3 days ago
Everyone's Using AI In Security—Now What?
Dave Merkel (also known as "Merk") is the co-founder and CEO of Expel, a cybersecurity provider headquartered near the Washington, DC, area.
The question is no longer whether AI is part of the deal when selecting a security provider. The answer is going to be a resounding "yes." However, determining whether the AI in the equation is enabling that service—and, as a result, your organization—or is simply tacked on for marketing purposes is more nuanced.
The uncomfortable truth is that security budgets are plateauing (if not shrinking), while security incidents (and the average cost of a data breach) are increasing. As a result, business leaders must ask themselves:
• If attacks are growing in frequency and sophistication every day, are we making the right investments to stay ahead of those threats?
• Is it an efficient use of capital?
• Are we getting the results/outcomes we should?
• Are we continuously improving?
For some, AI-enabled security services might be the key to meeting those needs. If that's the case for your organization, it's time to pivot to the next critical step: selecting vendors that move beyond adoption to show how AI adds real, demonstrable value to your security stack.
Moving Past The Feature List To Achieving Business Objectives
To make that shift from what it does to what they can accomplish with it, leaders have to recognize that AI isn't a magic bullet; it's an enabler for achieving specific business objectives. However, when rapidly emerging tech crashes onto the scene, it can be difficult to differentiate between a marketing play and a real value add. Doing so requires security leaders to ask the right questions—of themselves and their would-be providers. Questions like:
• What are the objectives of our cyber program? Taking an outcome-first approach can help determine what specific, measurable results you're after—whether that's reducing mean time to remediate, improving threat detection speed or other important SOC metrics.
• Can this tool seamlessly integrate with our security stack? Compatible integrations and interoperability not only speed up onboarding but also help avoid tool sprawl.
• Does the tool provide actionable insights that align with the business risks we care about? Focus on vendors that understand your specific environment and deliver recommendations for tools that help you continuously improve, not just a steady stream of alerts.
• Can it grow with our business and adapt to evolving threats? The best offerings will use AI to accelerate efficiency, allowing your organization to grow and scale without sacrificing protection.
• Is there a human in the loop? Understand where the checks and balances exist in the system and ensure AI-driven decisions are easily auditable. This builds trust internally and externally, and it helps avoid fallout from hallucinations (AI-generated incorrect or nonsensical information).
• What's the implication for team headcount? If your CFO approves a new solution, don't expect a simultaneous increase to your hiring budget. Knowing whether the solution keeps your headcount neutral or—better yet—helps net some efficiency only strengthens your argument.
Of course, feeling confident in these answers and knowing you're ready to onboard an AI-enabled vendor is only part of the puzzle. You also have to prove that value with a compelling ROI.
Proving The "Now What" To The Business And Board
If you've based your argument for a new tool on efficiency gains, consider how the security team having "more time" will be beneficial to the CFO, CEO and/or board. While it can be difficult to prove a negative (i.e., cost saved on breaches that didn't happen), it's usually a matter of translating security efficiency into business value.
In other words, AI-enabled investments reduce the likelihood of cyber incidents—and when they do occur, they reduce their impact. This directly translates to:
• Minimal Business Disruption: Faster detection and remediation lead to less downtime and fewer breaches, creating a more resilient organization.
• Less Reputational Risk: Avoiding negative PR, loss of brand trust or anything that reduces competitiveness in a market.
• Fewer Unplanned Direct And Indirect Costs: Mitigating incident response, technology rebuilds, recovery and time lost when the business has to shift attention and resources to a security incident.
• Meeting Regulatory And Legal Requirements: Avoiding GDPR fines, FTC and SEC consent decrees and expensive, distracting lawsuits.
It also frees up resources for better optimization. AI-enabled services should give time back to the human analyst in the loop, taking over the repetitive, manual tasks and allowing them to focus on strategic initiatives like threat hunting, proactive defense and security architecture improvements.
When it comes time to communicate this ROI to stakeholders, focus on business outcomes. Use clear units (dollars and percentages, preferably), show trends and employ comparables against industry frameworks (e.g., NIST CSF) to establish context. Over time, this also measures for continuous improvement and efficiency, making it that much easier to "prove the negative" (prevented breaches) to the skeptics in the room.
These elements together elevate the security function and allow for the business to innovate faster—making security an enabler, not a roadblock.
From Adoption To Strategic Advantage
The "now what" of AI-enabled security is about moving past the flashy new tech and thinking critically about the strategic outcomes it drives for the business. Security leaders tasked with proving the ROI on these services are best served when they can solve for business-critical risks and communicate how efficiency in the security program helps drive these goals.
Communicating that ROI is also about understanding who is at the table and speaking their language, whether they come from a tech background or the business and/or finance side of the house. Frame things in terms of enterprise risk and positive business outcomes that the organization really cares about, keeping in mind that finance is the common language of leadership and boards. Regardless, establish metrics that help security teams find creative and useful ways to demonstrate effectiveness and build a cycle of continuous improvement.
AI alone is not a differentiator; rather, it's how it enables teams to help achieve your business goals. The next time you see a provider touting AI, ask hard questions—of potential vendors and your own program—and know the difference between better security outcomes or just marketing fluff.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
