87% of Companies Were Hit by an AI Cyber Attack. The Fix Is a Skills Problem, Not a Headcount One
Historically, cybersecurity was a battle between human attackers and defenders, constrained by human speed and capacity. This limitation has effectively vanished. Over the past couple of years, generative AI has shifted from aiding defenders to empowering attackers, dramatically altering the economics of cyberattacks. The scale of this change is staggering: cybercrime losses are expected to reach about $10.5 trillion worldwide in 2025, a sharp increase from $6 trillion in 2021 and just $3 trillion in 2015. If cybercrime were a national economy, it would rank as the third largest globally. A major driver of this steep growth is automation; a survey of security experts found that nearly 87% had faced AI-powered cyberattacks within the last year, with 91% anticipating these threats to intensify. However, on the defense side, only around 25% of security teams felt confident in reliably detecting such AI-driven incursions.
The complexity beyond the numbers marks a turning point rather than a mere decline. Phishing, the most common hacking method, has become almost completely automated: independent research indicates that AI drafts or masks the majority of phishing emails today. Incidents involving deepfakes have surged by over 2,000% since 2022. Increasingly, detected malware variants are polymorphic, constantly rewriting themselves to evade traditional signature-based defenses. These developments point to emerging threat categories nearly nonexistent three years ago, such as AI-assisted phishing attacks, adversarial machine learning misuse, harmful generative AI applications, and self-mutating automated malware. Defenders have responded by heavily investing in AI-driven cybersecurity technologies—anomaly detection, automated incident triage, and behavior analytics—which are expected to see market growth from $25–30 billion in 2024–25 to between $94 billion and $134 billion by 2030. However, spending on technology tools is outpacing the capacity of security teams to effectively utilize them, making skilled personnel the true limiting factor today.
For the past decade, conversations around cybersecurity workforce challenges have centered on a global shortage of qualified professionals, reportedly exceeding 4.7 million. However, a recent comprehensive workforce study shows a subtle but critical shift: the issue is no longer the number of people but the mismatch of skills available. Nearly all teams report existing skills gaps, with 59% labeling these as critical or significant—a sharp increase from previous years—and 88% have experienced security incidents linked to these deficiencies. Only a tiny fraction, about 5%, feel fully equipped. Notably, artificial intelligence has risen to be the most needed technical skill for the second year in a row, surpassing cloud security; two years ago, AI was not even considered among essential competencies. The data also reveals a significant lag in education and training, with certification programs and curricula struggling to keep pace with evolving real-world demands. Hiring managers increasingly search for rare “unicorn” candidates who combine robust security fundamentals with proficiency in configuring and interpreting AI systems—talents that are scarce. The research concludes that the sustainable solution lies in upskilling existing cybersecurity professionals.
In response to this evolving landscape, AI security has emerged as a distinct discipline rather than merely a subset of broader security training. A clear indicator of this change is the introduction of a specialized certification designed to focus exclusively on AI’s intersection with cybersecurity. This credential prioritizes operational defense, emphasizing practical skills such as securing AI systems, defending against adversarial attacks, preventing data poisoning, and mitigating model theft—all grounded in recognized frameworks. The curriculum targets mid-career practitioners who have multiple years of IT and security experience, signaling a mature and focused approach to AI security education rather than a basic awareness overview.
Certification alone is insufficient without comprehensive training programs that allow security professionals to build hands-on experience. One institution leading such initiatives employs a curriculum aligned with the new certification, featuring practical labs that simulate AI system fortification, adversarial defense strategies, and AI-driven threat detection. This approach prioritizes real-world application over rote memorization, preparing graduates to effectively address the sophisticated challenges posed by AI in cybersecurity. Importantly, practitioners emphasize that the discourse around AI security should balance risks with opportunities. While AI-driven threats like automated phishing are prominent, a less obvious but critical risk lies in “shadow AI”—the uncontrolled use of AI tools by employees, which can expose sensitive data internally. Addressing this internal governance challenge is becoming increasingly urgent as many organizations lack fully implemented controls over their AI usage.
When discussing workforce demand, experts highlight the value of professionals who can employ AI to enhance security operations—improving threat detection, efficiently processing large data volumes, and identifying anomalies—instead of viewing AI as a replacement for human analysts. This sentiment aligns closely with workforce surveys indicating that AI will create more specialized cybersecurity roles rather than reducing overall employment. Trainees are advised to possess foundational security knowledge before advancing into AI security, reinforcing the need for targeted instructional pathways that build upon established expertise. These pathways reflect a broader consensus among workforce analysts that targeted upskilling is the key to bridging skill gaps that recruitment alone cannot solve.
Cautious optimism prevails regarding the emerging certification and training trends. Since these programs are relatively new, concrete data on salary premiums or widespread market impact remain unavailable, and some promotional claims about earnings should be viewed skeptically until supported by evidence. The real test for these initiatives is whether graduates can effectively perform security tasks from day one rather than merely demonstrating theoretical knowledge. Early indicators suggest a significant shift in the field: success in cybersecurity will increasingly depend on organizations’ ability to rapidly develop dual competencies—defending AI-enabled systems and leveraging AI as a tool—within their existing workforce. The rise of AI security from a niche topic to an independent discipline illustrates how rapidly the cybersecurity landscape is evolving in response to accelerating, machine-speed threats.