Cybersecurity 2028: Your workforce, built for the AI frontier

In partnership with AWS, discover whether your organization is crawling, walking, or running toward AI-first cybersecurity operations—and what's next.

Chief information security officers (CISOs) have spearheaded the evolution of digital security, converting every technological upheaval into an opportunity to strengthen their organizations' defenses. The playbooks for most security and technology leaders were written for the growth opportunities of cloud migrations and digital services—tempered by the expanding attack surfaces these created. And yet, many of the assumptions that underlie these playbooks are becoming obsolete. Why?

First, human-intermediated operations are being replaced by AI-intermediated technologies. And second, frontier AI models are evolving so rapidly leaders can’t foresee with any confidence where capabilities will be in the near to mid-term—complicating their planning and investment decisions.

What is clear: advanced AI modalities are changing how organizations work in fundamental ways—creating opportunities but also introducing uncertainties and risks. For instance, more than one in four AI initiatives have been cancelled, postponed, or failed to scale because of security concerns, and more than one in three organizations indicate their AI capabilities have already been compromised by cyberattacks. The unchecked growth of nonhuman identities fueled by generative AI actually expands the attack surface, creates new targets for threat actors, and leads to a loss of visibility into who or what is accessing critical systems.

Fittingly, AI technology can help CISOs with AI threats. However, instead of traditional operations enhanced with AI, AI is moving to the center of the operating model—evolving into a strategic capability that is redefining how technology and security teams work together and collapsing the distance between business operations and business outcomes. Yet our research reveals security and operations leaders are living in a house divided, with sentiment split on whether their organizational culture is inhibiting (44%) rather than enabling change (56%). 

One conclusion from our analysis: the next 36 months represent a critical window of opportunity for CISOs. We believe how leaders respond during this time will separate the AI-resilient from the AI-disrupted. 

“One of the biggest threats is not any adversary, but our own lack of imagination.”

Koos Lodewijkx
Vice President, CISO, IBM


Beating the ticking clock: The 36-month sprint 

In this report, we map out the transformation journey toward AI-first operations. Hint: cybersecurity workforce development and changes to the IT/IS operating model will play a big role. Organizations are in one of three states at the moment: crawl, walk, or run.
 

Roughly one in five enterprises are in “crawl” mode

Based on insights from over 1,000 security, technology, and business executives across 17 geographies and seven industry sectors (see research methodology on page XX), a minority of organizations are still in the early stages of modernizing their cybersecurity delivery and support model. Our analysis reveals approximately one in five organizations (18%) are still in a “crawl” state when it comes to AI transformation. These enterprises are largely focused on planning and incremental change, with little to show for their transformation efforts to date.
 

The majority are in “walk” mode

Most organizations (52%) are finding their way, typically following one of two paths: prioritizing AI-first workforce transformation or enhancing IT/IS integration. We characterize these organizations as being in the “walk” phase of their transformation journey, where leaders are activating their workforce and building momentum for change. The difference for these organizations is that AI is positioned to become the connective tissue running throughout their entire organization.
 

The future is all “run”

30% of organizations have moved the fastest toward building their AI-first foundation. These organizations are entering the “run” phase of their transformation journey, where cybersecurity capabilities achieve a new level of visibility, reach, and autonomy. In this state, IT/IS operations have evolved to become more self-regulating, self-correcting, and self-healing, with the ability to deliver not only automated (scripted) responses but effectively self-initiated and goal-oriented cybersecurity outcomes. In the run state, cybersecurity capabilities are largely autonomous—formulating decisions, testing their own hypotheses, and leveraging agentic AI to both enrich decisioning and automate inference-driven actions. These organizations are adapting rapidly to changes in the operations environment, opening the door to greater resilience, innovation, and growth—safely and at scale. 

 

“Security that doesn’t deeply understand the business is the beginning of the problem. It’s like moving a very large thing. It takes a lot of energy to get moving. And once it’s moving, you still have to keep putting energy in.”

Chris Betz
Chief Information Security Officer, AWS

 

“We recently had a conversation with one of the leaders of the new frontier AI firms. He said that over the past two years, the capabilities of models have doubled every 10 months. If that growth curve continues, how long will it take for these capabilities to be 10 times what they are today? It’s about three years. That puts us in 2028.”

Koos Lodewijkx
Vice President, CISO, IBM

 

Stage one: Crawl

AI overload: Finding signal in the noise

For all the interest and investment in AI, there is an equal amount of confusion and indecision. Security concerns have emerged as a primary obstacle in widescale enterprise AI adoption. 

One hurdle is a perception that innovation and security are somehow at odds, creating some strategic paralysis among technology executives who may be thinking they need to choose between the two. Opinion is evenly divided on whether new AI governance frameworks create excessive friction, with 49% saying they do. Similarly, leaders are split on whether organizational culture is impeding transformation, with 44% seeing their culture as a barrier rather than an enabler.

Further skepticism is evident from the 62% of executives who say their organizations are placing excessive faith in AI's transformative potential. This finding underscores a growing impatience among stakeholders: it’s time for theoretical benefits to translate into measurable business outcomes.
 

Agentic AI: The next frontier

Looking ahead, autonomous AI agents represent the most promising development on the near-term horizon:

  • 76% of executives anticipate AI agents will fundamentally improve operations within two years.
  • 64% expect universal adoption of AI agents among IT staff in the same timeframe.
  • 67% anticipate agents will significantly enhance ROI on existing AI investments.
  • 72% view AI agents as key catalysts for organizational innovation.


Leaders express optimism about AI agents

 

These insights suggest that while the AI security landscape remains challenging, executives are identifying specific technologies—particularly autonomous agents—that can justify accelerating investment in AI infrastructure despite the hurdles. In other words, some IT/IS, business, and operations leaders are finding signal in the noise.
 

Bridging the AI knowledge gap

Many organizations are in a crawl state not only because of issues around governance and ROI, but also because they need to prepare their security workforce. Some are making significant strides in workforce preparation—but a troubling disparity between executive and employee readiness threatens long-term success.

The talent equation has emerged as an equally critical factor in AI implementation. According to a recent IBM IBV study of C-level executives, talent, skills, and cybersecurity are the leading challenges organizations will face over the next three years.
 

Executives point to talent, skills, and cybersecurity as their leading challenges


Organizations have moved swiftly to address security workforce needs, with 65% establishing formal upskilling plans to support their AI strategy. Nearly as many (63%) have launched structured change management programs to integrate AI assistants and agents, while 60% have delivered formal training on how AI will reshape daily work.

Yet beneath these encouraging metrics lies a concerning reality: AI readiness remains disproportionately concentrated at the executive level. The data reveals a significant disparity—82% of executives demonstrate fluency in AI capabilities, limitations, and responsible use practices, compared to just 53% of frontline employees. Similarly, while 52% of organizations have embedded AI skills into executive development pathways, only 38% have extended these opportunities to their broader workforce.
 

Top-heavy AI: Readiness skewed toward executives, not employees


This asymmetry isn't just a talent issue—it represents an existential threat to AI transformation itself. When the people actually using these tools lack fundamental understanding, even the most sophisticated AI implementations will inevitably falter in practice. Closing the executive-employee AI fluency gap over the next 36 months is an essential brick in the foundation upon which sustainable AI transformation must be built.
 

“We know that there are going to be right ways and wrong ways and we don’t know what all those hidden traps are yet.”

Chris Betz
Chief Information Security Officer, AWS

 

“We need everybody to be thinking about this and be very deeply involved in what AI is capable of and where it’s going. Where we use it today, where we can’t use it today, where we can use it in six months when a whole new set of use cases become available to us. Because I think the capabilities are advancing faster than people’s imagination.”

Koos Lodewijkx
Vice President, CISO, IBM

 

The Flywheel Effect
Security awareness, behaviors, and culture reinforce each other, building momentum for change

“I think of security ABCs as the flywheel that helps power things forward, that helps us adapt. You’ve got to keep feeding the flywheel, but once you get it going, it keeps momentum that will help you deal with the bumps you encounter along the way.”

Chris Betz
Chief Information Security Officer, AWS

 

Action guide 

Security in motion

Break out by committing to an AI-first security strategy

Recommendations for AI-first transformation leaders (CISOs, CTOs, CIOs): 

  • Commit. Convert AI experimentation into AI innovation and execution. Understand the priorities of your business and operations counterparts and discuss how distributing technology and security expertise could improve efficiency.
  • Use AI as a catalyst. Create a holistic view of AI capabilities across infrastructure and operations. “Solve once” by architecting AI, cloud, and security in concert and at scale, then modernize your technology and security operations according to AI-first principles.
  • Connect everything. Build bridges across the organization by connecting security ABCs to goals and outcomes. Work on building momentum to make faster decisions and to power change.
  • Become a bridge builder. Focus on creating a better value proposition by connecting core security principles such as trust, integrity, and resilience with business objectives such as innovation, speed, and growth. Rally around these to create a flywheel effect.

 

Recommendations for leaders critical to AI-first success (CEOs, CFOs, COOs, CHROs): 

  • Make security your Rosetta Stone. Use security ABCs to align business, operations, technology, and security stakeholders. Articulate priorities for each domain and reconcile how innovation and governance mechanisms should reinforce each other. Stop thinking of risk, governance, innovation, and growth as separate things.
  • Walk in my shoes. Assemble a working group of business, operations, technology, and security leaders to understand where domain AI strategies intersect. Identify some objectives for a cross-functional secure and resilient AI roadmap. Instead of trying to cover all bets, start with a few high-impact investments to understand how to support AI use cases across the operations lifecycle.
  • Find your groove. Create a flywheel effect by inviting technology and security experts onto your product and service teams. Work with your IT/IS counterparts to identify ways to remove friction, accelerate delivery, and improve customer outcomes.

 

 

Case study

Singapore’s strategy for public sector gen AI adoption


Singapore's Government Technology Agency (GovTech), responsible for the nation's digital public services, has created a model for enterprise-scale generative AI adoption. GovTech saw generative AI's potential to transform public services, from streamlining processes to personalizing citizen interactions. A major challenge was the high cost of running large language models (LLMs) at a national level.

GovTech's solution (aka MAESTRO) is designed to deliver cost-efficient, pre-built, and production-ready generative AI capabilities across government agencies.

 

Key outcomes and strategic approaches:

  • 75% improved cost performance for gen AI workloads. GovTech optimized its computing infrastructure for generative AI's demands. They selected high-performing foundation models and used techniques such as model quantization. Amazon Bedrock and SageMaker JumpStart allowed them to select right-sized models, and then deploy multiple smaller, specialized models instead of large, general ones. This approach significantly cut resource consumption and costs without losing capability.
  • Accelerated use cases and broad accessibility. The platform features a no-code, unified, web-based interface that simplifies ML model building, training, and deployment. This made complex machine learning accessible to nontechnical staff. By removing technical barriers, GovTech rapidly increased generative AI use across the government. Within nine months, the platform was adopted by 20 public sector organizations, involving over 45 project teams and more than 300 data scientists and ML engineers.

 

Real-world impact and operational transformation:

GovTech's platform investment is delivering clear benefits:

  • Ministry of Manpower (MOM). Used the platform to build an AI "sensemaker" tool. It processed over one million documents in three months, boosted insights extraction by 60%, and cut sensemaking time by 50%, saving over 2,000 work hours. MOM also deployed an automated job classification tool that processed 10 million job postings with 92% accuracy in three months.
  • Central Provident Fund Board (CPFB). Used the platform to summarize transcripts from about 600,000 annual citizen calls. These AI-generated summaries help with follow-ups and identifying emerging public issues, improving service quality and operations.

Jeffrey Chai, MAESTRO Product Manager at GovTech, noted the strategic importance: "Making generative AI more accessible and sustainable for our agencies is critical. This allows us to use its potential while managing resources responsibly."

GovTech's platform and adoption model offer a blueprint for CISOs and executives globally. Their experience shows that focusing on optimized cost structures and accessible platforms facilitates scaling of generative AI, delivering significant operational improvements and better citizen services efficiently.

 

 


Stage two: Walk

Everything connects: Ambient AI across the enterprise

AI isn't just another technology layer—it's becoming the central nervous system of modern enterprise operations. On the horizon, multiagent systems, large action models, and synthetic data will extend AI capabilities into new domains, increasing reliance on AI-driven outcomes. Yet many organizations find themselves swimming in solutions and managing complex cloud infrastructure, unprepared for delivering intensive AI-centric operations at speed.

This mirrors what on-premises infrastructure organizations experienced during the cloud transition. Just as cloud services introduced the shared responsibility model as a fundamentally new operational approach, organizations today must adapt to an emerging cooperative work model centered on AI-workforce integration—or risk being left behind. Successful organizations will be those that learn how to use, build, deliver, and scale AI responsibly.
 

The hard data on current performance

Our research reveals a sobering reality: current operating models are delivering mostly mixed outcomes. Despite 24% of organizations claiming alignment across technology, security, and talent strategies, even these leaders show uneven results—stronger threat management but disappointing returns on cybersecurity investments. Across common operational metrics, different strategies reflect different trade-offs, with no clear correlation between approach and performance.
 

The talent crisis meets AI opportunity

The well-documented cybersecurity staffing gap is now colliding with fierce competition for AI expertise. In many cases, tasks are being redirected to AI solutions and roles are being redefined. Recruiting just one of these specialized professionals takes an average of 99 days, according to executives—nearly a full business quarter spent searching for AI security expertise. Meanwhile, survey participants shared that an alarming 21% of security team members leave annually, taking valuable training and institutional knowledge with them. 
 

AI transformation is driving an increase in talent budgets

What keeps CISOs awake at night? Finding professionals who can master "the mission-critical trifecta": navigating the regulatory labyrinth, speaking fluent business, and battling the ever-evolving threat landscape—each cited by 54% of our respondents. These complex, judgment-intensive areas are precisely where the augmented workforce—humans and AI working in concert—will create competitive advantage.

Forward-thinking organizations are already reimagining talent development. IBM has pioneered "Cyber Academy" to bring specialized security talent into specific industries and markets, while its "Cyber Campus" features virtual cyber range experiences to accelerate practical skills.
 

The evolution of security operations

Just as today's cutting-edge aircraft rely on intricate autopilot systems while still demanding human pilots for critical maneuvers, cybersecurity is undergoing a similar transformation. Once painstakingly manual threat management and incident response tasks are evolving into increasingly autonomous capabilities, with human analysts strategically positioned to handle complex escalations—especially as digital perimeters explode across sprawling partner ecosystems.

The numbers tell the story: 60% of executives describe administering their organization's risk, security, and compliance posture as "highly effort-intensive," while an even more striking 78% characterize it as "highly expertise-intensive." Human expertise is considered essential in 67% of cybersecurity workloads today, but this reliance is expected to drop by 34% over the next three years.
 

Decentralizing expertise: The security culture solution

So the dilemma for leaders is: how to concentrate resources and maximize efforts, given the talent and skills crunch? The most forward-thinking organizations are tackling the AI readiness challenge with a counterintuitive approach: rather than centralizing AI security expertise and responsibilities, they're deliberately dispersing them throughout operations. They’re distributing security responsibilities out into the business and sharing responsibilities with product owners and practice leaders across the organization. 

This distributed responsibility model represents a radical departure from traditional cybersecurity approaches. Instead of building fortress walls around AI systems, these organizations are cultivating security awareness as a shared responsibility, embedding AI governance principles into the daily workflows of product owners and practice leaders across departments.

What makes this approach particularly effective is its recognition that AI transformation isn't merely a technological shift—it's fundamentally about enhancing human decision-making. By democratizing both AI capabilities and security responsibilities, these organizations are creating ecosystems where employees become active participants and owners rather than passive recipients of AI transformation.
 

The AI edge: Supercharging security and productivity

The undeniable momentum of AI is translating into tangible benefits for security teams. AI augmentation is effectively tackling labor-intensive and expertise-draining security functions, leading to significant operational improvements. This powerful upside is driving aggressive adoption strategies, with organizational leaders forecasting:

  • A substantial 50% increase in AI augmentation adoption within the next three years
  • A remarkable 63% expansion in generative AI security capabilities
  • A significant 45% rise in workflow automation and orchestration.


Crucially, this technological shift is enhancing, not eliminating, human intellect. A strong majority of executives (65%) agree that AI and automation are cultivating a more productive landscape for their IT and security professionals, and close to two-thirds (62%) are already realizing considerable value from embedded AI functionalities.
 

The path forward: Reinventing the operating model

The next three years will be defined by fundamentally new ways of working. How do organizations integrate digital labor into everyday operations? How do they work with AI agents as cooperators, collaborators, and tireless 24x7 extensions of themselves? What are the security implications of machine identities proliferating throughout environments?

While this vision remains a work-in-progress, organizations that effectively answer these questions—integrating them into strategy and operations—can create significant competitive advantages.
 

Organizations are in transition, and operating models are showing their age

For CISOs and security leaders, success requires not just new technology but a fundamental reimagining of the security operating model itself. While there's no consensus yet on the ideal approach, the race for competitive advantage in AI-powered security has already begun.

 

“I want to be surrounded by smart people solving hard problems and let computers do the rest. This generation of gen AI is going to accelerate that. The kinds of things AI can do are going to increase. The people who are going to be most successful over the next few years are going to be those that use AI and automation across the lifecycle so they can focus on using their human judgment, experience, and knowledge to solve the really, really hard problems that AI solutions cannot.”

Chris Betz
Chief Information Security Officer, AWS

 

“Over the past five years, we’ve seen significant upskilling because of the way we’ve adopted automation. Our people are better and our tools are more effective. We’ve gotten to a place where over a 24-hour period, we’re starting to see 100% of our threat responses be completely automated, with no human intervention. That’s the direction we want to go.”

Koos Lodewijkx
Vice President, CISO, IBM

 

Action guide 

Security accelerated

Build momentum by modernizing your operating model for AI

Recommendations for AI-first transformation leaders (CISOs, CTOs, CIOs):

  • Build the foundation. Improve hygiene, improve effectiveness, improve ROI, improve resilience. Because agentic AI will require humans and AI working in a more cooperative, more interdependent way, leaders should look to improve alignment across their tech, security, and talent strategies.
  • Excellence everywhere. Make your work environment world-class. Rationalize your technology and security toolsets to improve efficiency, visibility, and governance. Standardize around a few core platforms with comprehensive data integration and workflow orchestration capabilities. Pair high-skill, subject-matter experts with comprehensive AI and automation services across the IT/IS lifecycle.
  • Hyphenate. Move beyond established roles and cultivate a team of business-minded security specialists. Think "cyber curators" and "AI forensics strategists"—individuals who combine technical expertise with sharp cyber instincts. These are the people who will guide, interpret, and challenge increasingly autonomous AI systems. It’s not just about filling seats; it’s about building a team that can anticipate risks and outpace threat actors’ rapidly evolving AI and automation tactics.


Recommendations for leaders critical to AI-first success (CEOs, CFOs, COOs, CHROs): 

  • Make AI your operating model. Create a balanced scorecard to assess the level of alignment between your talent, technology, and security strategies. Articulate high-impact user stories that span all three.
  • Shift from top down to middle out. Rather than route every decision through a centralized security function, distribute security capabilities throughout the organization. Then champion security as a core value. Make sure AI advocacy and enthusiasm are shared by executives and employees. Ensure that AI benefits are not flowing to some but not others. Start with culture and work backward. Avoid prioritizing efficiency to the detriment of your work environment.
  • Turn guardians into champions. Forge an elite team of cyber curators, innovators, and creators—the core of your AI security strategy—and land these in high-impact business and operations teams. Your frontline against the escalating AI threat landscape extends beyond technology to a carefully constructed team.
  • Double-down on expertise. Consider where human skills, expertise, and judgment make the greatest impact. Use AI augmentation to enhance performance. Assess effort and expertise-intensive tasks. Shift to automation where it makes sense to reduce errors, improve responsiveness, and recover cycle time.

 

 

 

Stage three: Run

Autonomous AI as the enterprise guardian

AI everywhere, all at once

Organizations are being outmaneuvered in the AI race by fighting the wrong battle. While threat actors deploy AI to craft sophisticated deepfakes and bypass authentication, enterprises remain fragmented—security teams operate in silos, blind to the bigger picture.

The vulnerability isn't technical—it's organizational. Threat actors see entire enterprises as one connected system. Organizations see functions and responsibilities. Attackers deploy coordinated tactics that evolve from a routine privilege escalation to lateral network movement. Defenders analyze data in isolation, often failing to appreciate its significance because they don’t see corresponding side-channel tactics or because the real-time context is missing.

This fundamental misalignment leaves enterprises exposed. Current access controls fail because attackers exploit the gaps between business, operations, technology, and security, gaps that have been baked into how the organization operates.

The solution requires more than better tools. Organizations need an AI-centric security operating model that mirrors how attackers think: holistically. When IT and security functions truly integrate, AI becomes transformative—processing threats across time and context, not just individual incidents.

Trust powers institutions, but the mechanisms that create trust are under siege. Organizations must rebuild them with the same sophistication adversaries use to undermine them.

The good news: a majority of organizations (59%) are already pursuing deep integration across security, infrastructure, and application operations, with a significant 67% anticipating full consolidation of IT, application, and security observability within the next three years.
 

AI emerges as a differentiator

Three years, three steps

Over the next three years, organizations will learn to scale AI while learning to trust it. Three foundational use cases reveal how this transformation unfolds: IT/IS observability, AIOps, and autonomous cybersecurity.

These capabilities unlock advanced use cases across the operations lifecycle. Organizations such as AWS have automated security policies so extensively they've eliminated traditional, highly centralized security operations centers. This evolution required moving from discrete tools to mutual accountability to a culture where security and success reinforce each other: the security flywheel in action.

The future lies in AI that sparks the imagination. For example, using foundation models to learn the sequence of threat actor behaviors; using log files to identify anomalous activity, flagging API calls with unconventional syntax, or running spot checks when code check-ins aren’t consistent with the expected order of operations – the sum total of which transforms threat detection and response capabilities into a new, far more proactive way of working.

As we move beyond scripted automation and orchestration, our AI support teams will become extensions of ourselves. With greater visibility and reach, we will shift our focus to learning — developing new, more efficient ways to connect our risk posture to security policies to business outcomes. New security solutions will shift from capabilities to characteristics, such as:

  • Self-correction. AI captures and collates data to resolve issues before they become threats. Like a smart thermostat, it proactively identifies cloud misconfigurations and unusual traffic patterns, automatically adjusting settings while reducing alert fatigue for human experts.
  • Self-healing. When disruptions occur—DDoS attacks, software glitches—AI orchestrates automated recovery. It reroutes traffic, isolates affected systems, and restores services with minimal human intervention, freeing specialists to tackle novel threats.
  • Self-direction. AI learns from incidents and threat intelligence to autonomously refine policies, update defenses, and anticipate attack vectors. It acts as an intelligent guardian while humans shift to strategic oversight, supervisory learning support, and innovation activities.

 

This transformation creates enterprises that don't just defend themselves but thrive in perpetual resilience, readiness, and growth. However, success demands robust data pipelines, careful attention to algorithmic bias and model drift, and clear governance frameworks maintaining human oversight where critical judgment remains essential.

While this vision may be compelling, most organizations are in the middle of AI transformation efforts that will play out over several years. At this point in time, there are few clear right answers, and the journey will be different for every organization. But three years from now, we will have a much better idea of what success looks like. And some questions are pertinent to all, namely: how should leaders assess progress, and how should our transformation efforts be funded?

 

“Defenders today have some interesting advantages. First, they have all the data on their environment. They see all those connections, all the cloud trail logs for all the API calls. Attackers are dying for that data. Instead, they're coming into a black box. Second, generative AI creates some huge opportunities for defenders. It can be used in so many ways -- to secure your workloads, your accounts, your applications, your data. This generation of genAI is going to accelerate all those capabilities.”

Chris Betz
Chief Information Security Officer, AWS


 

Action guide

AI overdrive 

Full throttle in the “Run” stage

Recommendations for AI-first transformation leaders (CISOs, CTOs, CIOs):

  • Make data your strength. Your institutional data is your advantage—both with competitors and adversaries. Think historical ticket data, policy configurations, design documents. Make the most of retrieval augmented generation (RAG) capabilities to turn these into AI model inputs. Shift from running playbooks to supervising AI learning.
  • Turn AI risks into AI lessons. Prepare for an AI-meets-AI world. Get ahead of your adversary doppelganger by training your AI models for operational resilience. Assess your IT, OT, and IS footprint to determine how you can make baseline risk management, threat identification, and incident response automatic—that is, fully automated and autonomous.
  • Find yourself. Focus on making your security operations more self-regulating and self-correcting through IT/IS observability and resilience capabilities. Make them more self-sustaining and self-healing through AI operations capabilities. Make them more self-directed, outcome oriented, and autonomous by freeing specialists to focus on higher-value supervisory tasks, where context and complexity require interpretation and judgment.
  • Follow the money. Run the numbers to understand how you will fund your AI-first transformation program. Use advanced AI modalities such as AI agents and multiagent systems to recover cycle time and expand capacity. Shift personnel expenditures from effort and expertise-intensive tasks to new AI-augmented roles.

 

Recommendations for leaders critical to AI-first success (CEOs, CFOs, COOs, CHROs): 

  • Turn security personas into business personas. Think of a day in the life of various personas in your org: what they want to achieve, what data sources and tools they use, what outcomes they create and deliver. Can security be improved in ways that improve the user experience? Can friction be reduced with AI agents? Can elapsed time be reduced via autonomous decision-making?
  • All things are difficult before they are easy. Work with your IT/IS counterparts to shift workloads to AI-moderated solutions in stages—providing feedback and improving outcomes over time. The mark of success is when your team embraces AI as an essential complement, companion, and extension of their own work.
  • Take smarter risks. Consider AI, cloud, and security investments together—as a whole. The key to risk management and better resilience is thinking holistically. While cloud and AI are evolving together, too often security lags. The real advantage comes when AI, cloud, and security are fused together, from the start.

 

 
 

The power of starting where you are

The AI revolution doesn't wait for perfect plans or complete transformations. It is a work-in-progress and will be for the foreseeable future. Every month spent deliberating is a month competitors pull ahead—and threat actors sharpen their tools. The organizations that emerge as AI-resilient won't be the ones that had all the answers from day one. They'll be the ones that started moving, failed fast, learned faster, and adapted better.

This isn't about perfection—it's about momentum. The "crawl, walk, run" journey isn't linear, and it doesn't require starting from scratch. Start from where you are, with what you have, right now.

Over the next 36 months, the cybersecurity landscape will be redrawn entirely. The question isn't whether AI will transform how your organization defends itself—it's whether you'll be driving that transformation or scrambling to catch up. The enterprises that thrive won't just be AI-enabled; they'll be AI-native, with security woven into the fabric of every automated decision, every synthetic data set, every autonomous action.

Your future awaits. The question is: will you crawl, walk, or run toward it?
 

“I think the number one most important thing is that when I do my job best, I make it faster and easier for the business to achieve their goals in a trustworthy way. That means I need to go on that journey with them. It’s not a separate security journey. It’s a security journey with the business.”

Chris Betz
Chief Information Security Officer, AWS

 

 

 

 





Meet the authors

Leonard Bernstein, Global Cybersecurity Leader, AWS

Srinivas Tummalapenta, CTO, IBM Cybersecurity Services, IBM Distinguished Engineer

Abhi Chakravorty, Partner, Cloud & Infrastructure Security Offering Leader, IBM Consulting

Michael Massimi, Global Principal, Cloud Security Services for AWS, IBM Consulting

Gerald Parham, Global Research Leader, Security and CIO, IBM Institute for Business Value

Originally published 05 June 2025
