Cloud complexity, tools sprawl and the AI awakening further tip the balance in favor of cyber attackers.

Combined with corporate inertia, artificial intelligence-washing, large language model inconsistency and the pace of change, we believe that, for now anyway, adversaries have the advantage over defenders. Moreover, macro spending headwinds continue to force organizations to make budget tradeoffs, not the least of which is how to fund AI experiments and deployments. Notably, however, 45% of organizations are using LLMs in production for use cases that may very well improve the productivity of security operations teams in the long run and accelerate the cat-and-mouse game back to a state of quasi-equilibrium.

In this Breaking Analysis, we share key takeaways from Supercloud 3 – AI meets cloud security – and put forth new spending data from the latest Enterprise Technology Research survey that shows which security firms are best positioned in the AI race to capitalize on the wave.

The spending climate remains tight

In the above graphic, we show the latest results from ETR’s July survey of nearly 1,800 information technology decision makers, representing three-quarters of a billion dollars in worldwide tech spending. As we’ve reported in earlier research, we entered 2023 with a more sanguine spending outlook of 4.6% annual tech budget growth – a figure which has deteriorated over time and continues to see deceleration. IT executives now expect just under 3% growth for the year, down again from the last survey period.

The AI awakening shifts spending priorities

Below are the results from the same drill-down survey assessing sector priorities. Although cybersecurity remains the leading priority once again, we continue to see a slight downtick from last October. Notably AI has seen a marked uptick in the survey, as shown by the red arrow. Supercloud 3 was all about AI + cloud security, and you can see why below. Cloud migration, despite the optimization trend, remains steady as does analytics and data platforms, which is a subject we’ve covered extensively in previous research.

The point is, whereas budget constraints combined with the AI imperative force companies to make more tradeoffs, cloud chaos and the wide availability of new AI tools, such as generative AI, further support attacker agendas.

Spending priorities are shifting across IT sectors

The graphic below plots Net Score or spending momentum on the vertical axis and Pervasion in the data set, which is a proxy for penetration in the market. The 40% dotted line indicates highly elevated spending velocity. And the squiggly lines track that momentum for the past several quarters.

As we reported last week, AI bottomed the month before the announcement of ChatGPT and has been up and to the right ever since. Only AI and containers remain above the 40% mark, although cloud computing is right at that level. Cloud is a much more mature and advanced market than AI and more prominent in the data set. The implication is that that large a share of market with sustained momentum is still impressive, despite the recent pullback since the peak during the pandemic.

Meanwhile, cybersecurity is pervasive (to the right) but, as we’ll show in a moment, bifurcated between the old and new platforms — meaning several modern, cloud-based security offerings show strong momentum and are disrupting legacy solutions. However, inertia remains difficult to overcome for many organizations as they rinse and repeat longstanding patterns, which make rapid transitions difficult.

This is of increasing importance and concern as leading security firms are reporting strong adoption of AI by attackers who have used AI for years. Today, however, many more bad guys have access to advanced AI tooling since ChatGPT’s launch and the open-source industry’s response.

Tracking the security leaders poised to benefit from AI

Let’s double-click on the cybersecurity landscape and look at the players in the market. We want to answer the following question: “Which leading security firms are in the best position to exploit AI?”

The chart below cuts ETR data by crossing 574 AI accounts – that is, strong adopters of AI – with cybersecurity firms that receive more than 100 mentions in the ETR survey. The vertical axis is spending momentum or Net Score in those AI accounts and the horizontal axis is the Overlap or penetration in those AI accounts. The red dotted line at 40%, again, represents those platforms that have a highly elevated Net Score.

We sorted the data on the inserted table based on companies with the top 10 in spending momentum (the upper table in the chart) and the top 10 sorted by N’s in the survey (the bottom table). Companies that make the top 10 in both cuts we give 4 stars. Those firms are:

• Palo Alto Networks Inc.
• CrowdStrike Holdings Inc.
• Okta Inc.
• Zscaler Inc.

Cloudflare Inc. just misses the Net Score top 10 cut, so we give it two stars.

A couple of points are noteworthy here:

Microsoft is dominant in the upper right. Interestingly, last week Microsoft made some security announcements around secure edge that spooked investors and took down many of the security names. However, as we said at the time, we thought that selloff was overblown as firms such as CrowdStrike and Okta have successfully competed with Microsoft’s endpoint and identity products, respectively, for years. But it’s Microsoft and the company’s current AI momentum captures attention with any moves it makes.

Cisco Systems Inc. is another call-out where we can see it has significant market presence. Cisco has a $4 billion security business which is a separate business unit inside the company. Although this is smaller than Palo Alto’s business, for example, Cisco shows further to the right in the survey. This is likely because many customers associate Cisco networking with security, and Cisco has such a large networking business which includes many security features. As such, respondents likely show up more prominently in the survey.

Having said that, as you can see above, the company doesn’t have the spending momentum of the four star companies. Jeetu Patel, who runs that business for Cisco, has a vision and plan to accelerate that momentum and it likely will involve security and networking coming closer together… and of course, AI.

Many security players vying for market share

Now remember, we’ve simplified the previous picture by cutting the data by leading AI adopters and narrowing the N to be greater than 100. There are many other companies in the security market, and the chart below underscores how crowded it has become.

Above, we cut the data by the same 574 AI adopters and turn off the requirement for 100 or more Ns. The picture becomes both more crowded and bifurcated with many firms showing single-digit or negative momentum on the Y axis. And many companies are below the 40% mark.

A few additional notable items here:

• While we only show 10 above, there are 13 companies in the survey within this cut that are above the 40% mark.
• Here’s another striking stat: Three companies jump 10 percentage points when you slice the data by AI buyers: 1) Datadog Inc. shows at 44% Net Score above versus 34% with AI “off;” 2) Zscaler jumps from 40% to 50% Net Score within the AI buyer base; and 3) Palo Alto Networks jumps from 35% to 45% Net Score when AI the AI cut is initiated. This data underscores the affinity the firms have amongst AI adopters.
• Most other players on this chart jump as well — not as much as these three, but the point is AI is a rising tide lifting all cyber boats in the water that are leaning into AI — which should be everyone by all logic.

But the other point of this chart is the market is split between those modern platforms that have the momentum – either newer firms such as Wiz Inc. or more mature firms such as Palo Alto Networks — and disruptors such as Zscaler — versus those “below the line” that don’t have the momentum and are in the red.

On balance, security is a mature market with large pockets that are both growing organically and stealing share from others.

How organizations are evaluating and deploying generative AI

Sticking with the AI theme, above we take a look at how organizations are deploying generative AI. This data from ETR shows how organizations are evaluating generative AI, how they’re contemplating using it and where it is deployed in production.

Not surprisingly, more folks are still evaluating than in full production. Moreover:

By this survey, around 45% of customers surveyed have LLMs in production. And they’re using large language models in ways you’d expect: generating code, chat bots, writing copy, summarizing text and the like.

Although these aren’t necessarily directly targeted at security, one can see code generation helping developers better secure their code. Chatbots could help deal with incoming inquiries to security teams. Summarizing documentation or logs and streamlining run reports are all things that could make security teams more productive.

One can see how these very same uses could dramatically assist attackers — writing better phishing emails, identifying vulnerabilities and dozens of other uses which have been well-documented.

Execs believe attackers are advantaged at the moment

At Supercloud 3, we asked many guests whether ultimately AI will help attackers or defenders. Mostly, people believe it will help attackers in the near term. And questions remain long-term as to how long it will take defenders to catch up.

The following comments come from three leading executives as to how they answered the question:

Will AI ultimately be of greater benefit to attackers or defenders?

Below are comments from John Roese, chief technology officer of Dell Technologies Inc., with Zscaler Chief Executive Jay Chaudhry and CrowdStrike CEO George Kurtz weighing in.

Watch John Roese’s commentary

In the security world today, it benefits the attackers. We don’t like to talk about it, but it allows them to just move faster and to move at a speed and a scale we’ve never seen before, we’re already seeing that. Defensively, we’ve used it, we do great work on fraud detection and event correlation with AIs, and that’s kept us treading water properly. But over the long term, again, if the fight is between a machine or a person with a few machines helping them, and it’s a volume fight because that’s what cyber is about these days, you’re going to lose. And so we’ve got to find a path to be comfortable shifting more of the work into the machine layer.

Watch Jay Chaudhry’s commentary

I think the big challenge is inertia in large companies. I’ll tell you an interesting dialogue I had with the board of directors of a very large bank out of Asia and one board member said, “Jay, you are sitting in the U.S. leading this No. 1 company. But some of the largest American Fortune 100 companies are getting breached. They got technology, they got money, they got all the knowhow. Why are they getting breached? If they are, what hope do I have?” was the question, I had to think about it for 30 seconds. Then I said all that is true. The biggest thing that’s holding large corporations back is inertia. Think of inertia as a very powerful thing.

Watch George Kurtz’s commentary

I think when you look at adversarial AI and, and generative AI, one of the areas that I think is critical is the ability to actually compress the timeframe for exploitation. So think about this, zero-day Tuesday for Microsoft comes out, once a month. And overall what we found is that it takes some period of time to be able to reverse-engineer patches and create exploits and things of that nature. And it’s actually very specialized. You have to be very skilled in doing that. So you can take something which is very time-consuming and specialize and leverage a generative AI model to say, OK, every time there’s a new Microsoft patch that comes out, reverse-engineer it, create an exploit, and then start to build that into the exploit toolkits that can be monetized as part of the gray market. I mean, those are the kind of things that we’re gonna see.

So the first point is you heard that machines will beat humans if they’re going it alone. Remember when Gary Kasparov lost in chess to IBM’s supercomputer, he started a contest to beat the computer. And his tournaments have shown that humans + AI can beat machines alone. We think the same will ultimately happen in cyber where the combinations of machines and humans will balance the stakes.

Inertia, as Jay Chaudhry says, is the risk, but education, automation and AI adoption will ultimately address that challenge in our view.

George Kurtz nailed it. Today, Patch Tuesday means Hack Wednesday and what he’s implying is Patch Tuesday becomes Hack Tuesday — same day. And again automation and AI will help close those gaps.

Ultimately we think the arms race will reach an equilibrium and everything is being compressed, so it will likely happen much faster than we expect.

Key issues to watch: AI meets cloud security

Let’s close with some of the things we’re paying attention to over the near and mid term.

Chaos. A couple years ago we wrote a research note…Chaos means Cash for Criminals – and Cyber Technology Companies. Cross-cloud complexities add to that chaos, but injecting LLMs into the equation creates opportunity as well as more confusion. On the one hand, AI can automate the mundane, but the diversity of LLMs, new database choices, open-source tools and vendor AI marketing create dissonance. Not to mention the fact that generative AI is… generative. Meaning it’s really good at guessing what to say next but it’s inconsistent and untrustworthy. In security and governance, you don’t want a different answer every time… you want consistency and confidence in answers.

What do guardrails really look like? People talk about guardrails and it’s unclear what shape those will take and in what form, especially as generative AI is concerned. So other forms of machine intelligence will likely be applied more specifically to security solutions.

Budget constraints. The macro continues to be problematic for companies that lack the security talent and expertise to combat the enemy. And so often as Chaudhry’s story underscored, they revert to the comfortable and kick the can down the road by just doing what they’ve always done. While that’s a self-serving narrative, it’s still true.

Mix of solutions add to complexity. The likely outcome will be a combination of AI embedded into cloud security offerings that just come with the territory (such as Salesforce Einstein), combined with copilots that are supervised and keep humans in the loop. As well, we see organizations deploying AI that is unique and directly sourced from AI companies to be applied within organizations directly. It will be a blend.

There’s excitement and trepidation. There’s also doubt and much uncertainty.

Two things are clear, however: 1) AI will be ubiquitous and 2) Most, if not all jobs, including those in security, will be AI-powered within just a few years.

That is a near-certainty and if you’re not trying to figure out how to apply AI, you will be left behind.

By the way, we put up a poll on LinkedIn and Twitter asking who ultimately will benefit most from AI – attackers or defenders?

Below are the links to the results. What’s your take?

Keep in touch

Many thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight, who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

Here’s the full video analysis:

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.

Image: Who is Danny/Adobe Stock