It’s hard to go a day without some headline touting how generative AI is transforming the future of work. And this sentiment certainly rings true in the security industry as security operations centers (SOCs) continue to mature their security posture with automation so that they can protect their enterprise and customer data. But how are leaders and teams feeling about the progress of AI adoption and how the tools are being used?
We recently surveyed 200 IT security professionals from large organizations (revenue of more than $500 million) to get a sense of adoption trends and attitudes. The findings revealed that while more and more teams use AI tools, plenty are dissatisfied with how their organizations have adopted them.
The role of AI security tools today
The good news is that 100% of respondents said they use AI in cybersecurity, just as they did in 2022. But they are using it in dramatically different and additional ways, even after one short year.
Nearly half now use AI to understand strengths and gaps in their cybersecurity posture (49%), an 8-point gain over 2022 (41%). We also found that the share of IT security pros who use AI for incident response rose to 37% in 2023, up 9 points from 2022 (28%). This is not surprising, because incident triage and response is one of the more basic outputs of a SOC; it is becoming a table-stakes capability for most large organizations.
A majority of respondents have adopted SOAR solutions (53%), cloud SIEM solutions (52%), and AIOps (51%) in their SOC. Incorporating more sophisticated AI tools into a security stack is a no-brainer, and I would expect adoption in this category to keep growing as teams move toward an autonomous SOC.
Surprisingly, fewer teams are using AI for IT asset inventory management. While 58% use AI for IT asset inventory management, still the most cited use, this is a surprising 21-point drop from 2022, when 79% said the same. After chatting with several CISOs who explored and invested in these approaches, it appears that the main blocker to success has been access to the raw log data these approaches need. Event data is more useful than alert data for this purpose, and some organizations have been overly aggressive in filtering and discarding event log data to reduce storage costs, which leaves the inventory tooling with too little to work from.
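To make the event-versus-alert point concrete, here is an added example (written for this page, not code from the survey, its respondents, or any vendor). It builds a host inventory from a small constructed stream of newline-delimited JSON records, then shows what the same inventory looks like when a storage-driven retention policy keeps only alerts, or only alerts and auth events. The record format, hostnames, addresses and timestamps are all made up for illustration.

```python
"""Added example: asset inventory from event logs vs. alert logs.

Hypothetical NDJSON telemetry is constructed inline so this runs offline.
Every hostname, IP, MAC and user below is invented.
"""
import json

# Constructed sample telemetry: low-severity events (DHCP leases, auth
# results, network flows) plus the one alert a SIEM would raise from them.
RAW_LOG = """
{"ts":"2023-05-01T08:00:01Z","type":"dhcp","host":"lt-ana-01","ip":"10.1.4.20","mac":"aa:bb:cc:00:00:01"}
{"ts":"2023-05-01T08:00:09Z","type":"dhcp","host":"lt-ben-02","ip":"10.1.4.21","mac":"aa:bb:cc:00:00:02"}
{"ts":"2023-05-01T08:02:13Z","type":"auth","host":"lt-ana-01","ip":"10.1.4.20","user":"ana","result":"success"}
{"ts":"2023-05-01T08:02:40Z","type":"flow","host":"iot-cam-7","ip":"10.1.9.7","dst":"10.1.4.20","dport":445}
{"ts":"2023-05-01T08:03:00Z","type":"auth","host":"lt-ben-02","ip":"10.1.4.21","user":"ben","result":"failure"}
{"ts":"2023-05-01T08:03:01Z","type":"auth","host":"lt-ben-02","ip":"10.1.4.21","user":"ben","result":"failure"}
{"ts":"2023-05-01T08:03:30Z","type":"alert","host":"lt-ben-02","ip":"10.1.4.21","rule":"brute-force-auth","severity":"high"}
{"ts":"2023-05-01T08:05:12Z","type":"dhcp","host":"srv-db-03","ip":"10.1.2.3","mac":"aa:bb:cc:00:00:03"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_inventory(records, include_types=None):
    """Return {asset_key: {"ips", "first_seen", "last_seen", "evidence"}}.

    include_types=None uses every record; pass a set such as {"alert"} to
    see what a pipeline that retained only those record types would know.
    Assets are keyed by hostname, falling back to IP when no hostname exists.
    """
    inventory = {}
    for rec in records:
        if include_types is not None and rec["type"] not in include_types:
            continue
        key = rec.get("host") or rec.get("ip")
        entry = inventory.setdefault(key, {
            "ips": set(), "first_seen": rec["ts"], "last_seen": rec["ts"], "evidence": set(),
        })
        entry["ips"].add(rec["ip"])
        # ISO-8601 UTC timestamps of equal format compare correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["evidence"].add(rec["type"])
    return inventory


def inventory_gap(records, kept_types):
    """Assets visible in the full event stream but invisible once only
    `kept_types` are retained: the blind spot a storage-driven filter creates."""
    full = set(build_inventory(records))
    kept = set(build_inventory(records, kept_types))
    return full - kept


if __name__ == "__main__":
    recs = parse_records(RAW_LOG)
    print(f"{len(build_inventory(recs))} assets from the full event stream")
    for policy in ({"alert"}, {"alert", "auth"}, {"alert", "auth", "dhcp"}):
        print(f"retain {sorted(policy)}: invisible assets {sorted(inventory_gap(recs, policy))}")
```

With this data the full stream yields four assets, an alert-only retention policy yields one (the host that tripped the brute-force rule), and even keeping alerts plus auth events still hides the camera and the database server, which only ever appear in flow and DHCP records. The failure mode is exactly the one the CISOs described: the events that were cheapest to drop are the ones the inventory depends on.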
Overall, AI adoption in the SOC continues to grow, in part because of larger macro trends: increased federal scrutiny, more corporate boards demanding that mean time to detect (MTTD) and mean time to respond (MTTR) be incorporated into a company's KPIs, and the burnout that SOC analysts experience.
People are not happy with AI adoption in the SOC
Yet despite the increasing application of AI overall, we also discovered that satisfaction with how companies are implementing the technology is surprisingly low. A resounding 96% of respondents said they are not fully satisfied with their organization's adoption of automation in the SOC.
The most common reason cited for this dissatisfaction is the limited scalability and flexibility of the available solutions (42%). Old-guard security tools were historically built on-prem in a rigid fashion and were not easily customizable to a team's use case. Newer tools address these concerns, but ripping out and replacing a company's security infrastructure takes time and resources, which in turn takes senior leadership buy-in. As time goes on I would expect this blocker to diminish.
Another consideration is the high cost of implementation and maintenance (39%). You can buy all the latest and greatest tools, but without a plan to implement and maintain them they will end up draining resources. As with the adoption of many new tools, a lot of people decide the devil you know is better than the devil you don't.
But it always boils down to people: 34% cite their team's lack of internal expertise and resources to manage a particular solution as a barrier to effective adoption of SOC automation. This response is closely related to the prior factors, because at some point there has to be a transition period that costs the company money in human capital, but that investment pays off in the long term.
In a time when every security leader is probably being held to higher scrutiny with limited budgets, it might be easier to go with what you know. However, I find this approach risky, because the security landscape keeps evolving and the enterprise attack surface keeps growing at an accelerated pace. Companies need a philosophical shift: accepting that the SOC has to transform to do its job in the modern age. Only then will the tension between use and adoption resolve.
AI uses will continue to evolve, and eventually teams and leaders will settle on the use cases that let their teams be most productive. Whether or not your SOC has embraced AI, the future of the SOC will undoubtedly incorporate automation. I expect these trends to keep pushing teams toward more advanced, next-generation SIEMs to power their SOCs.