Companies Underinvest in Cybersecurity, AI Increases Risk
Companies underinvest in cybersecurity skills, leaving staff shortages that drive breaches and raise risks as attackers use AI and firms lack AI security expertise.
Many companies are underinvesting in cybersecurity skills, creating persistent staff shortages that contribute to security breaches and increase risk as attackers adopt AI tools.
Security leaders and industry groups report gaps in experienced security personnel even as demand for defenders grows. Organizations are expanding cloud services, remote work and customer-facing digital products while budgets for security hiring and training lag behind.
Experienced analysts and engineers handle monitoring, patching, access controls and incident response. When those roles are vacant or occupied by less experienced staff, misconfigurations can remain uncorrected, alerts go uninvestigated and response times lengthen.
Security teams with limited capacity often rely on basic detection rules and automated alerts instead of deeper forensic analysis, allowing some intrusions to go unnoticed or to escalate before containment.
The staffing gap has led many firms to increase use of managed security service providers and outsourced specialists, and to buy more automated tools. Security managers note that tools do not replace human judgment, and outsourcing can reduce visibility and control if vendor arrangements lack strong governance.
Attackers are using AI and generative models to automate phishing, refine social engineering, produce malicious code snippets and speed vulnerability discovery. At the same time, defenders often lack staff with the skills to secure AI systems, validate models and build monitoring to detect misuse.
Companies point to several causes for the talent shortfall: rising competition for technical staff that pushes up compensation and turnover; small training budgets for existing employees; slow hiring processes; and hiring practices that emphasize formal credentials over hands-on experience. Those factors contribute to shortages of mid- and senior-level security engineers and leaders.
Regulatory and compliance obligations add reporting, monitoring and control tasks that increase workload for security teams. Threat actors continue to exploit cloud misconfigurations, stolen credentials and supply-chain weaknesses, areas that often require experienced staff to remediate.
Some organizations are responding by funding upskilling programs, apprenticeships and recruitment from coding bootcamps and veterans’ retraining. Others are prioritizing basic hygiene such as patch management, multi-factor authentication and least-privilege access. Security teams are also testing AI and automation to reduce repetitive work while maintaining human oversight.
Widespread cloud adoption, remote work and growing IT complexity have expanded attack surfaces and increased demand for skilled defenders. Industry observers say security staffing will remain on the agenda for corporate boards and executives, and some companies are streamlining hiring and expanding training to shorten windows of exposure created by staff shortages.



