Cloud complexity, tools sprawl and the AI awakening further tip the balance in favor of cyber attackers. Combined with corporate inertia, AI-washing, LLM inconsistency and the pace of change, we believe for now anyway, adversaries have the advantage over defenders. Moreover, macro spending headwinds continue to force organizations to make budget tradeoffs, not the least of which is how to fund AI experiments and deployments. Notably, however, 45% of organizations are using LLMs in production for use cases that may very well improve the productivity of SecOps teams in the long run and accelerate the cat and mouse game back to a state of quasi-equilibrium.
In this Breaking Analysis we share key takeaways from Supercloud 3 – AI meets cloud security – and put forth new spending data from the latest ETR survey that shows which security firms are best positioned in the AI race to capitalize on the wave.
The Spending Climate Remains Tight
In the above graphic we show the latest results from ETR’s July survey of nearly 1,800 IT decision makers, representing three quarters of a billion dollars in worldwide tech spending. As we’ve reported in earlier research, we entered 2023 with a more sanguine spending outlook of 4.6% annual tech budget growth – a figure which has deteriorated over time and continues to see deceleration. IT executives now expect just under 3% growth for the year, down again from the last survey period.
The AI Awakening Shifts Spending Priorities
Below are the results from the same drilldown survey assessing sector priorities. While cybersecurity remains the leading priority once again, we continue to see a slight downtick from last October. Notably AI has seen a marked uptick in the survey as shown by the red arrow. Supercloud 3 was all about AI + cloud security and you can see why below. Cloud migration, despite the optimization trend remains steady as does analytics and data platforms, which is a subject we’ve covered extensively in previous research.
The point is, whereas budget constraints combined with the AI imperative force companies to make more tradeoffs, cloud chaos and the wide availability of new AI tools such as generative AI, further support attacker agendas.
Spending Priorities are Shifting Across IT Sectors
The graphic below plots Net Score or spending momentum on the vertical axis and Pervasion in the data set which is a proxy for penetration in the market. The 40% dotted line indicates highly elevated spending velocity. And the squiggly lines track that momentum for the past several quarters.
As we reported last week, AI bottomed the month before the announcement of ChatGPT and has been up and to the right ever since. Only AI and containers remain above the 40% mark although cloud computing is right at that level. Cloud is a much more mature and advanced market than AI and more prominent in the data set. The implications is that large a share of market with sustained momentum is still impressive, despite the recent pullback since the peak during the pandemic.
Meanwhile cybersecurity is pervasive (to the right) but as we’ll show in a moment, bifurcated between the old and new platforms. Meaning several modern, cloud-based security offerings show strong momentum and are disrupting legacy solutions. However inertia remains difficult to overcome for many organizations as they rinse and repeat long standing patterns which make rapid transitions difficult. This is of increasing importance and concern as leading security firms are reporting strong adoption of AI by attackers who have used AI for years. Today however, many more bad guys have access to advanced AI tooling since ChatGPT’s launch and the open source industry’s response.
Tracking the Security Leaders Poised to Benefit from AI
Let’s double click on the cybersecurity landscape and look at the players in the market. We want to answer the following question: “Which leading security firms are in the best position to exploit AI?”
The chart below cuts ETR data by crossing 574 AI accounts – i.e. strong adopters of AI – with cybersecurity firms that receive more than 100 mentions in the ETR survey. The vertical axis is spending momentum or Net Score in those AI accounts and the horizontal axis is the Overlap or penetration in those AI accounts. The red dotted line at 40%, again, represents those platforms that have a highly elevated Net Score.
We sorted the data on the inserted table based on companies with the top 10 in spending momentum (the upper table in the chart) and the top 10 sorted by N’s in the survey (the bottom table). Companies that make the top 10 in both cuts we give 4 stars. Those firms are:
- Palo Alto Networks
- CrowdStrike
- Okta
- Zsclaler
Cloudflare just misses the Net Score top 10 cut so we give it two stars.
A couple of points are noteworthy here:
Microsoft is dominant in the upper right. Interestingly, last week Microsoft made some security announcements around secure edge that spooked investors and took down many of the security names. However as we said at the time, we thought that selloff was overblown as firms like CrowdStrike and Okta have successfully competed with Microsoft’s endpoint and identity products respectively for years. But it’s Microsoft and the company’s current AI momentum captures attention with any moves it makes.
Cisco is another callout where we can see it has significant market presence. Cisco has a $4B security business which is a separate business unit inside the company. Although this is smaller than Palo Alto’s business for example, Cisco shows further to the right in the survey. This is likely because many customers associate Cisco networking with security, and Cisco has such a large Networking business which includes many security features. As such respondents likely show up more prominently in the survey.
Having said that, as you can see above, the company doesn’t have the spending momentum of the four star companies. Jeetu Patel who runs that business for Cisco has a vision and plan to accelerate that momentum and it likely will involve security and networking coming closer together…and of course, AI.
Many Security Players Vying for Market Share
Now remember, we’ve simplified the previous picture by cutting the data by leading AI adopters and narrowing the N to be greater than 100. There are many other companies in the security space and the chart below underscores how crowded it has become.
Above, we cut the data by the same 574 AI adopters and turn off the requirement for 100 or more N’s. The picture becomes both more crowded and bifurcated with many firms showing single digit or negative momentum on the Y axis. And many companies below the 40% mark.
A few additional notable items here:
- While we only show 10 above, there are 13 companies in the survey within this cut that are above the 40% mark.
- Here’s another striking stat. Three companies jump 10 percentage points when you slice the data by AI buyers: 1) DataDog shows at 44% Net Score above vs 34% with AI “off;” 2) Zscaler jumps from 40% to 50% Net Score within the AI buyer base; and 3) Palo Alto Networks jumps from 35% to 45% Net Score when AI the AI cut is initiated. This data underscores the affinity the firms have amongst AI adopters.
- Most other players on this chart jump as well. Not as much as these three but the point is AI is a rising tide lifting all boats cyber boats in the water that are leaning into AI. Which should be everyone by all logic.
But the other point of this chart is the market is split between those modern platforms that have the momentum – either newer firms like Wiz or more mature firms like Palo Alto Networks…and disruptors like Zsclaler…versus those “below the line” that don’t have the momentum and are in the red.
On balance security is a mature market with large pockets that are both growing organically and stealing share from others.
How Organizations are Evaluating and Deploying Generative AI
Sticking with the AI theme, above we take a look at how organizations are deploying generative AI. This data from ETR shows how organizations are evaluating generative AI, how they’re contemplating using it and where it is deployed in production.
Not surprisingly, more folks are still evaluating than in full production. Moreover:
By this survey around 45% of customers surveyed have LLMs in production. And they’re using large language models in ways you’d expect. Generating code, chat bots, writing copy, summarizing text, etc.
While these aren’t necessarily directly targeted at security, one can see code generation helping developers better secure their code. Chat bots could help deal with incoming inquiries to security teams. Summarizing documentation or logs and streamlining run reports are all things that could make security teams more productive.
One can see how these very same uses could dramatically assist attackers. Writing better phishing emails, identifying vulnerabilities and dozens of other uses which have been well documented.
Execs Believe Attackers are Advantaged at the Moment
At Supercloud 3, we asked many guests whether ultimately AI will help attackers or defenders. Mostly, people believe it will help attackers in the near term. And questions remain long term as to how long it will take defenders to catch up.
The following comments come from three leading executives as to how they answered the question:
Will AI ultimately be of greater benefit to attackers or defenders?
Below are comments from John Roese, CTO of Dell Technologies, Jay Chaudhry, CEO of Zscaler and George Kurtz, CEO of CrowdStrike all weighing in.
In the security world today, it benefits the attackers. We don’t like to talk about it, but it allows them to just move faster and to move at a speed and a scale we’ve never seen before, we’re already seeing that. Defensively, we’ve used it, we do great work on fraud detection and event correlation with AIs, and that’s kept us treading water properly. But over the long term, again, if the fight is between a machine or a person with a few machines helping them, and it’s a volume fight because that’s what cyber is about these days, you’re going to lose. And so we’ve got to find a path to be comfortable shifting more of the work into the machine layer.
Watch Jay Chaudhry’s Commentary
I think that big challenge is inertia in large companies. I’ll tell you an interesting dialogue I had with the board of directors of a very large bank out of Asia and one board member said, Jay, you are sitting in the U.S. leading this number one company. But some of the largest American Fortune 100 companies are getting breached. They got technology, they got money, they got all the knowhow. Why are they getting breached? If they are, what hope do I have was the question, I had to think about it for 30 seconds. Then I said all that is true. The biggest thing that’s holding large corporations back is inertia. Think of inertia as a very powerful thing.
Watch George Kurtz’ Commentary
I think when you look at adversarial AI and, and generative AI, one of the areas that I think is critical is the ability to actually compress the timeframe for exploitation. So think about this, zero day Tuesday for Microsoft comes out, once a month. And overall what we found is that it takes some period of time to be able to reverse engineer patches and create exploits and things of that nature. And it’s actually very specialized. You have to be very skilled in doing that. So you can take something which is very time consuming and specialize and leverage a generative AI model to say, okay, every time there’s a new Microsoft patch that comes out, reverse engineer it, create an exploit, and then start to build that into the exploit toolkits that can be monetized as part of the gray market. I mean, those are the kind of things that we’re gonna see.
So first point is you heard that machines will beat humans if they’re going it alone. Remember when Gary Kasparov lost in chess to IBM’s supercomputer, he started a contest to beat the computer. And his tournaments have shown that humans + AI can beat machines alone. We think the same will ultimately happen in cyber where the combinations of machines and humans will balance the stakes.
Inertia. As Jay Chaudhry says is the risk but education, automation and AI adoption will ultimately address that challenge in our view.
George Kurtz nailed it. Today, patch Tuesday means hack Wednesday and what he’s implying is patch Tuesday becomes hack Tuesday…same day. And again automation and AI will help close those gaps.
Ultimately we think the arms race will reach an equilibrium and everything is being compressed, so it will likely happen much faster than we expect.
Key Issues to Watch…AI Meets Cloud Security
Let’s close with some of the things we’re paying attention to over the near and mid term.
Chaos. A couple years ago we wrote a research note…Chaos means Cash for Criminals – and Cyber Technology Companies. Cross cloud complexities add to that chaos but injecting LLMs into the equation creates opportunity but more confusion. On the one hand AI can automate the mundane but the diversity of LLMs, new database choices, open source tools and vendor AI marketing create dissonance. Not to mention the fact that generative AI is…generative. Meaning it’s really good at guessing what to say next but it’s inconsistent and untrustworthy. In security and governance you don’t want a different answer every time…you want consistency and confidence in answers.
What do Guardrails Really Look Like? People talk about guardrails and it’s unclear what shape those will take and in what form, especially as generative AI is concerned. So other forms of machine intelligence will likely be applied more specifically to security solutions.
Budget Constraints. The macro continues to be problematic for companies that lack the security talent and expertise to combat the enemy. And so often as Jay Chaudhry’s story underscored, they revert to the comfortable and kick the can down the road by just doing what they’ve always done. While that’s a self-serving narrative, it’s still true.
Mix of Solutions add to Complexity. The likely outcome will be a combination of AI embedded into cloud security offerings that just come with the territory (e.g. Salesforce Einstein), combined with copilots that are supervised and keep humans in the loop. As well, we see organizations deploying AI that is unique and directly sourced from AI companies to be applied within organizations directly. It will be a blend.
There’s excitement and trepidation. There’s also doubt and much uncertainty.
Two things are clear, however: 1) AI will be ubiquitous and 2) Most, if not all jobs, including those in security, will be AI-powered within just a few years.
That is a near certainty and if you’re not trying to figure out how to apply AI, you will be left behind.
By the way…We put up a poll on LinkedIn and Twitter asking who ultimately will benefit most from AI – attackers or defenders?
Below are the links to the results. What’s your take?
Ultimately will AI be more beneficial to #CyberSecurity attackers or defenders?
— Dave Vellante (@dvellante) July 20, 2023
Keep in Touch
Many thanks to Alex Myerson and Ken Shifman on production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out. And to Rob Hof, our EiC at SiliconANGLE.
Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.
Email david.vellante@siliconangle.com | DM @dvellante on Twitter | Comment on our LinkedIn posts.
Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail.
Watch the full video analysis:
Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.
All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE Media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.
Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies have any editorial control over or advanced viewing of what’s published in Breaking Analysis.