be fed into workflows, exacerbating issues of alert fatigue and potential burnout."
Stephen Kowski, Field CTO at SlashNext Email Security+, said:
"Organizations can address AI security skills shortages by investing in specialized training programs and partnering with AI security experts. Encouraging cross-functional collaboration between AI and security teams can foster knowledge sharing and skill development. Leveraging advanced AI-powered security solutions can also help bridge the gap by automating complex threat detection and response tasks.
"To close the cloud security skills gap, organizations should prioritize cloud-specific security training and certifications for their IT staff. Implementing cloud-native security tools that provide comprehensive visibility and protection across multi-cloud environments can help mitigate risks. Engaging managed security service providers with cloud expertise can also supplement in-house capabilities and provide valuable guidance.
"To prepare for AI-enabled security tools and automation, organizations should first assess their current security posture and identify areas where AI can add the most value. Investing in solutions that seamlessly integrate with existing security infrastructure and provide actionable insights is crucial. Upskilling security teams on AI concepts and fostering a culture of continuous learning will ensure successful adoption and maximize the benefits of these advanced technologies."
Jason Soroko, Senior Fellow at Sectigo, said:
"Organizations can address the AI security skills shortage by investing in specialized training for emerging vulnerabilities like prompt injection, giving time to achieve certifications, and partnering with educational institutions to develop relevant curricula. Employees need time and experience with new toolsets. The mind shift won't happen without an investment in putting aside dedicated time.
"To close the cloud security skills gap, organizations should offer targeted training programs, support certification efforts, and consider hiring experts to mentor existing teams. To combat phishing, IT security teams should implement regular phishing simulations, provide interactive training sessions, and promote a security-conscious culture that encourages reporting suspicious activities.
"Preparing for AI-enabled security tools and automation involves assessing current security frameworks, identifying integration points for new technologies, investing in appropriate tools, and training staff to effectively manage and utilize these innovations. Technical staff often have the problem of thinking that automation will put their jobs at risk, but they should be encouraged to utilize automation tools to enhance their effectiveness."
